Analysis
max time kernel: 129s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 10-08-2024 12:49
Static task: static1
Behavioral task: behavioral1
Sample: 861d09740e77deb97a5711179346a36f_JaffaCakes118.dll
Resource: win7-20240708-en
General
Target: 861d09740e77deb97a5711179346a36f_JaffaCakes118.dll
Size: 378KB
MD5: 861d09740e77deb97a5711179346a36f
SHA1: 3edb804ad464b649fe21e5da1f44ba7d9f2ecbb5
SHA256: 53a364103209fe91a9ae7ec56bc31906eb1c2e68902d6317bebdf8f183e0ac25
SHA512: 8f55ca87bbcecc77ad02f1610fdd2c36feeed2f2dfd1a25c2dee1db03d3a0fe92052c8255e18fc9fd52a9eff2363ec8510a369b87864b36ec439087366e67e13
SSDEEP: 3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2MT:vs6Xpq0H3Jhds/9+qC/zfTPLt
Malware Config
Extracted
Family: qakbot
Version: 402.343
Botnet: obama104
Campaign: 1632729661
Salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures

Windows security bypass
Processes: reg.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Umuwfyqcuvp = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Avyjz = "0" (reg.exe)
Loads dropped DLL (1 IoC)
Processes:
- PID 2284 regsvr32.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
Modifies data under HKEY_USERS (10 IoCs)
Processes: explorer.exe
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\57352aca = c4317c26be5abff528c19632306a365439526bf49a7549f6485389047b8cb021503b217cfa7071088e8107f20de17d7d14705a857f529887e0fc873d4355cec1e4be2030f62cc19b790502b23ea6faca1e9765da93 (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\2a3d6540 = ebbf25f0d68c56bd5dfbb601cd85b58d175e449b3c316d98c7b5bb1559f4d908f24d046055ddf9590e159bf7e5b60ba7c71425a6b1b503318fe95ebc809ca1bcb2db9421a6e4bdd7b091f281b5d9eef467 (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\92810225 = fd572a1307eeb3fa585ff388d306110eacb13f20e510436e9faf13edb2573aeaf13375d71a6c673f7100628d314213f67b72ff15314594a7dbcefe88a54b34b61b01c22b9cc938640e67d9df546ec4aac8b2cc834de855b2e20d0d27b5ec341c2d8c52bb47590cc195ada461 (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\a71ed26b = ba51f768c7938b24e521b0441f0d6ad30d246b065b (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\d857bd9d = 881a56c2b4361be4251b2503a3a29a3590b7dad64f910448d7c015c2fa4dfef9a0c3bb616441ae4e737cd86a005d9316deda66098938c8d942cc8775069b4e4b9dec7c88e57a8c8769e8993c4c7c89bdba865651e20f5a836d7d3e950b83aa59d013d3deaaf50a960b293ee92a72c019d44136bc90fbe786433f914c (explorer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Eleiazwei (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\d857bd9d = 881a41c2b4362ecf4609b16142f36d0d083bdae1c882339e26a3c895983bd36b539b1ec3359c639b3adebfe82d5f98ac1c3755af15b3cdec2cc53006059750414be4ee0e939e667a970eaf5155aa9b71d54ef52dbdafdae1e020fba519876aa3467be6f1e4d6e5 (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\edc86dd3 = cf15222b908f74dc55d9d394bbf0bd458a825e55c247deaa89cfebe083655b743e873c470e416e655d7a338196ef8ad99a122fa7a2d72e4ef9a3ba5ba9314c87f0ec30a0e487564177a10fa407711bc4a56621e5dd08ddf7372c30f753f80afa449a7b95926117f1888699b540fde3a0391dd8021578c293796961dd68cf5d0aa4fdb9ee69e0ca152ce8c9f08a94c8667def63eee2f55b9d03e9eb1cd9728a9e41 (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\ef894daf = a8102a8d1fbc5889980e2296ff503a93ae0bf61a2991e91a13dc6d70476eba4630ce077ec22d050e2db6a3648eee6b9f759712f77aa81f0fe64ab443b196a0b8d4e4a573ba9f1ebe0d03cb580eb0cde0c882bf4a8c430cdb63effcffae559894f50e88a0ef0ff7d72ad125d2 (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Eleiazwei\55740ab6 = e7e672444fabf05af45c7f5d3bfecc010d6a9e72b8dc090b94ae3aafc568a47866d98fca8c8dc8e8a5ccc5bc4f71dcf97cde1100127f8fd7370fae6e4d9f218755c6284215c79208480767336166f1efc3b90e36a043ffc1467d9027011b81715e8a600ac3fdf03a87ad (explorer.exe)
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 2980 rundll32.exe
- PID 2284 regsvr32.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
- PID 2980 rundll32.exe
- PID 2284 regsvr32.exe
Suspicious use of WriteProcessMemory (43 IoCs)
Processes (source process -> target process, number of recorded writes):
- PID 2332 rundll32.exe wrote to memory of PID 2980 rundll32.exe (7)
- PID 2980 rundll32.exe wrote to memory of PID 2340 explorer.exe (6)
- PID 2340 explorer.exe wrote to memory of PID 2264 schtasks.exe (4)
- PID 1204 taskeng.exe wrote to memory of PID 548 regsvr32.exe (5)
- PID 548 regsvr32.exe wrote to memory of PID 2284 regsvr32.exe (7)
- PID 2284 regsvr32.exe wrote to memory of PID 1064 explorer.exe (6)
- PID 1064 explorer.exe wrote to memory of PID 1672 reg.exe (4)
- PID 1064 explorer.exe wrote to memory of PID 1604 reg.exe (4)
Processes

- C:\Windows\system32\rundll32.exe (PID 2332)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\861d09740e77deb97a5711179346a36f_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2980)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\861d09740e77deb97a5711179346a36f_JaffaCakes118.dll,#1
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 2340)
      Command line: C:\Windows\SysWOW64\explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 2264)
        Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn xleqjkkjxz /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\861d09740e77deb97a5711179346a36f_JaffaCakes118.dll\"" /SC ONCE /Z /ST 12:51 /ET 13:03
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

- C:\Windows\system32\taskeng.exe (PID 1204)
  Command line: taskeng.exe {E8379AA1-A3C6-44C9-8E0E-E01CC960BDD7} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe (PID 548)
    Command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\861d09740e77deb97a5711179346a36f_JaffaCakes118.dll"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (PID 2284)
      Command line: -s "C:\Users\Admin\AppData\Local\Temp\861d09740e77deb97a5711179346a36f_JaffaCakes118.dll"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (PID 1064)
        Command line: C:\Windows\SysWOW64\explorer.exe
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\reg.exe (PID 1672)
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Umuwfyqcuvp" /d "0"
          - Windows security bypass
        - C:\Windows\system32\reg.exe (PID 1604)
          Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Avyjz" /d "0"
          - Windows security bypass
Network
MITRE ATT&CK Enterprise v15