Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 13-08-2024 15:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 93ae5f6059247d99d43a26e7968f6553_JaffaCakes118.dll
  - Resource: win7-20240708-en
General
- Target: 93ae5f6059247d99d43a26e7968f6553_JaffaCakes118.dll
- Size: 1.2MB
- MD5: 93ae5f6059247d99d43a26e7968f6553
- SHA1: 725d664d5358124d996b425828f6f1412e9cb7e6
- SHA256: f11eb150d3899616f4e6857c247bf09496fefc2f44d9badbbba02b85dedb8f9d
- SHA512: 01755678f491dce52317eebf5f4f48dba124dddb364e3ef97174f4bd42d2410e00737ba3d429302a7b1964d0a6ed845cb96ea10fc280d2aa5b0a1584561f0ada
- SSDEEP: 24576:4uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:I9cKrUqZWLAcU
Malware Config
Signatures
YARA rule match: dridex_stager_shellcode
  resource                                                                    yara_rule
  behavioral1/memory/1192-5-0x0000000002EE0000-0x0000000002EE1000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
  pid   Process
  2572  sigverif.exe
  320   winlogon.exe
  2728  shrpubw.exe
Loads dropped DLL 7 IoCs
  pid   Process
  1192  Process not Found
  2572  sigverif.exe
  1192  Process not Found
  320   winlogon.exe
  1192  Process not Found
  2728  shrpubw.exe
  1192  Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
  description      ioc                                                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcbsdqtxprcnbm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\JP4pfQ2Ta\\winlogon.exe"  Process not Found
Checks whether UAC is enabled 3 IoCs
  description        ioc                                                                           Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  sigverif.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  winlogon.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  shrpubw.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process            occurrences
  1488  regsvr32.exe       3
  1192  Process not Found  61 (the remaining entries of the 64)
Suspicious use of WriteProcessMemory 18 IoCs
  description                        pid   Process            procid_target
  PID 1192 wrote to memory of 2844   1192  Process not Found  31
  PID 1192 wrote to memory of 2844   1192  Process not Found  31
  PID 1192 wrote to memory of 2844   1192  Process not Found  31
  PID 1192 wrote to memory of 2572   1192  Process not Found  32
  PID 1192 wrote to memory of 2572   1192  Process not Found  32
  PID 1192 wrote to memory of 2572   1192  Process not Found  32
  PID 1192 wrote to memory of 1248   1192  Process not Found  33
  PID 1192 wrote to memory of 1248   1192  Process not Found  33
  PID 1192 wrote to memory of 1248   1192  Process not Found  33
  PID 1192 wrote to memory of 320    1192  Process not Found  34
  PID 1192 wrote to memory of 320    1192  Process not Found  34
  PID 1192 wrote to memory of 320    1192  Process not Found  34
  PID 1192 wrote to memory of 2876   1192  Process not Found  35
  PID 1192 wrote to memory of 2876   1192  Process not Found  35
  PID 1192 wrote to memory of 2876   1192  Process not Found  35
  PID 1192 wrote to memory of 2728   1192  Process not Found  36
  PID 1192 wrote to memory of 2728   1192  Process not Found  36
  PID 1192 wrote to memory of 2728   1192  Process not Found  36
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\93ae5f6059247d99d43a26e7968f6553_JaffaCakes118.dll
  - Suspicious behavior: EnumeratesProcesses
  PID: 1488
- C:\Windows\system32\sigverif.exe
  Command line: C:\Windows\system32\sigverif.exe
  PID: 2844
- C:\Users\Admin\AppData\Local\vVO\sigverif.exe
  Command line: C:\Users\Admin\AppData\Local\vVO\sigverif.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2572
- C:\Windows\system32\winlogon.exe
  Command line: C:\Windows\system32\winlogon.exe
  PID: 1248
- C:\Users\Admin\AppData\Local\RFiXNrVv\winlogon.exe
  Command line: C:\Users\Admin\AppData\Local\RFiXNrVv\winlogon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 320
- C:\Windows\system32\shrpubw.exe
  Command line: C:\Windows\system32\shrpubw.exe
  PID: 2876
- C:\Users\Admin\AppData\Local\d2LPSd\shrpubw.exe
  Command line: C:\Users\Admin\AppData\Local\d2LPSd\shrpubw.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2728
Network
MITRE ATT&CK Enterprise v15
Downloads