Analysis

- max time kernel: 150s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 13-08-2024 19:31

Static task: static1
Behavioral task: behavioral1
Sample: 946f198f08b87a5905b23ba3874d29f8_JaffaCakes118.dll
Resource: win7-20240704-en
General

- Target: 946f198f08b87a5905b23ba3874d29f8_JaffaCakes118.dll
- Size: 1.2MB
- MD5: 946f198f08b87a5905b23ba3874d29f8
- SHA1: 415cd2e62beb581b477c633373aee2f0ab850035
- SHA256: abdd071d272c602d9eb594c38b82fab881b995e75614c0956470c44f7e1654a6
- SHA512: 7806161254fb434014babf4794ff8bf8b1f4f2727a2fabd59d84b951fdbd28787bcf6a888f55620fb78161c5094eb99e5925884e8db473c08ccf96dfa944634b
- SSDEEP: 24576:AuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:Q9cKrUqZWLAcU
Malware Config
Signatures
YARA rule match: dridex_stager_shellcode
- resource: behavioral1/memory/1392-5-0x0000000002A20000-0x0000000002A21000-memory.dmp
  (a single 4 KiB page at 0x02A20000 in PID 1392, the process the sandbox could not resolve by name)

Executes dropped EXE (3 IoCs)
- PID 2948  perfmon.exe
- PID 2288  rdrleakdiag.exe
- PID 1708  recdisc.exe

Loads dropped DLL (7 IoCs)
- PID 1392  Process not Found  (4 loads)
- PID 2948  perfmon.exe
- PID 2288  rdrleakdiag.exe
- PID 1708  recdisc.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) by Process not Found:
  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Madzpveq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\3IvixjoazkM\\rdrleakdiag.exe"

The persistence target is a further copy of rdrleakdiag.exe under the user's Recent folder, not the C:\Users\Admin\AppData\Local\MHmw copy seen running in the process tree below. A host sweep therefore has to look for both locations (and the DLL dropped beside each), not just the directory that produced the running process.
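The Run-key line above is the one artifact in this report that survives a reboot, so it is the first thing to turn into a host check. The following is an added example, not code from the sandbox report or from the sample: it parses registry "Set value" lines in the report's own format, unescapes the doubled backslashes, translates the NT object path into the HKLM/HKU form used by reg.exe, and flags the properties a responder cares about. Only the first input line is taken from the report; the other two are constructed for contrast, and the SYSTEM32_NAMES set is an illustrative list of the binary names seen in this report, not a complete System32 inventory.

```python
"""Triage 'Adds Run key' IOC lines from a sandbox report.

Added example (not the report's or the sample's code). Sample lines are
constructed; only the first reproduces the report's own entry.
"""
import re
from pathlib import PureWindowsPath

RUN_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\(?:USER|MACHINE)\\\S*?\\CurrentVersion\\Run(?:Once)?)'
    r'\\(?P<name>\S+) = "(?P<data>.*)"$'
)

# Assumption: illustrative list of Windows binary names from this report; in
# practice build it from a System32 directory listing of a clean reference host.
SYSTEM32_NAMES = {"perfmon.exe", "rdrleakdiag.exe", "recdisc.exe", "rundll32.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

REPORT_LINES = [
    # verbatim from the report
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Madzpveq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\3IvixjoazkM\\rdrleakdiag.exe"',
    # constructed: a benign-looking machine-wide autorun for contrast
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\ExampleVendor\\updater.exe"',
    # constructed: a different event type, must be ignored by the parser
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA',
]


def hive_alias(nt_key):
    """Turn the NT object path the sandbox logs into the HKLM/HKU form that
    reg.exe and PowerShell accept, so the IOC can be pasted into 'reg query'."""
    for prefix, alias in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if nt_key.upper().startswith(prefix):
            return alias + nt_key[len(prefix):]
    return nt_key


def parse_run_value(line):
    """Return a finding dict for a Run/RunOnce 'Set value' line, or None.
    Limitation (assumption): the data is treated as a bare executable path, as
    in this report; command lines with arguments would need splitting first."""
    m = RUN_VALUE_RE.match(line)
    if not m:
        return None
    target = m["data"].replace("\\\\", "\\")        # the report escapes backslashes
    path = PureWindowsPath(target)
    parts = [p.lower() for p in path.parts]
    reasons = []
    if len(parts) > 1 and parts[1] == "users":
        reasons.append("autorun target lives in a user profile (user-writable)")
    if "appdata" in parts or "recent" in parts:
        reasons.append("target hidden under AppData/Recent rather than an install directory")
    if path.name.lower() in SYSTEM32_NAMES and str(path.parent).lower() not in SYSTEM_DIRS:
        reasons.append(f"{path.name} is a Windows binary name running from outside System32")
    return {
        "hive_key": hive_alias(m["key"]),
        "value": m["name"],
        "type": m["type"],
        "target": target,
        "reasons": reasons,
    }


def triage(lines):
    """Parse every matching line; non-Run-key events are dropped."""
    return [f for f in (parse_run_value(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in triage(REPORT_LINES):
        verdict = "SUSPICIOUS" if f["reasons"] else "no flags"
        print(f"{verdict}: {f['hive_key']}\\{f['value']} -> {f['target']}")
        for r in f["reasons"]:
            print("   -", r)
```

The report's entry trips all three checks; the constructed Program Files entry trips none, which is the point of the contrast: a Run value is not suspicious because it exists, but because of where it points. The HKU alias keeps the user's SID, which is what you need when the suspect profile is not the one you are logged in as.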
Checks whether UAC is enabled (4 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  by rundll32.exe, perfmon.exe, rdrleakdiag.exe and recdisc.exe (the loader and each of the three side-loaded copies)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2364  rundll32.exe        3 events
- PID 1392  Process not Found   the remaining 61 events

Suspicious use of WriteProcessMemory (18 IoCs)
PID 1392 (Process not Found) wrote to the memory of each of the six targets below three times (procid_target in parentheses):
- 2732 (29)  2948 (30)  2888 (31)  2288 (32)  1116 (33)  1708 (34)

Matched against the process tree, the targets are the three System32 originals (2732, 2888, 1116) and the three copies started from AppData\Local (2948, 2288, 1708), so the unresolved PID 1392 is writing into both the legitimate and the hijacked instances, not only the copies.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

All seven processes sit at the same depth: the tree records no parent for the perfmon/rdrleakdiag/recdisc launches, while the WriteProcessMemory signature attributes the writes into every one of them to PID 1392, the process the sandbox could not resolve by name. Each launch of a System32 binary is followed by the same-named binary started from a freshly created directory under C:\Users\Admin\AppData\Local\, and only those copies load a dropped DLL. That is consistent with DLL search-order hijacking (side-loading): the copied executable resolves one of its imports to the DLL dropped beside it instead of the one in System32.

- C:\Windows\system32\rundll32.exe (PID 2364)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\946f198f08b87a5905b23ba3874d29f8_JaffaCakes118.dll,#1  (calls the export at ordinal 1)
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\perfmon.exe (PID 2732)
  Command line: C:\Windows\system32\perfmon.exe

- C:\Users\Admin\AppData\Local\UfP\perfmon.exe (PID 2948)
  Command line: C:\Users\Admin\AppData\Local\UfP\perfmon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\rdrleakdiag.exe (PID 2888)
  Command line: C:\Windows\system32\rdrleakdiag.exe

- C:\Users\Admin\AppData\Local\MHmw\rdrleakdiag.exe (PID 2288)
  Command line: C:\Users\Admin\AppData\Local\MHmw\rdrleakdiag.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

- C:\Windows\system32\recdisc.exe (PID 1116)
  Command line: C:\Windows\system32\recdisc.exe

- C:\Users\Admin\AppData\Local\O8zBcm\recdisc.exe (PID 1708)
  Command line: C:\Users\Admin\AppData\Local\O8zBcm\recdisc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
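The tree and the WriteProcessMemory table only become a single story once they are joined on PID. The following is an added example, not part of the report and not the sample's code: it takes process-creation and remote-write events constructed from the PIDs, image paths and write counts shown above and pairs every Windows binary name that ran from outside System32/SysWOW64 with its legitimate launch and with whichever process wrote into both. The event lists are constructed from this report; the logic itself is generic and works on any process-tree export that carries PID, image path and writer/target PIDs.

```python
"""Correlate process creations and remote memory writes into side-loading chains.

Added example (not the report's or the sample's code). Events are constructed
from the PIDs, paths and write counts in the report above.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# (pid, image path): constructed from the report's Processes section
PROCESS_CREATES = [
    (2364, r"C:\Windows\system32\rundll32.exe"),
    (2732, r"C:\Windows\system32\perfmon.exe"),
    (2948, r"C:\Users\Admin\AppData\Local\UfP\perfmon.exe"),
    (2888, r"C:\Windows\system32\rdrleakdiag.exe"),
    (2288, r"C:\Users\Admin\AppData\Local\MHmw\rdrleakdiag.exe"),
    (1116, r"C:\Windows\system32\recdisc.exe"),
    (1708, r"C:\Users\Admin\AppData\Local\O8zBcm\recdisc.exe"),
]

# (writer pid, target pid): constructed from "Suspicious use of WriteProcessMemory",
# which lists three writes from PID 1392 into each of these six targets
MEMORY_WRITES = [(1392, t) for t in (2732, 2948, 2888, 2288, 1116, 1708) for _ in range(3)]


def is_system_dir(image):
    """True when the image sits directly in System32 or SysWOW64 (case-insensitive)."""
    return str(PureWindowsPath(image).parent).lower() in SYSTEM_DIRS


def in_user_profile(image):
    """True for anything under the Users directory, i.e. a path the user can create."""
    parts = PureWindowsPath(image).parts
    return len(parts) > 1 and parts[1].lower() == "users"


def find_sideload_chains(creates, writes):
    """Map basename -> chain for every binary that ran both from a system
    directory and from somewhere else. A chain records the legitimate launch,
    the first rogue copy, and the sorted set of PIDs that wrote into either
    process (remote writes are how a loader stages code before hand-off)."""
    by_name = defaultdict(lambda: {"system": [], "rogue": []})
    for pid, image in creates:
        bucket = "system" if is_system_dir(image) else "rogue"
        by_name[PureWindowsPath(image).name.lower()][bucket].append((pid, image))

    writers_of = defaultdict(set)
    for writer, target in writes:
        writers_of[target].add(writer)

    chains = {}
    for name, seen in by_name.items():
        if not (seen["system"] and seen["rogue"]):
            continue  # only a system copy (rundll32.exe here) or only an unknown: nothing to pair
        legit_pid, _ = seen["system"][0]
        rogue_pid, rogue_path = seen["rogue"][0]
        chains[name] = {
            "legit_pid": legit_pid,
            "rogue_pid": rogue_pid,
            "rogue_path": rogue_path,
            "rogue_in_user_profile": in_user_profile(rogue_path),
            "writers": sorted(writers_of[legit_pid] | writers_of[rogue_pid]),
        }
    return chains


if __name__ == "__main__":
    for name, chain in sorted(find_sideload_chains(PROCESS_CREATES, MEMORY_WRITES).items()):
        print(f"{name}: legit PID {chain['legit_pid']} -> copy PID {chain['rogue_pid']} "
              f"at {chain['rogue_path']} (written to by {chain['writers']})")
```

Run against the constructed events this yields three chains (perfmon.exe, rdrleakdiag.exe, recdisc.exe), each with writer 1392, and leaves rundll32.exe out because it only ever ran from System32. The pairing relies on the copies keeping their original file names, which is what this sample did; a loader that renames the copied executable defeats the name match and has to be caught on the dropped DLL instead.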
Network
MITRE ATT&CK Enterprise v15
Downloads

Seven files were dropped during the run. The report does not name them; the three 1.2MB entries match the sample's size but none of their hashes matches the sample, which is consistent with (but not proof of) one re-written DLL copy being placed beside each of the three copied executables.

- Filesize: 1.2MB
  MD5: 7b95c97ac5a36cccd8d226821a36987d
  SHA1: 0c1b5c94999aa06eae1627471be353d617eec8e9
  SHA256: c53ff9e18910407e891edaffb5e027a59abc1a7ee3693864ad5ff003898a08e8
  SHA512: 9b0b111b354403695bc816bcebfae2db5e2272a9b9e75f27fe314a8993317772129a2bc47bb0a25890f38b77c1b77b647a4826324bf288e52d8a604bea4e611d

- Filesize: 39KB
  MD5: 5e058566af53848541fa23fba4bb5b81
  SHA1: 769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
  SHA256: ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
  SHA512: 352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

- Filesize: 1.2MB
  MD5: 8a86edef70bec0aa702eec0f9f214e7e
  SHA1: c5c7b793a71601534e77b1a95bb6d96082ea7935
  SHA256: f19f5a7abe8ac2cbade5ae98211b7cad86fca430318969f81c52fc9de0f56852
  SHA512: a68bd3741a6324461ebf44b52b2b9cbd0b2cf0e14a7fb6333f306281a647a1661a39d15cdf9c5271359211867d4adb445d4fb59e1817847ee7383158a9104ede

- Filesize: 1.2MB
  MD5: ebac51de94bcdbaad7aa66441a5ec73b
  SHA1: d2143d3d9341e59dd220554e16e6dce03e90943d
  SHA256: 87c6fb394c36684ba0ee6163d84eaf426e712c7d8db27a7e61ccb33b5a3feb09
  SHA512: 6d5d2e559580e440ca00e8686694dba5254d203797bd740ad9a2e3227ae38fd0128d66acad04b34a3973e173dc1cc2f0aa0a384ab4a641271cf3e57af7fae599

- Filesize: 1KB
  MD5: 82a984d8cde4d243d917f1d493fb19e1
  SHA1: dc93220867825b1f3fa6f6b55d803ad125e3e1a8
  SHA256: cd2c8b93b9ead00bb440d18543f83a73b857e1116b8a5dbd912f1e8c827143c4
  SHA512: 20fdf840e84e2bc7dfb53752af64f0f05d40020e1635f2da13e20bf56fcb8ec02a5bcacaa736747bf5f9652f88dc376262118431aeb8b100eec67db77ef02a44

- Filesize: 232KB
  MD5: f3b306179f1840c0813dc6771b018358
  SHA1: dec7ce3c13f7a684cb52ae6007c99cf03afef005
  SHA256: dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0
  SHA512: 9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

- Filesize: 168KB
  MD5: 3eb98cff1c242167df5fdbc6441ce3c5
  SHA1: 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
  SHA256: 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
  SHA512: f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35