Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14/08/2024, 13:14
Behavioral task: behavioral1
Sample: 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
Size: 41KB
MD5: 963dc8315211daf1f382daacba1ceca3
SHA1: 58e8e8f762059c953f6955583136263fcf240dfe
SHA256: 63d31bd766528766f5aa2184fafeb6c2471a5d6ded50263f8e4688539bd6dec4
SHA512: f40774408b5f5ec02059e951057ca4bc8eeb2bd89cbed0c9a9a053acde5e643327181d034d6497581966053b582b8aa28456a9da430b93a5f92bfbe1f2f20361
SSDEEP: 768:crRdRkb7H7l1Yfli85RmHFjfKxSeWdNmFwszbIi25AX8:aRdw7QffXmHx6W/gNze
Malware Config
Signatures
Modifies firewall policy service  (3 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\rundll32.exe = "C:\\Windows\\SysWOW64\\rundll32.exe:*:Enabled:rundll32" | rundll32.exe
Drops file in Drivers directory  (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\arcsas.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\peauth.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\rdvgkmd.sys | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\1394ohci.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\CmBatt.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\msiscsi.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\viaide.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\HidBatt.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\MegaSR.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\HpSAMD.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\mouclass.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\MSPCLOCK.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\ws2ifsl.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\evbda.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\MTConfig.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\ndiscap.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\RDPCDD.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\hidusb.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\ksthunk.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\raspppoe.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\usbhub.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\wmiacpi.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\dmvsc.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\errdev.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\HDAudBus.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\hidbth.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\nfrd960.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\partmgr.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\acpipmi.sys | rundll32.exe
File created | C:\Windows\SysWOW64\Drivers\ksecdd.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\umpass.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\WudfPf.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\ndis.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\ohci1394.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\tcpip.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\asyncmac.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\HTTP.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\vmstorfl.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\wanarp.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\adp94xx.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\aliide.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\circlass.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\scfilter.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\ipfltdrv.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\rassstp.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\smb.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\vmbus.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\tssecsrv.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\mouhid.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\appid.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\rdpbus.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\tsusbflt.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\wd.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\blbdrive.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\cdrom.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\lltdio.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\sffp_mmc.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\volsnap.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\MSTEE.sys | rundll32.exe
File created | C:\Windows\SysWOW64\DRIVERS\kbdclass.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\serial.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\vhdmp.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\drmkaud.sys | rundll32.exe
File created | C:\Windows\SysWOW64\drivers\amdide.sys | rundll32.exe
ACProtect 1.3x - 1.4x DLL software  (1 IoCs)
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x0009000000012118-5.dat | acprotect
Deletes itself  (1 IoCs)
pid | Process
1136 | rundll32.exe
Impair Defenses: Safe Mode Boot  (1 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\surrd.sys | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\surrd.sys\ = "Driver" | rundll32.exe
Loads dropped DLL  (5 IoCs)
pid | Process
2996 | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
1136 | rundll32.exe
1136 | rundll32.exe
1136 | rundll32.exe
1136 | rundll32.exe
UPX packed file  (7 IoCs)
resource | yara_rule
behavioral1/memory/2996-0-0x0000000000400000-0x0000000000424000-memory.dmp | upx
behavioral1/files/0x0009000000012118-5.dat | upx
behavioral1/memory/2996-8-0x0000000010000000-0x0000000010041000-memory.dmp | upx
behavioral1/memory/1136-14-0x0000000010000000-0x0000000010041000-memory.dmp | upx
behavioral1/memory/2996-15-0x0000000000400000-0x0000000000424000-memory.dmp | upx
behavioral1/memory/2996-16-0x0000000010000000-0x0000000010041000-memory.dmp | upx
behavioral1/memory/1136-225-0x0000000010000000-0x0000000010041000-memory.dmp | upx
Modifies WinLogon  (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbfxi\DllName = "sbfxi.dll" | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbfxi\Startup = "sbfxi" | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbfxi\Impersonate = "1" | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbfxi\Asynchronous = "1" | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbfxi\MaxWait = "1" | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbfxi\ngrvv = "[2ACAFBD6091310124]" | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbfxi | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
Drops file in System32 directory  (7 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\CLFS.sys | rundll32.exe
File created | C:\Windows\SysWOW64\sbfxi.dll | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\surrd.sys | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\surrd.sys | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\z98a.bin | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\z98a.bin | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\a9k.bin | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
System Location Discovery: System Language Discovery  (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: LoadsDriver  (64 IoCs)
pid | Process
1136 | rundll32.exe  (the same row is reported 64 times)
Suspicious use of SetWindowsHookEx  (1 IoCs)
pid | Process
1136 | rundll32.exe
Suspicious use of WriteProcessMemory  (7 IoCs)
description | pid | Process | procid_target
PID 2996 wrote to memory of 1136 | 2996 | 963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe | 31  (the same row is reported 7 times)
Processes
C:\Users\Admin\AppData\Local\Temp\963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe  (PID 2996, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe"
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 1136, depth 2, child of 2996)
    command line: C:\Windows\system32\rundll32.exe sbfxi.dll,sbfxi C:\Users\Admin\AppData\Local\Temp\963dc8315211daf1f382daacba1ceca3_JaffaCakes118.exe
    - Modifies firewall policy service
    - Drops file in Drivers directory
    - Deletes itself
    - Impair Defenses: Safe Mode Boot
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: LoadsDriver
    - Suspicious use of SetWindowsHookEx

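Host check for the artefacts above. This is an added example written for this page, not part of the sandbox report or of the sample; it only reads the registry and file system and changes nothing. Two points from the report shape it. First, the dropper is 32-bit: it launched its child as C:\Windows\system32\rundll32.exe but the child ran from C:\Windows\SysWOW64\, and every System32 and SOFTWARE write in the signatures landed under SysWOW64 and Wow6432Node, which is WOW64 redirection; the script therefore checks both views. Second, Windows Vista and later no longer load Winlogon notification packages, so on this Windows 7 image the Notify\sbfxi key is an inert leftover while the surrd.sys driver (the SafeBoot\Minimal entry and the Windows Service mapping in the ATT&CK matrix) is the persistence that works; the Notify key remains a high-fidelity indicator precisely because nothing legitimate writes there any more. Assumptions: the live hive is CurrentControlSet (the report shows the sandbox's ControlSet001), the shell is elevated, and hashing goes through .NET so it also runs on the PowerShell 2.0 that ships with Windows 7. The ATT&CK IDs in the comments are the standard ones for each technique and are not taken from the report.

```powershell
# Added example (not from the sandbox report). Read-only hunt for the registry
# and file artefacts this sample leaves behind. Run elevated.

$hits = @()
function New-Hit($check, $key, $value) {
    New-Object PSObject -Property @{ Check = $check; Key = $key; Value = $value }
}

# 1. Winlogon\Notify subkeys (T1547.004). The sample wrote
#    ...\Notify\sbfxi\DllName = "sbfxi.dll" under Wow6432Node. Vista and later
#    ignore notification packages, so any subkey here deserves a look.
$notifyRoots = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
foreach ($root in $notifyRoots) {
    if (Test-Path $root) {
        foreach ($k in Get-ChildItem $root) {
            $hits += New-Hit 'WinlogonNotify' $k.Name (Get-ItemProperty $k.PSPath).DllName
        }
    }
}

# 2. SafeBoot\Minimal entries named like a bare driver file (T1562.009). The
#    sample added SafeBoot\Minimal\surrd.sys = "Driver". A few such entries are
#    legitimate (vga.sys, for one), so diff the output against a clean build.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
if (Test-Path $safeBoot) {
    foreach ($k in Get-ChildItem $safeBoot | Where-Object { $_.PSChildName -match '\.sys$' }) {
        $hits += New-Hit 'SafeBootMinimal' $k.PSChildName (Get-ItemProperty $k.PSPath).'(default)'
    }
}

# 3. Legacy firewall AuthorizedApplications list (T1562.004). Value names are
#    full paths; the sample added C:\Windows\SysWOW64\rundll32.exe with
#    "...:*:Enabled:rundll32". rundll32 in this list is a hard indicator.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwList) {
    foreach ($p in (Get-ItemProperty $fwList).PSObject.Properties) {
        # Skip the PS* metadata properties; keep anything that looks like a drive path.
        if ($p.Name -like '?:\*' -and "$($p.Value)" -match ':Enabled:') {
            $hits += New-Hit 'FirewallAuthorizedApp' $p.Name $p.Value
        }
    }
}

# 4. Files the report shows being created or modified. SysWOW64 is where the
#    32-bit sample's System32 writes were redirected; System32 is checked too
#    in case the same family runs as a 64-bit build. SHA-256 via .NET (PS 2.0 ok).
$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($name in 'sbfxi.dll', 'surrd.sys', 'z98a.bin', 'a9k.bin') {
    foreach ($dir in "$env:windir\System32", "$env:windir\SysWOW64") {
        $path = Join-Path $dir $name
        if (Test-Path $path) {
            $bytes = [System.IO.File]::ReadAllBytes($path)
            $hash  = ([System.BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
            $hits += New-Hit 'DroppedFile' $path $hash
        }
    }
}

if ($hits.Count -eq 0) {
    'No artefacts from this report found.'
} else {
    $hits | Format-Table Check, Key, Value -AutoSize
}
```

Any DroppedFile hash can be compared with the hashes in the Downloads section below; the SafeBootMinimal rows need a baseline from an identical OS build before they mean anything, whereas a WinlogonNotify row on Vista or later and a FirewallAuthorizedApp row naming rundll32.exe can be treated as findings on their own.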
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
- Filesize: 8KB
  MD5: d3fc181630ad425cd7680464f7dbc16a
  SHA1: 7b9ebd6e415586495f4bb9a0b9b5fac93a40f0da
  SHA256: 1a374b5cbdd91bd355645431d52f8b32556360f9f7de9e498ddaf6cb47b9b1c9
  SHA512: 0f9d8e63d5a883cf3710b2165a5fd260eabbdefd3b81f52267ac4a40eda0375083826516aa0f62c6be0e9426129fea1a1ba22ef0ed0f419e0bfba36b27e23f3d
- Filesize: 23KB
  MD5: 2c54eec77b79845463813db2b3755bc1
  SHA1: 382adec59348e317d2b3344067d9b54557d914c1
  SHA256: 051c6215d2ac977ac9c8708d5ce356879580f268646576eb56b1d94d68b89427
  SHA512: f7e0e346259907471fe7777e1faa71214d2b88e6dcfe312fe4cd29d53a878bfe809ef7c10e41bf68e55b4a9402c2ef010e97cc3f54bb3ee4b9c698d7eda57dd8