Analysis
max time kernel: 135s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2024 07:04
Static task: static1
Behavioral task: behavioral1
Sample: 9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll
Resource: win7-20240705-en
General
Target: 9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll
Size: 378KB
MD5: 9952f96c49160b9f0c578a8287e71849
SHA1: de1b258d568aad3cc0339298c69f8fa8d4799a64
SHA256: b431e56b69304dc1ad42e480222410ebf179c27ec2cc518ea113b7cbec9b7eb6
SHA512: 66cb7ab469a0bee9f135177d19a39dd5e3a858244ba5da7e806d5a5128de100e07c503e38221d8d5cf3534beb799b6c4107c145745ac6f9af4c88de6bab5ad55
SSDEEP: 3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2MD:vs6Xpq0H3Jhds/9+qC/zfTPLg6
Malware Config
Extracted
qakbot
402.343
obama104
1632729661
95.77.223.148:443
47.22.148.6:443
89.101.97.139:443
27.223.92.142:995
120.151.47.189:443
136.232.34.70:443
120.150.218.241:995
185.250.148.74:443
181.118.183.94:443
140.82.49.12:443
67.165.206.193:993
103.148.120.144:443
71.74.12.34:443
76.25.142.196:443
73.151.236.31:443
173.21.10.71:2222
75.188.35.168:443
2.178.88.145:61202
71.80.168.245:443
45.46.53.140:2222
109.12.111.14:443
105.198.236.99:443
73.77.87.137:443
41.248.239.221:995
182.176.112.182:443
96.37.113.36:993
75.66.88.33:443
162.244.227.34:443
24.229.150.54:995
216.201.162.158:443
92.59.35.196:2222
196.218.227.241:995
24.139.72.117:443
68.207.102.78:443
72.252.201.69:443
2.188.27.77:443
177.130.82.197:2222
68.204.7.158:443
189.210.115.207:443
181.163.96.53:443
24.55.112.61:443
75.107.26.196:465
185.250.148.74:2222
68.186.192.69:443
24.152.219.253:995
50.29.166.232:995
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
Windows security bypass
Processes: reg.exe, reg.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Mmzxzrzlmghg = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Uyebeu = "0" (reg.exe)
Loads dropped DLL 1 IoCs
Processes: regsvr32.exe
- PID 5064: regsvr32.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: rundll32.exe, explorer.exe, schtasks.exe, regsvr32.exe, explorer.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
Modifies data under HKEY_USERS 10 IoCs
Processes: explorer.exe
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\29814817 = 045bd31767a0d876c0cdefb3123231f9ec9be5400279a901963b32 (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\dbeb90ca = 21b1138ffcf82787e2608497b4d4e8f2034c8180295e1aba9e6fc0ebc0e9ae979f89f239 (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\a4a2ff3c = abb40beea020ec1efc90db6af67deca4df60d2b77e607512749097a1bb141a9b51e780662efa46c15f3542b78b2b9334b664f03f089d9c4261130891 (explorer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\2bc0686b = 65705a361b307072ad9cf750b020e9e77562180623e5355375255f6843b2d07896fa441d747853b01f0de3e67a0812aa7ad72e5bdbf5061327465a9da3a13132d1b0ade97a7e14795ce19470da5adf730fdc684ff45ee55c43576f8b5a1b014f80c23b457e17064751a6f46b (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\56c827e1 = 0140e8ed660b956133e3d0db3179a80c60add2b284d1bb12c52145b5db36b6d5290588fcd38c648793816ccc8c1d6c925b1a3206f6e83723077a6eda7451f35fe2ba271824a0b731b0d27061c89b3e42929d9f94f54ff5a8a6d79c (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\ee744084 = f7843949aa73de5abde24130a0d5d463929da4c1094ca76c9bb9dae7a6b76f426c378b9173b9643dad2dd52652644d946f9be0431f23fc40edf8b4aa50ebde120babf917f14ad974e979545b01777c19d6373f691cecb14faf9849a8f9afba693bdc6280d915aa6421db (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\a4a2ff3c = abb41ceea020d947b5ee74d87e479fcf0c9858d0af54c78dbf0ddd9cd38adbf29b52053b4db39e (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\913d2f72 = 9292a3594a795a174ccf8035cb5fdd241860d015abb34dd55ae1cb0d510ba9002ffd1dcd6c4ebba32981e918733bb13db429946a40254f75aa76be16f1b574d87f651b5ba25fab0a53ae4fa4b80069c4502056f6d26ba53f0138a886dd1b5537f340b4647e038bbb4600743336f64564a115373cf1ea49c523fc8eb6ecd49eb1cb420d55f11805b8fb2d935ba56dcc829d30a5b848476bfff2 (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Guujebpe\937c0f0e = e2067893efbec9dc8aa1b6e5e30768d8c29ff5e3a021471647bca274a0e83e20cd10049a496453e21e8c7bc1e9c16e6280a325b35bc2fb61467064a9e510ddfc29fa588762fafba099363a (explorer.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: rundll32.exe, regsvr32.exe
- PID 1672: rundll32.exe
- PID 1672: rundll32.exe
- PID 5064: regsvr32.exe
- PID 5064: regsvr32.exe
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: rundll32.exe, regsvr32.exe
- PID 1672: rundll32.exe
- PID 5064: regsvr32.exe
Suspicious use of WriteProcessMemory 23 IoCs
Processes: rundll32.exe, rundll32.exe, explorer.exe, regsvr32.exe, regsvr32.exe, explorer.exe
- PID 884 wrote to memory of 1672: 884 rundll32.exe -> 1672 rundll32.exe (recorded 3 times)
- PID 1672 wrote to memory of 3816: 1672 rundll32.exe -> 3816 explorer.exe (recorded 5 times)
- PID 3816 wrote to memory of 644: 3816 explorer.exe -> 644 schtasks.exe (recorded 3 times)
- PID 4008 wrote to memory of 5064: 4008 regsvr32.exe -> 5064 regsvr32.exe (recorded 3 times)
- PID 5064 wrote to memory of 1400: 5064 regsvr32.exe -> 1400 explorer.exe (recorded 5 times)
- PID 1400 wrote to memory of 3872: 1400 explorer.exe -> 3872 reg.exe (recorded 2 times)
- PID 1400 wrote to memory of 516: 1400 explorer.exe -> 516 reg.exe (recorded 2 times)
Processes
C:\Windows\system32\rundll32.exe (PID 884)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1672)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll,#1
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe (PID 3816)
      command line: C:\Windows\SysWOW64\explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe (PID 644)
        command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn kjssrrofu /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll\"" /SC ONCE /Z /ST 07:06 /ET 07:18
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\regsvr32.exe (PID 4008)
  command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe (PID 5064)
    command line: -s "C:\Users\Admin\AppData\Local\Temp\9952f96c49160b9f0c578a8287e71849_JaffaCakes118.dll"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\explorer.exe (PID 1400)
      command line: C:\Windows\SysWOW64\explorer.exe
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\reg.exe (PID 3872)
        command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Mmzxzrzlmghg" /d "0"
        - Windows security bypass
      C:\Windows\system32\reg.exe (PID 516)
        command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Uyebeu" /d "0"
        - Windows security bypass
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 378KB
MD5: 9952f96c49160b9f0c578a8287e71849
SHA1: de1b258d568aad3cc0339298c69f8fa8d4799a64
SHA256: b431e56b69304dc1ad42e480222410ebf179c27ec2cc518ea113b7cbec9b7eb6
SHA512: 66cb7ab469a0bee9f135177d19a39dd5e3a858244ba5da7e806d5a5128de100e07c503e38221d8d5cf3534beb799b6c4107c145745ac6f9af4c88de6bab5ad55

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e