Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 17-08-2024 00:15

Static task: static1
Behavioral task: behavioral1
Sample: a07b656063b17069350a758375bf0e4a_JaffaCakes118.dll
Resource: win7-20240705-en
General
- Target: a07b656063b17069350a758375bf0e4a_JaffaCakes118.dll
- Size: 1.2MB
- MD5: a07b656063b17069350a758375bf0e4a
- SHA1: 630f9abee5584c039c8853b254a8a3beb83022db
- SHA256: 6a73321338957ab1a99d1baa1a556b9d50708f20fe34c981e48e16597a3a5119
- SHA512: 22ebb45d8f5dab19b944a4d6b0bc3da307a13bb950b56f7c8a629fcde72277473fc988a849005c03a4dc150071d4647f762bebf0c1db3bce55dbc78ca3a76b12
- SSDEEP: 24576:3uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N7:59cKrUqZWLAcUj
Malware Config
Signatures
- yara_rule: dridex_stager_shellcode
  resource: behavioral1/memory/1204-5-0x00000000024D0000-0x00000000024D1000-memory.dmp
Executes dropped EXE (3 IoCs)
  pid   Process
  2780  Dxpserver.exe
  1836  EhStorAuthn.exe
  3032  notepad.exe
Loads dropped DLL (7 IoCs)
  pid   Process
  1204  Process not Found
  2780  Dxpserver.exe
  1204  Process not Found
  1836  EhStorAuthn.exe
  1204  Process not Found
  3032  notepad.exe
  1204  Process not Found
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nvzakw = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\2qpbS\\EhStorAuthn.exe"
  Process: Process not Found
Checks whether UAC is enabled (4 IoCs)
  description        ioc                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Dxpserver.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  EhStorAuthn.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  notepad.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2400  rundll32.exe        (3 entries)
  1204  Process not Found   (repeated for the remaining entries)
Suspicious use of WriteProcessMemory (18 IoCs; each row below is recorded 3 times)
  description                        pid   Process            procid_target
  PID 1204 wrote to memory of 2320   1204  Process not Found  30
  PID 1204 wrote to memory of 2780   1204  Process not Found  31
  PID 1204 wrote to memory of 2664   1204  Process not Found  33
  PID 1204 wrote to memory of 1836   1204  Process not Found  34
  PID 1204 wrote to memory of 2964   1204  Process not Found  35
  PID 1204 wrote to memory of 3032   1204  Process not Found  36
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a07b656063b17069350a758375bf0e4a_JaffaCakes118.dll,#1
  PID: 2400
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\Dxpserver.exe
  command line: C:\Windows\system32\Dxpserver.exe
  PID: 2320
- C:\Users\Admin\AppData\Local\zusteMa\Dxpserver.exe
  command line: C:\Users\Admin\AppData\Local\zusteMa\Dxpserver.exe
  PID: 2780
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\EhStorAuthn.exe
  command line: C:\Windows\system32\EhStorAuthn.exe
  PID: 2664
- C:\Users\Admin\AppData\Local\96Kp9KPXs\EhStorAuthn.exe
  command line: C:\Users\Admin\AppData\Local\96Kp9KPXs\EhStorAuthn.exe
  PID: 1836
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\notepad.exe
  command line: C:\Windows\system32\notepad.exe
  PID: 2964
- C:\Users\Admin\AppData\Local\rf6auimm6\notepad.exe
  command line: C:\Users\Admin\AppData\Local\rf6auimm6\notepad.exe
  PID: 3032
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: a3816dfb570fec3ff393d02a833d8a38
  SHA1: ab6e6a13820965fd88a277e13ce8988838ea7a8e
  SHA256: 56d698fd1e24fe345aab4b06aee72caf39ea1d5e0656b1f661516aad9455631d
  SHA512: e0f048656fc4917e55dbf5fc69a24243859e1cff0d5081c7e7f925b2f0d32ce923392e6e91cfa40981722aac06aa9b76335295bc6dfa515c19ca5cb9bfb09ffc
- Filesize: 1.2MB
  MD5: fcdbe957ce492a3c3a7c32ad7b76ddd5
  SHA1: 6315393034309a307f148e43c6c13e7206f4bccc
  SHA256: fa7712ddceb870a35bbd0427db9d140e3d281fb6d0d7ab26db0511e54548aa3a
  SHA512: 1745df2d797f98c7b112c435f02812712de1420dc1d8f2a18751969ab1261678af1023ab6ce7017055b4029e75fe75b5025f0fe7b9685bf09fdbc73d7dd785c7
- Filesize: 259KB
  MD5: 4d38389fb92e43c77a524fd96dbafd21
  SHA1: 08014e52f6894cad4f1d1e6fc1a703732e9acd19
  SHA256: 070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73
  SHA512: 02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba
- Filesize: 1.2MB
  MD5: fe9f1453a69aa838363806d2b42f321b
  SHA1: 04b1c0cf1dfd2b47dfab3784a5f5a7a762117261
  SHA256: 8e2aa997a5e7d3d116ebb37063b8a2b732ba5cbcac1c2b8d0611f2a3421f53a3
  SHA512: 55ade2637ce5b57034c4e2bba71185e283cf72f9e15fbbeef04c307ac74c669fbe00477a6f056f5baffea04729ee9eed1ef898331691e2d8df4881fe9354f10a
- Filesize: 1KB
  MD5: 6281763c7aa58ef242412e6ee8f6ba32
  SHA1: bc390b5166760cb99d6a5c3570592d7ceef6ef7d
  SHA256: 93712fd77cc1f6bd57286147348620449f0e0198e3bc0cf251310d9465bd2f61
  SHA512: 549f5be43137ae5c4fcbfcf6201e64ae433edf4a7a80b85f7a9b988bc1352341429a4471fd9837576722c21dcc665287d5048fec7cd107edb52392be989fe34b
- Filesize: 137KB
  MD5: 3abe95d92c80dc79707d8e168d79a994
  SHA1: 64b10c17f602d3f21c84954541e7092bc55bb5ab
  SHA256: 2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad
  SHA512: 70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c
- Filesize: 189KB
  MD5: f2c7bb8acc97f92e987a2d4087d021b1
  SHA1: 7eb0139d2175739b3ccb0d1110067820be6abd29
  SHA256: 142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2
  SHA512: 2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8