Analysis
max time kernel: 149s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 23-08-2024 09:52
Static task: static1
Behavioral task: behavioral1
Sample: bb3f80224ccb963c44b6fd5c32407490_JaffaCakes118.dll
Resource: win7-20240705-en
General
Target: bb3f80224ccb963c44b6fd5c32407490_JaffaCakes118.dll
Size: 1.2MB
MD5: bb3f80224ccb963c44b6fd5c32407490
SHA1: 4d1b454fb9b0fa8e0972f2c3b853e2b2daa025ce
SHA256: dc19cb70f3b01ea32e03808948037934c7d98035aa0eb12538c3d2472ac8e452
SHA512: bcd0e1373cef696f182ea97b0b9948e7a28017c7000a96a18bea130ea253c18c2d9a386455bd6ba04e3f5880e0e7844e24e47706b0cf85bfcdf7facb326efb56
SSDEEP: 24576:zuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:99cKrUqZWLAcU
Malware Config
Signatures
resource: behavioral2/memory/3476-4-0x0000000000960000-0x0000000000961000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
pid 1580 MDMAppInstaller.exe
pid 3648 bdeunlock.exe
pid 2316 ApplicationFrameHost.exe
Loads dropped DLL 3 IoCs
pid 1580 MDMAppInstaller.exe
pid 3648 bdeunlock.exe
pid 2316 ApplicationFrameHost.exe
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wdtbxtklooytt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\1SFtXVX\\bdeunlock.exe" (Process not Found)
Checks whether UAC is enabled 4 IoCs
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (MDMAppInstaller.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (bdeunlock.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (ApplicationFrameHost.exe)
Modifies registry class 2 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (Process not Found)
Key created: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (Process not Found)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid 4564 rundll32.exe (6 entries)
pid 3476 Process not Found (remaining 58 entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Token: SeShutdownPrivilege, pid 3476 Process not Found
Token: SeCreatePagefilePrivilege, pid 3476 Process not Found
Token: SeShutdownPrivilege, pid 3476 Process not Found
Token: SeCreatePagefilePrivilege, pid 3476 Process not Found
Suspicious use of UnmapMainImage 1 IoCs
pid 3476 Process not Found
Suspicious use of WriteProcessMemory 12 IoCs
PID 3476 (Process not Found) wrote to memory of 1744, procid_target 96 (2 entries)
PID 3476 (Process not Found) wrote to memory of 1580, procid_target 97 (2 entries)
PID 3476 (Process not Found) wrote to memory of 3172, procid_target 98 (2 entries)
PID 3476 (Process not Found) wrote to memory of 3648, procid_target 99 (2 entries)
PID 3476 (Process not Found) wrote to memory of 4844, procid_target 100 (2 entries)
PID 3476 (Process not Found) wrote to memory of 2316, procid_target 101 (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb3f80224ccb963c44b6fd5c32407490_JaffaCakes118.dll,#1
  PID: 4564
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\MDMAppInstaller.exe
  command line: C:\Windows\system32\MDMAppInstaller.exe
  PID: 1744
C:\Users\Admin\AppData\Local\2D3dfs\MDMAppInstaller.exe
  command line: C:\Users\Admin\AppData\Local\2D3dfs\MDMAppInstaller.exe
  PID: 1580
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\bdeunlock.exe
  command line: C:\Windows\system32\bdeunlock.exe
  PID: 3172
C:\Users\Admin\AppData\Local\dNEWoptGc\bdeunlock.exe
  command line: C:\Users\Admin\AppData\Local\dNEWoptGc\bdeunlock.exe
  PID: 3648
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
C:\Windows\system32\ApplicationFrameHost.exe
  command line: C:\Windows\system32\ApplicationFrameHost.exe
  PID: 4844
C:\Users\Admin\AppData\Local\W6XQchEl\ApplicationFrameHost.exe
  command line: C:\Users\Admin\AppData\Local\W6XQchEl\ApplicationFrameHost.exe
  PID: 2316
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
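The process tree above shows the staging pattern worth hunting for: each of MDMAppInstaller.exe, bdeunlock.exe and ApplicationFrameHost.exe is first launched from System32 and then again, with the same file name, from a randomly named folder under AppData\Local where it loads a dropped DLL; the Run key points at yet another copy of bdeunlock.exe under AppData\Roaming, and the whole chain starts with rundll32 loading the sample out of %TEMP%. The following detection logic is an added example and is not code from the sandbox or from the sample; the ProcessEvent and RunKeyEvent records are constructed from the IoCs on this page, and the KNOWN_SYSTEM_BINARIES allowlist is just the three names this report happens to show.

```python
"""Detection rules for the staging pattern in this report: Windows system
binaries re-executed from random folders under AppData, a Run key whose
target lives in the user profile, and rundll32 loading a DLL out of %TEMP%.
Added example (not the sandbox's or the sample's code); the event records
at the bottom are constructed from the process tree and registry IoCs."""
import ntpath
import re
from dataclasses import dataclass

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Names this report shows being copied out of System32 (assumed starting
# allowlist; extend it from your own telemetry in practice).
KNOWN_SYSTEM_BINARIES = {"mdmappinstaller.exe", "bdeunlock.exe",
                         "applicationframehost.exe"}
USER_PROFILE_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str      # full image path of the created process
    cmdline: str


@dataclass(frozen=True)
class RunKeyEvent:
    key: str
    name: str
    value: str      # data of the Run value, i.e. what gets launched at logon


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def observed_system_binaries(events):
    """Basenames seen launching from a system directory in this event set,
    so the rule also catches binaries missing from the static allowlist."""
    return {ntpath.basename(_norm(e.image)) for e in events
            if ntpath.dirname(_norm(e.image)) in SYSTEM_DIRS}


def find_relocated_system_binaries(events):
    """A System32 binary name executing from anywhere else: the masquerading /
    DLL side-loading staging signal seen for pids 1580, 3648 and 2316."""
    names = KNOWN_SYSTEM_BINARIES | observed_system_binaries(events)
    return [(e.pid, e.image) for e in events
            if ntpath.basename(_norm(e.image)) in names
            and ntpath.dirname(_norm(e.image)) not in SYSTEM_DIRS]


def find_rundll32_from_user_path(events):
    """rundll32 <dll>,<export> where the DLL sits under the user profile."""
    hits = []
    for e in events:
        if ntpath.basename(_norm(e.image)) != "rundll32.exe":
            continue
        parts = e.cmdline.split(None, 1)
        if len(parts) < 2:
            continue
        dll, _, export = parts[1].partition(",")
        if USER_PROFILE_DIR.match(_norm(dll)):
            hits.append((e.pid, dll.strip('"'), export.strip()))
    return hits


def find_run_keys_into_profile(run_keys):
    """Run values whose launch target lives under AppData."""
    return [(rk.name, rk.value) for rk in run_keys
            if USER_PROFILE_DIR.match(_norm(rk.value))]


def triage(events, run_keys):
    return {
        "relocated_system_binaries": find_relocated_system_binaries(events),
        "rundll32_user_path": find_rundll32_from_user_path(events),
        "run_keys_into_profile": find_run_keys_into_profile(run_keys),
    }


# Constructed from the process tree and Run-key IoC on this page.
_SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\bb3f80224ccb963c44b6fd5c32407490_JaffaCakes118.dll"
EVENTS = [
    ProcessEvent(4564, r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + _SAMPLE_DLL + ",#1"),
    ProcessEvent(1744, r"C:\Windows\system32\MDMAppInstaller.exe", r"C:\Windows\system32\MDMAppInstaller.exe"),
    ProcessEvent(1580, r"C:\Users\Admin\AppData\Local\2D3dfs\MDMAppInstaller.exe", r"C:\Users\Admin\AppData\Local\2D3dfs\MDMAppInstaller.exe"),
    ProcessEvent(3172, r"C:\Windows\system32\bdeunlock.exe", r"C:\Windows\system32\bdeunlock.exe"),
    ProcessEvent(3648, r"C:\Users\Admin\AppData\Local\dNEWoptGc\bdeunlock.exe", r"C:\Users\Admin\AppData\Local\dNEWoptGc\bdeunlock.exe"),
    ProcessEvent(4844, r"C:\Windows\system32\ApplicationFrameHost.exe", r"C:\Windows\system32\ApplicationFrameHost.exe"),
    ProcessEvent(2316, r"C:\Users\Admin\AppData\Local\W6XQchEl\ApplicationFrameHost.exe", r"C:\Users\Admin\AppData\Local\W6XQchEl\ApplicationFrameHost.exe"),
]
RUN_KEYS = [
    RunKeyEvent(r"\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                "Wdtbxtklooytt",
                r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\1SFtXVX\bdeunlock.exe"),
]

if __name__ == "__main__":
    for rule, hits in triage(EVENTS, RUN_KEYS).items():
        print(rule, *hits, sep="\n  ")
```

The relocation rule is the one that generalises: it does not care which system binary was copied, only that a name that legitimately lives in System32 or SysWOW64 is executing from a user-writable directory, which is exactly what the dropped-EXE / loads-dropped-DLL pairs in the tree show. Feed it Sysmon event 1 or EDR process-creation records instead of the constructed list to run it against real telemetry.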
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 151KB
MD5: 30e978cc6830b04f1e7ed285cccaa746
SHA1: e915147c17e113c676c635e2102bbff90fb7aa52
SHA256: dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766
SHA512: 331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

Filesize: 1.2MB
MD5: f1efe87601d00cd786cfb20f0c0b876e
SHA1: 7db82d6f2bdcff6bc096af39a8c98799b33e0019
SHA256: ceeebd6f5571545724250e1d6061c5c9cb1f6686abd07b6a9bf65909b40cc527
SHA512: 7b3d5c11cc0fcc5ebe2a088d1c594e6218af5f667d5b05bf26b462370e2daaad948f4cf401af301a5a1f94ceb13d9825c95d94c1f9c5dd2790812e6ba3cf4eae

Filesize: 76KB
MD5: d58a8a987a8dafad9dc32a548cc061e7
SHA1: f79fc9e0ab066cad530b949c2153c532a5223156
SHA256: cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4
SHA512: 93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Filesize: 1.2MB
MD5: 4f26c2b68a5cd594556c482a4afdfc00
SHA1: b7049152dce3605c95538786fe7f50e713bd2c38
SHA256: fb34016f6e6e554261aad21ec073737ccd2a87ad788f869e84f4b6e7129981b4
SHA512: a617e854ea838e225a4e7af673ed4878a9f5aebb5cde1066cdd70d07812b9440d575e604f542848749fb2720946160ab783eed9e2f72bb8f93dcf38683e6b25a

Filesize: 1.2MB
MD5: 0c70722fc3e517c1a4a371628f7ed591
SHA1: 88dfb482cb146bc6a297603bbc9b7c686c645e14
SHA256: 31331414e827a19caee99b03fbbaf44b64ce4fc60169d63ebae168353f6003b9
SHA512: 63c3cee41fa5ebdd24a4da61834e9cdfd26fedf99472ef6e634f4b5ddefb23919b525bae2fec1af2d3472638936be43f754469ca2297d3c3307030fc003e97c1

Filesize: 279KB
MD5: fef5d67150c249db3c1f4b30a2a5a22e
SHA1: 41ca037b0229be9338da4d78244b4f0ea5a3d5f3
SHA256: dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603
SHA512: 4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Filesize: 1KB
MD5: 74c5189ebb4cb75400f7ee8b0b64e2be
SHA1: bf5c6f62b592e71323a7d58b12ab2d956e3fb85c
SHA256: e2e637d247251c2829cccae157c3fa552440c329d48254498a6fbdc4e9c0be64
SHA512: 3999d70c7197961998c059cacc21a2a9e8475752ee5263cdd49171a086ccffa293523dfc9758fc0840981356fefe0ca704b4db537eb473b580601cfdcd5b4873