Analysis
- max time kernel: 149s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-09-2024 08:28

Static task: static1

Behavioral task: behavioral1
- Sample: d3f216eeea37381852976689b9c537a8_JaffaCakes118.dll
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: d3f216eeea37381852976689b9c537a8_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: d3f216eeea37381852976689b9c537a8_JaffaCakes118.dll
- Size: 1.2MB
- MD5: d3f216eeea37381852976689b9c537a8
- SHA1: ba8d8d6b2319e53f8b58cf84376e15b214516aa4
- SHA256: 28fb620bc8c98c777202e2c78138149132c9f237f75832028a3c01fd3009398d
- SHA512: ae12c4bbccd60faed5544f406f80c7be37a2aef001dd33d26069bea60d95a78b7c5807d188bcbc92e6ddbcff04584006c5a54013073dafadb0b3b9286966cb0c
- SSDEEP: 24576:/uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NN:B9cKrUqZWLAcUV
Malware Config
Signatures
- YARA rule match
  resource: behavioral2/memory/3472-4-0x0000000007030000-0x0000000007031000-memory.dmp
  yara_rule: dridex_stager_shellcode
- Executes dropped EXE (3 IoCs)
  pid / Process: 5072 dpapimig.exe; 1280 phoneactivate.exe; 2272 Utilman.exe
- Loads dropped DLL (3 IoCs)
  pid / Process: 5072 dpapimig.exe; 1280 phoneactivate.exe; 2272 Utilman.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Daamvycbobhd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\dXQXcDY73fI\\phoneactivate.exe"
  Process: Process not Found
- Checks whether UAC is enabled (4 IoCs)
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: rundll32.exe; dpapimig.exe; phoneactivate.exe; Utilman.exe
- Event Triggered Execution: Accessibility Features (1 TTPs)
  Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 4692 rundll32.exe (4 entries); 3472 Process not Found (the remaining 60 entries, all identical)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid / Process: 3472 Process not Found (2 entries)
- Suspicious use of UnmapMainImage (1 IoCs)
  pid / Process: 3472 Process not Found
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target (each pair is recorded twice):
  PID 3472 (Process not Found) wrote to memory of 2712, target 96
  PID 3472 (Process not Found) wrote to memory of 5072, target 97
  PID 3472 (Process not Found) wrote to memory of 3000, target 98
  PID 3472 (Process not Found) wrote to memory of 1280, target 99
  PID 3472 (Process not Found) wrote to memory of 3948, target 100
  PID 3472 (Process not Found) wrote to memory of 2272, target 101
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3f216eeea37381852976689b9c537a8_JaffaCakes118.dll,#1
  PID: 4692
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4404,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
  PID: 600
- C:\Windows\system32\dpapimig.exe
  command line: C:\Windows\system32\dpapimig.exe
  PID: 2712
- C:\Users\Admin\AppData\Local\nARmGTXfM\dpapimig.exe
  command line: C:\Users\Admin\AppData\Local\nARmGTXfM\dpapimig.exe
  PID: 5072
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\phoneactivate.exe
  command line: C:\Windows\system32\phoneactivate.exe
  PID: 3000
- C:\Users\Admin\AppData\Local\mLnqa\phoneactivate.exe
  command line: C:\Users\Admin\AppData\Local\mLnqa\phoneactivate.exe
  PID: 1280
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\Utilman.exe
  command line: C:\Windows\system32\Utilman.exe
  PID: 3948
- C:\Users\Admin\AppData\Local\xlV\Utilman.exe
  command line: C:\Users\Admin\AppData\Local\xlV\Utilman.exe
  PID: 2272
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
- Accessibility Features (1)
Downloads