Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-09-2024 12:55
Static task: static1
Behavioral task: behavioral1
Sample: e92a56600266f295094dfbf8f2dce8d3_JaffaCakes118.dll
Resource: win7-20240903-en
General
Target: e92a56600266f295094dfbf8f2dce8d3_JaffaCakes118.dll
Size: 1.4MB
MD5: e92a56600266f295094dfbf8f2dce8d3
SHA1: 52db6d1d6db1e21c1cc8a90b275522eed96e04e2
SHA256: 526ebbf20321313197a89bbac67ecc6b3289419dfc06b67031c9d838a355e1ff
SHA512: 5d24771e4232982f1cfb60393826f18c5934840910dafb07cb6e1de8a6932681bd5636ef60e3f413ad2c8b57b451982d59f75dc988693fd757ce12594025990f
SSDEEP: 24576:OuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:u9cKrUqZWLAcU
Malware Config
Signatures

YARA rule match
resource | yara_rule
behavioral2/memory/3376-4-0x0000000002450000-0x0000000002451000-memory.dmp (a 4 KiB region in PID 3376) | dridex_stager_shellcode

Executes dropped EXE 3 IoCs
pid | Process
2756 | EhStorAuthn.exe
3368 | cmstp.exe
3512 | bdechangepin.exe

Loads dropped DLL 4 IoCs
pid | Process
2756 | EhStorAuthn.exe
3368 | cmstp.exe
3368 | cmstp.exe
3512 | bdechangepin.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qebzqfuc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\tm2wnTnZZ2\\cmstp.exe" | Process not Found

Checks whether UAC is enabled 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | EhStorAuthn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cmstp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bdechangepin.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
4024 | rundll32.exe | 4
3376 | Process not Found | 60
"Process not Found" means the sandbox could not resolve an image name for PID 3376. The same PID holds the memory region that matched dridex_stager_shellcode, set the Run key above and is the source of every WriteProcessMemory event below, so it is the process to recover from the memory dump rather than from the process list.

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target | count
PID 3376 wrote to memory of 3580 | 3376 | Process not Found | 89 | 2
PID 3376 wrote to memory of 2756 | 3376 | Process not Found | 90 | 2
PID 3376 wrote to memory of 992 | 3376 | Process not Found | 91 | 2
PID 3376 wrote to memory of 3368 | 3376 | Process not Found | 92 | 2
PID 3376 wrote to memory of 820 | 3376 | Process not Found | 93 | 2
PID 3376 wrote to memory of 3512 | 3376 | Process not Found | 94 | 2
Each of the six targets appears twice in the report (12 IoCs); they are the six child processes listed under Processes below.

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

All seven processes sit at the same depth in the tree; the parent is not shown, but the WriteProcessMemory rows above show PID 3376 writing into each of the six non-rundll32 processes. Each of EhStorAuthn.exe, cmstp.exe and bdechangepin.exe is launched once from System32 and once as a copy in a randomly named folder under %LOCALAPPDATA%, and only the copies load a dropped DLL. Together with the Run key pointing at a further cmstp.exe copy under AppData\Roaming, this layout is consistent with DLL side-loading: a legitimate signed executable is moved next to an attacker DLL so that it resolves one of its imports from its own directory.

C:\Windows\system32\rundll32.exe (PID 4024)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e92a56600266f295094dfbf8f2dce8d3_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\EhStorAuthn.exe (PID 3580)
  command line: C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\be5m\EhStorAuthn.exe (PID 2756)
  command line: C:\Users\Admin\AppData\Local\be5m\EhStorAuthn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\cmstp.exe (PID 992)
  command line: C:\Windows\system32\cmstp.exe

C:\Users\Admin\AppData\Local\Zu4Mmh7s\cmstp.exe (PID 3368)
  command line: C:\Users\Admin\AppData\Local\Zu4Mmh7s\cmstp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled

C:\Windows\system32\bdechangepin.exe (PID 820)
  command line: C:\Windows\system32\bdechangepin.exe

C:\Users\Admin\AppData\Local\KtdCULRX\bdechangepin.exe (PID 3512)
  command line: C:\Users\Admin\AppData\Local\KtdCULRX\bdechangepin.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network

All recorded traffic is reverse (PTR) lookups sent to 8.8.8.8:53, one request and one response each; no forward DNS, HTTP or other outbound traffic appears in this capture. Only the lookup for 92.123.140.25 returned a record.

PTR request | IP looked up | Request size | Response size | Answer
228.249.119.40.in-addr.arpa | 40.119.249.228 | 73 B | 159 B | none
36.56.20.217.in-addr.arpa | 217.20.56.36 | 71 B | 131 B | none
83.177.190.20.in-addr.arpa | 20.190.177.83 | 72 B | 158 B | none
97.17.167.52.in-addr.arpa | 52.167.17.97 | 71 B | 145 B | none
86.23.85.13.in-addr.arpa | 13.85.23.86 | 70 B | 144 B | none
198.187.3.20.in-addr.arpa | 20.3.187.198 | 71 B | 157 B | none
172.214.232.199.in-addr.arpa | 199.232.214.172 | 74 B | 128 B | none
25.140.123.92.in-addr.arpa | 92.123.140.25 | 72 B | 137 B | a92-123-140-25.deploy.static.akamaitechnologies.com
13.227.111.52.in-addr.arpa | 52.111.227.13 | 72 B | 158 B | none
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.6MB
MD5: ffb0554cef93fc4a3e59de4a42a5fff7
SHA1: f7597286e6b3c7831028a9a69c81a65371d98927
SHA256: c3aa41fe13e9071746a07554f139b55d1467519d4f625b38f0719a23ccf663da
SHA512: e9dfb67b2782daaaa8ff9bffc576f93d9de7f23fec14d0b17ee33a0fdc0c8e54809b44a5b7f5cfe7db6bcd59eaf271eca3dc42cdf11bea0df782ee1a18daffd0

Filesize: 373KB
MD5: 601a28eb2d845d729ddd7330cbae6fd6
SHA1: 5cf9f6f9135c903d42a7756c638333db8621e642
SHA256: 4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6
SHA512: 1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Filesize: 1.4MB
MD5: c2a286dee73536fb9384b2f3ec520863
SHA1: 0fa09ec4d9f275a259dcb73f1e0190e28beeb303
SHA256: c0566b92f937c5517193923632c151155bbbf236e3441834198c06cb0a14957d
SHA512: 7ff8d76ae106686228dadf33f910644f152244ece3602fb5096161863a531e4fdb7e2705e53f37a18c7b2c81ad4f11eec4b9d978805c2f0c390f02d0335c5635

Filesize: 96KB
MD5: 4cc43fe4d397ff79fa69f397e016df52
SHA1: 8fd6cf81ad40c9b123cd75611860a8b95c72869c
SHA256: f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c
SHA512: 851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

Filesize: 128KB
MD5: d45618e58303edb4268a6cca5ec99ecc
SHA1: 1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513
SHA256: d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c
SHA512: 5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Filesize: 1.4MB
MD5: 555b9c110795f9386e1b8b97c4276f88
SHA1: 0574473ce07e9b43a15abc674cdc4770a455bb6b
SHA256: 4d00d412492f362ede772fdf369021cb14f19f132e9e1895be36de4f3bcf8e23
SHA512: bb4c17ed15eeb083e4c7b9b044f2f9c961c07817645791efbcaa77a8e93f9036bb5d5a10b6de96b2ad5c1122e9cb09a0b934be7a568a754649e8282ca02d9040

Filesize: 989B
MD5: a4558a7da6d25ee8fddd173367ae4475
SHA1: 3a98386aeff12a99989995af52508d3538f28e09
SHA256: 60d7ad9d99d23d31ec3f03db8da06ded4448289897abcd9c6b0551a25d22f980
SHA512: afcbec356fb21c0c2681a6fed589f7320118a191c64d2a6e81fa15045d65dd8df555d4d5dbb4cd20bcb08ef9e5eae7b0916db76c8fff9f77c7e67cee3dd6fa02