Analysis

max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 21-09-2024 08:56

Static task: static1
Behavioral task: behavioral1
Sample: ef747e43d5de3708eb4a10f4eb17f2d3_JaffaCakes118.dll
Resource: win7-20240708-en
General

Target: ef747e43d5de3708eb4a10f4eb17f2d3_JaffaCakes118.dll
Size: 1.2MB
MD5: ef747e43d5de3708eb4a10f4eb17f2d3
SHA1: 2752f41170e192acc418d1b19791763326c1b363
SHA256: a778300ec5f7f0660a1009be0d859897cf12b0ff1f60cd01ec2adf82aeaf5844
SHA512: 0d42f89ad6d9884b68e07af6ed9f1a19b39975b234dc4ebf5e664c484ae81ac628d396efc485e2aa0b5cc9dca7403d13adec99ec08831c18e9595819166bd08a
SSDEEP: 24576:BuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NI:T9cKrUqZWLAcUw
Malware Config
Signatures
YARA rule match
resource: behavioral1/memory/1208-5-0x0000000002980000-0x0000000002981000-memory.dmp
yara_rule: dridex_stager_shellcode
Executes dropped EXE 3 IoCs
pid   Process
2668  mblctr.exe
2996  DisplaySwitch.exe
584   calc.exe
Loads dropped DLL 7 IoCs
pid   Process
1208  Process not Found
2668  mblctr.exe
1208  Process not Found
2996  DisplaySwitch.exe
1208  Process not Found
584   calc.exe
1208  Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcbsdqtxprcnbm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\HO5Z\\DISPLA~1.EXE"
Process: Process not Found
Checks whether UAC is enabled
description         ioc                                                                                  Process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   DisplaySwitch.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   calc.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   mblctr.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
1620  rundll32.exe (3 entries)
1208  Process not Found (all remaining entries)
Suspicious use of WriteProcessMemory 18 IoCs
description                        pid   Process            procid_target
PID 1208 wrote to memory of 2596   1208  Process not Found  30   (3 entries)
PID 1208 wrote to memory of 2668   1208  Process not Found  31   (3 entries)
PID 1208 wrote to memory of 2984   1208  Process not Found  32   (3 entries)
PID 1208 wrote to memory of 2996   1208  Process not Found  33   (3 entries)
PID 1208 wrote to memory of 2792   1208  Process not Found  34   (3 entries)
PID 1208 wrote to memory of 584    1208  Process not Found  35   (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef747e43d5de3708eb4a10f4eb17f2d3_JaffaCakes118.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1620

C:\Windows\system32\mblctr.exe
  command line: C:\Windows\system32\mblctr.exe
  PID: 2596

C:\Users\Admin\AppData\Local\yAxe\mblctr.exe
  command line: C:\Users\Admin\AppData\Local\yAxe\mblctr.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2668

C:\Windows\system32\DisplaySwitch.exe
  command line: C:\Windows\system32\DisplaySwitch.exe
  PID: 2984

C:\Users\Admin\AppData\Local\KSF3\DisplaySwitch.exe
  command line: C:\Users\Admin\AppData\Local\KSF3\DisplaySwitch.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 2996

C:\Windows\system32\calc.exe
  command line: C:\Windows\system32\calc.exe
  PID: 2792

C:\Users\Admin\AppData\Local\gz9jST\calc.exe
  command line: C:\Users\Admin\AppData\Local\gz9jST\calc.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 584
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Accessibility Features (1)
Downloads

Filesize: 517KB
MD5: b795e6138e29a37508285fc31e92bd78
SHA1: d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a
SHA256: 01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659
SHA512: 8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Filesize: 1.2MB
MD5: ee479fb581cca792169a2bbcea0b8411
SHA1: 9c8748fcf66c34ecb8ddef3a13910ebee277f7b5
SHA256: ad8a6cdb3b00beb1a0da01a06601800b127f962adfa218a859ef3da3ae97a310
SHA512: 5c240b0b6464c7188027bfe16e567b4cecf51d44031de0f529a5dcc6cd7297e6278da67bb4945dca1239e5e45aaec373d42cb900f08afc6db798453579e75ee7

Filesize: 1.2MB
MD5: 0413610f788af96d4af609c4ccd04b78
SHA1: d916dfb03b4b570e4cb35ddcbebb4bdacc30c55f
SHA256: 900baa9d780e23dc6289ba2433cbbdddbee313a0351b839f56b7f7777219c249
SHA512: fa23a79d5143c035f465f0e69a0e7808c44e0ed915a0a45bc38e126cdb2c1d605fdbf6948ae28b228bad63ff8d46e2f748671c9880f8afcac7a98cb76068be2e

Filesize: 935KB
MD5: fa4c36b574bf387d9582ed2c54a347a8
SHA1: 149077715ee56c668567e3a9cb9842284f4fe678
SHA256: b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f
SHA512: 1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Filesize: 1KB
MD5: ab6238b1f0151a24a8bebdd94607b64f
SHA1: 5143aac1a49caa354502f0a4cdcbdd9ca44b2851
SHA256: b2148203ebd114b355c3e35b291b22dff308eab09a27c962260e28f595d8bae2
SHA512: 01e94824100ec92dd715e8c68e71300feaf5cc5d7e5dc2e879a986a6ca1e886430ca37a1f78d21493f4e9547e3eba3f7de5149479d616ad65decbc298831cc13

Filesize: 1.2MB
MD5: 078fc2070232eda656083a5b53f3163f
SHA1: fc8d28a896b8003a8424e8ad89390a87c754f64e
SHA256: 9f941014964341d8f3606d2453988e5af9e8b64bfe66507bee5a14fa98066faa
SHA512: eaa17cf5d4b05cd68e00d41a2729a18561478c92e5b3dcea60c4f36aa53c5ed87191ccc3cb5c006f0bce0037e65e96543a517e2a8fc9d4a5d379ab2ab85f793d

Filesize: 897KB
MD5: 10e4a1d2132ccb5c6759f038cdb6f3c9
SHA1: 42d36eeb2140441b48287b7cd30b38105986d68f
SHA256: c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b
SHA512: 9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d