Analysis

max time kernel: 142s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-10-2024 16:05

Static task: static1
Behavioral task: behavioral1
Sample: 30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll
Resource: win7-20240903-en
General

Target: 30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll
Size: 378KB
MD5: 30bd3b3bd7381349e197d2ef177ca9c3
SHA1: 2405334c09be197e6b02f164dc6156b984ed1a8d
SHA256: 514cc64434bfa10f76874da27c20a1de0e1de8d671168ac7409b04e4e48bf023
SHA512: 70a6b3117e2c43f42b835171d874f2d0cf3aa3cb15bb7713b7b057c8fc1c1ba7b42d9defcd1d0b4f73eee10a8bc3d85ed7d853696663d04185e60b80656756d0
SSDEEP: 3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2MY:vs6Xpq0H3Jhds/9+qC/zfTPLe
Malware Config

Extracted

Family: qakbot
Version: 402.343
Botnet: obama104
Campaign: 1632729661

C2:
  95.77.223.148:443
  47.22.148.6:443
  89.101.97.139:443
  27.223.92.142:995
  120.151.47.189:443
  136.232.34.70:443
  120.150.218.241:995
  185.250.148.74:443
  181.118.183.94:443
  140.82.49.12:443
  67.165.206.193:993
  103.148.120.144:443
  71.74.12.34:443
  76.25.142.196:443
  73.151.236.31:443
  173.21.10.71:2222
  75.188.35.168:443
  2.178.88.145:61202
  71.80.168.245:443
  45.46.53.140:2222
  109.12.111.14:443
  105.198.236.99:443
  73.77.87.137:443
  41.248.239.221:995
  182.176.112.182:443
  96.37.113.36:993
  75.66.88.33:443
  162.244.227.34:443
  24.229.150.54:995
  216.201.162.158:443
  92.59.35.196:2222
  196.218.227.241:995
  24.139.72.117:443
  68.207.102.78:443
  72.252.201.69:443
  2.188.27.77:443
  177.130.82.197:2222
  68.204.7.158:443
  189.210.115.207:443
  181.163.96.53:443
  24.55.112.61:443
  75.107.26.196:465
  185.250.148.74:2222
  68.186.192.69:443
  24.152.219.253:995
  50.29.166.232:995

Attributes:
  salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures

Windows security bypass
(reg.exe adds Windows Defender path exclusions; the same actions are labelled "Windows security bypass" in the process tree below)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Bukkvxds = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Ygepigh = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Loads dropped DLL (1 IoC)

pid | Process
896 | regsvr32.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Modifies data under HKEY_USERS (10 IoCs)

description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mjvlycxyxykb\592aca40 = 2a8f6ef6a668ca94887266800f4cbba364de324f0d0f5124967184c97db15d1054 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mjvlycxyxykb\242285ca = 300879430e55c010af7c3731b9f85399aa7ca525728d5de3b8a1ead64732581bce28bed034fb4431768bcd11e669588d3372bcd3505c0b6a8a698d9adce2c6417d31160282df8f191629918514d399faa74b914df24702e94b5683280e5f | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mjvlycxyxykb\a90132e1 = 04805c57024cf5e485420dee498b69d2d45ab3822e77a622c39060fda77a51973f6e70e832a4a422 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mjvlycxyxykb\d6485d17 = c4c002d4c35bade8f6ea0a6319d7bd6a7dd7d8a65aa689f3962e3d49db89c5cf02b4648f4fc071c353f5ad847e0554e21c4bca3010b437611b71d25ad5bf3fc10a563a792e4b8e0fa7b9c9c5b6383d4c2c6201b13d3666cd675a30401cae4dffb7ab7d1b4cec38ab38cbf58e40cb5328e3 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mjvlycxyxykb\e3d78d59 = f6801c4312622acfb4ba183d5107448e2bf8d895e415289b6f1dade6c146c491442381c615dd33e491760aa35032444d8073eb530c69e6f580b29f180bf94ded9462f7b4221ccb6f3b80b7ebcd369d588de8b4baeb42a941a4b44bb7b14e53137502c71a8516960ddf2df877ebe0f4083b164f725b10ee5fb10b97f41cab4bdd68115f65d7a3d46c078d5efa | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mjvlycxyxykb\d6485d17 = c4c015d4c35b98918d8e59c590523a1fc30067fba38e5d3e10727e0c11c2e72cc81d65e5c4ed5e5f39bf3ad43a85d1d6a67725f3852bf9ca9b235055ffb8902ad109bfd78acccdaffcdc99ec5bb66d89db2e58fe8bda01277d18a99e | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mjvlycxyxykb\e196ad25 = 82d6ff7fcd90cd181f0df465c6821749af2d3a57ea91d4aa8e4f53e5b4db9867ddf2dbf50da4b040717cb7 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mjvlycxyxykb\9c9ee2af = 5b73a2df7aa964da98a9442c484be5d32ed971cbfd1dadef41bf867737ee2f437e05103ea8ed06ce788b85f1b8b51f9a511bcbc6217ed1c2e10d0541f66180f39cabb7dfccea79a5e6b344987ab9ca489e368783b748a9437d2fb5a07a09473f09efcb784aa2a4fe7c3c | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Mjvlycxyxykb\5b6bea3c = 455b1b87638312bd3d5745c652f5fe0c99f3fbc1ec5ae08358 | explorer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Mjvlycxyxykb | explorer.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid | Process
2924 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
2052 | rundll32.exe
896 | regsvr32.exe

Suspicious behavior: MapViewOfSection (2 IoCs)

pid | Process
2052 | rundll32.exe
896 | regsvr32.exe
Suspicious use of WriteProcessMemory (43 IoCs)
(identical rows collapsed; the "count" column gives how many times each row appears in the report)

description | pid | Process | procid_target | count
PID 2464 wrote to memory of 2052 | 2464 | rundll32.exe | 31 | 7
PID 2052 wrote to memory of 2320 | 2052 | rundll32.exe | 32 | 6
PID 2320 wrote to memory of 2924 | 2320 | explorer.exe | 33 | 4
PID 2404 wrote to memory of 2072 | 2404 | taskeng.exe | 36 | 5
PID 2072 wrote to memory of 896 | 2072 | regsvr32.exe | 37 | 7
PID 896 wrote to memory of 2036 | 896 | regsvr32.exe | 38 | 6
PID 2036 wrote to memory of 2732 | 2036 | explorer.exe | 39 | 4
PID 2036 wrote to memory of 1732 | 2036 | explorer.exe | 41 | 4
Processes
(indentation shows the parent/child depth of each process)

C:\Windows\system32\rundll32.exe  (PID 2464)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe  (PID 2052)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\explorer.exe  (PID 2320)
          command line: C:\Windows\SysWOW64\explorer.exe
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe  (PID 2924)
              command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn adxvwgrb /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll\"" /SC ONCE /Z /ST 16:07 /ET 16:19
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\taskeng.exe  (PID 2404)
  command line: taskeng.exe {2E620663-A278-43A7-8A4E-3377D96F19F8} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\regsvr32.exe  (PID 2072)
      command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\regsvr32.exe  (PID 896)
          command line: -s "C:\Users\Admin\AppData\Local\Temp\30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll"
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\explorer.exe  (PID 2036)
              command line: C:\Windows\SysWOW64\explorer.exe
              - System Location Discovery: System Language Discovery
              - Modifies data under HKEY_USERS
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\reg.exe  (PID 2732)
                  command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Bukkvxds" /d "0"
                  - Windows security bypass

                C:\Windows\system32\reg.exe  (PID 1732)
                  command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Ygepigh" /d "0"
                  - Windows security bypass
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 378KB
MD5: 30bd3b3bd7381349e197d2ef177ca9c3
SHA1: 2405334c09be197e6b02f164dc6156b984ed1a8d
SHA256: 514cc64434bfa10f76874da27c20a1de0e1de8d671168ac7409b04e4e48bf023
SHA512: 70a6b3117e2c43f42b835171d874f2d0cf3aa3cb15bb7713b7b057c8fc1c1ba7b42d9defcd1d0b4f73eee10a8bc3d85ed7d853696663d04185e60b80656756d0