Analysis
max time kernel: 138s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-10-2024 16:05
Static task: static1
Behavioral task: behavioral1
Sample: 30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll
Resource: win7-20240903-en
General
Target: 30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll
Size: 378KB
MD5: 30bd3b3bd7381349e197d2ef177ca9c3
SHA1: 2405334c09be197e6b02f164dc6156b984ed1a8d
SHA256: 514cc64434bfa10f76874da27c20a1de0e1de8d671168ac7409b04e4e48bf023
SHA512: 70a6b3117e2c43f42b835171d874f2d0cf3aa3cb15bb7713b7b057c8fc1c1ba7b42d9defcd1d0b4f73eee10a8bc3d85ed7d853696663d04185e60b80656756d0
SSDEEP: 3072:Do6vBnby4Yx0XjFFzPQ0MslzERfQB24hLxBVi/b/9+PdpiWC35ol/uwfTuT2b2MY:vs6Xpq0H3Jhds/9+qC/zfTPLe
Malware Config
Extracted
Family: qakbot
Version: 402.343
Botnet: obama104
Campaign: 1632729661
C2:
95.77.223.148:443
47.22.148.6:443
89.101.97.139:443
27.223.92.142:995
120.151.47.189:443
136.232.34.70:443
120.150.218.241:995
185.250.148.74:443
181.118.183.94:443
140.82.49.12:443
67.165.206.193:993
103.148.120.144:443
71.74.12.34:443
76.25.142.196:443
73.151.236.31:443
173.21.10.71:2222
75.188.35.168:443
2.178.88.145:61202
71.80.168.245:443
45.46.53.140:2222
109.12.111.14:443
105.198.236.99:443
73.77.87.137:443
41.248.239.221:995
182.176.112.182:443
96.37.113.36:993
75.66.88.33:443
162.244.227.34:443
24.229.150.54:995
216.201.162.158:443
92.59.35.196:2222
196.218.227.241:995
24.139.72.117:443
68.207.102.78:443
72.252.201.69:443
2.188.27.77:443
177.130.82.197:2222
68.204.7.158:443
189.210.115.207:443
181.163.96.53:443
24.55.112.61:443
75.107.26.196:465
185.250.148.74:2222
68.186.192.69:443
24.152.219.253:995
50.29.166.232:995
salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures

Windows security bypass
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Bovuxvijw = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Yoinyc = "0" | reg.exe
Loads dropped DLL 1 IoCs
pid | Process
4832 | regsvr32.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Modifies data under HKEY_USERS 10 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Onixfptzmyyu\96d72625 = 74820c5caeb958ecab456abb6c7e8bf00ae5933cc5824b2b7435896d66f08785a898c3cd8ca75417fee75d7de868a247ed87e660d1a514bad9a46c8747e976e42d356c4943d6468e75ec4ca5ea42c85b53418b869559 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Onixfptzmyyu\51222eb6 = e380d9e4627350d3687050c00d0099e98570a57bf6b6a63b764b5b736e89ef369aa0ec5ee0775165a0fa17cc77abbbc917f491b1c0851e54ae7f2b45befa6a5c29ff47 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Onixfptzmyyu\dc01999d = 3349f2d70a4813edf4d09a385d669154136f1dcfb03d055cbec3aaa9dd63feae2e87c8226fe70cf8b108c322238cf4b2ea3a074d4691213bec89fa38b38d84a7661cefad8dfe33eed48e3bfc348b88c40499e4647f9ed5fc25fe7923cd | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Onixfptzmyyu\ebdf69af = 25c5b0c2c41f1f857e2a09dc91d19652e52082d2d5f0478dd112cccd0acd5cef3ff97b73 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Onixfptzmyyu\2e6b4140 = addd10b3a46b31af511f707986bacfe18214757905889f3c39d18577baadddc4a3a4bc8b002ece739751e62f787a25208459ce4a4454a4b8b0260e0267754e22df05d390f769 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Onixfptzmyyu\a348f66b = db3ad63b03c5448002816303a91592b817f96e8103d33512b33a0f0cc33c0b136c76d06eca8245943bc05eb954f2bd673eb829d17faec1ecf406007ca470d57235a7c09e419c807aa53b52dcca41c0303b26833bdca3858cc8bb2e9bb0c882c4 | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Onixfptzmyyu\dc01999d = 3349e5d70a48269417160918b88c8cc7d2ebe8d575581dd8439369558379c49353b0330009fd0190de7cf50d346d3f61ae82e0277915ac37289658e792cadc317c902b695c7989d3e413d6673c57ab0c12e55b0629f76a450bbd537cc09d72ae2e952db0cc2cbf45dd6e48d43241e3b50236 | explorer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Onixfptzmyyu | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Onixfptzmyyu\e99e49d3 = 0a36c44861ce711e296bdd22d2b59526a77f2ea263c6da994c3e9319ec686cfefeccd4a94a77e649f9ab0b8c879ea1cfb8b868d580b1492e896ca1aa3c444c8d6e2273a362571e9983ac140a40ad456d24cb7d8b5af3c25987561c3038f0b4dd678be122590cfaea8d0d0593202941edc49acb743c221c78a9fab0b9e94cded87f68cc0f980242dc9f5d9e5ee833df6d5a1f8ee1c947b23e7cc26b7f602c6b5e115cc2a741b46b87c6daa4b6c5c1fa152d880a1cfbf2e00d66d6f950e8c10513ac1155152f5e7e | explorer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Onixfptzmyyu\53630eca = f29686914803451519a34cc30db2dff6a7c7fe7212b45c760504d3ebdb47a2187a9ac3d2997056f2a10b94429f1aa670d8cf3227da7d95974aa0d26c7432d4dc9bde4be5bd89f0c00c7574df30a6c15c23bc4adbaeaf77a89b0c9665f5b270474486699ed8e5562ae75fed507376f6948f6e | explorer.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1764 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
3160 | rundll32.exe
3160 | rundll32.exe
4832 | regsvr32.exe
4832 | regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
3160 | rundll32.exe
4832 | regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 4728 wrote to memory of 3160 | 4728 | rundll32.exe | 83
PID 4728 wrote to memory of 3160 | 4728 | rundll32.exe | 83
PID 4728 wrote to memory of 3160 | 4728 | rundll32.exe | 83
PID 3160 wrote to memory of 2964 | 3160 | rundll32.exe | 87
PID 3160 wrote to memory of 2964 | 3160 | rundll32.exe | 87
PID 3160 wrote to memory of 2964 | 3160 | rundll32.exe | 87
PID 3160 wrote to memory of 2964 | 3160 | rundll32.exe | 87
PID 3160 wrote to memory of 2964 | 3160 | rundll32.exe | 87
PID 2964 wrote to memory of 1764 | 2964 | explorer.exe | 88
PID 2964 wrote to memory of 1764 | 2964 | explorer.exe | 88
PID 2964 wrote to memory of 1764 | 2964 | explorer.exe | 88
PID 1828 wrote to memory of 4832 | 1828 | regsvr32.exe | 97
PID 1828 wrote to memory of 4832 | 1828 | regsvr32.exe | 97
PID 1828 wrote to memory of 4832 | 1828 | regsvr32.exe | 97
PID 4832 wrote to memory of 1776 | 4832 | regsvr32.exe | 98
PID 4832 wrote to memory of 1776 | 4832 | regsvr32.exe | 98
PID 4832 wrote to memory of 1776 | 4832 | regsvr32.exe | 98
PID 4832 wrote to memory of 1776 | 4832 | regsvr32.exe | 98
PID 4832 wrote to memory of 1776 | 4832 | regsvr32.exe | 98
PID 1776 wrote to memory of 4504 | 1776 | explorer.exe | 99
PID 1776 wrote to memory of 4504 | 1776 | explorer.exe | 99
PID 1776 wrote to memory of 3988 | 1776 | explorer.exe | 101
PID 1776 wrote to memory of 3988 | 1776 | explorer.exe | 101
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4728

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll,#1
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 3160

    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2964

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn tjenzehyi /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll\"" /SC ONCE /Z /ST 16:07 /ET 16:19
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID: 1764

C:\Windows\system32\regsvr32.exe
  Command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll"
  - Suspicious use of WriteProcessMemory
  PID: 1828

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: -s "C:\Users\Admin\AppData\Local\Temp\30bd3b3bd7381349e197d2ef177ca9c3_JaffaCakes118.dll"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 4832

    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      PID: 1776

      C:\Windows\system32\reg.exe
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Bovuxvijw" /d "0"
        - Windows security bypass
        PID: 4504

      C:\Windows\system32\reg.exe
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Yoinyc" /d "0"
        - Windows security bypass
        PID: 3988
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 378KB
MD5: 30bd3b3bd7381349e197d2ef177ca9c3
SHA1: 2405334c09be197e6b02f164dc6156b984ed1a8d
SHA256: 514cc64434bfa10f76874da27c20a1de0e1de8d671168ac7409b04e4e48bf023
SHA512: 70a6b3117e2c43f42b835171d874f2d0cf3aa3cb15bb7713b7b057c8fc1c1ba7b42d9defcd1d0b4f73eee10a8bc3d85ed7d853696663d04185e60b80656756d0