Analysis

max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/10/2024, 05:28 UTC

Static task: static1
Behavioral task: behavioral1
Sample: 65a62742a787e492b028d52bdb05e703_JaffaCakes118.dll
Resource: win7-20240903-en
General

Target: 65a62742a787e492b028d52bdb05e703_JaffaCakes118.dll
Size: 1.1MB
MD5: 65a62742a787e492b028d52bdb05e703
SHA1: f2b8cf85e293861d8cb1cd943909c96e528781e6
SHA256: 60bd90f888794eb99bba351ecab0e7c63e74bc5a05ffa87404e0f60912fbf384
SHA512: e3bc49d29f577273ca331cd1f4325de3edda00bef6fe0a999534b7ddda3d548a683bdb2a4f5e8a5ab4ceb13520a7183d5b03f04bf775206896d7d74bceb5504c
SSDEEP: 12288:ydMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0Tkr:EMIJxSDX3bqjhcfHk7MzH6zQr
Malware Config
Signatures
Dridex stager shellcode in memory (yara rule dridex_stager_shellcode, 1 memory dump):
resource                                                                          yara_rule
behavioral1/memory/1216-4-0x0000000002540000-0x0000000002541000-memory.dmp       dridex_stager_shellcode

Dridex payload in memory (yara rule dridex_payload, 10 memory dumps from PIDs 2080, 1216, 1500, 1048 and 796, all mapped at image base 0x140000000):
resource                                                                          yara_rule
behavioral1/memory/2080-1-0x0000000140000000-0x0000000140112000-memory.dmp       dridex_payload
behavioral1/memory/2080-65-0x0000000140000000-0x0000000140112000-memory.dmp      dridex_payload
behavioral1/memory/1216-58-0x0000000140000000-0x0000000140112000-memory.dmp      dridex_payload
behavioral1/memory/1216-56-0x0000000140000000-0x0000000140112000-memory.dmp      dridex_payload
behavioral1/memory/1216-45-0x0000000140000000-0x0000000140112000-memory.dmp      dridex_payload
behavioral1/memory/1500-75-0x0000000140000000-0x0000000140113000-memory.dmp      dridex_payload
behavioral1/memory/1500-79-0x0000000140000000-0x0000000140113000-memory.dmp      dridex_payload
behavioral1/memory/1048-91-0x0000000140000000-0x0000000140119000-memory.dmp      dridex_payload
behavioral1/memory/1048-96-0x0000000140000000-0x0000000140119000-memory.dmp      dridex_payload
behavioral1/memory/796-113-0x0000000140000000-0x0000000140113000-memory.dmp      dridex_payload
Executes dropped EXE 3 IoCs
pid    Process
1500   DWWIN.EXE
1048   msconfig.exe
796    ComputerDefaults.exe

Loads dropped DLL 7 IoCs
pid    Process
1216   Process not Found
1500   DWWIN.EXE
1216   Process not Found
1048   msconfig.exe
1216   Process not Found
796    ComputerDefaults.exe
1216   Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
description        ioc                                                                                                                                                                   Process
Set value (str)    \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wtobeyey = "C:\Users\Admin\AppData\Roaming\MACROM~1\FLASHP~1\#SHARE~1\2UPEJ9LT\66d\msconfig.exe"    Process not Found
(The value data is written with 8.3 short names; expanded it points under %APPDATA%\Macromedia\Flash Player\#SharedObjects\... and launches the relocated msconfig.exe copy at logon.)

Checks whether UAC is enabled 3 IoCs
description          ioc                                                                                   Process
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    ComputerDefaults.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    DWWIN.EXE
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    msconfig.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process              entries
2080   regsvr32.exe         3
1216   Process not Found    60
1500   DWWIN.EXE            1
Suspicious use of WriteProcessMemory 18 IoCs (each target written three times)
description                           pid    Process              procid_target
PID 1216 wrote to memory of 2788      1216   Process not Found    31
PID 1216 wrote to memory of 1500      1216   Process not Found    32
PID 1216 wrote to memory of 1092      1216   Process not Found    33
PID 1216 wrote to memory of 1048      1216   Process not Found    34
PID 1216 wrote to memory of 2432      1216   Process not Found    35
PID 1216 wrote to memory of 796       1216   Process not Found    36
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\65a62742a787e492b028d52bdb05e703_JaffaCakes118.dll
  - Suspicious behavior: EnumeratesProcesses
  PID: 2080

C:\Windows\system32\DWWIN.EXE
  command line: C:\Windows\system32\DWWIN.EXE
  PID: 2788

C:\Users\Admin\AppData\Local\ST2nn7d5z\DWWIN.EXE
  command line: C:\Users\Admin\AppData\Local\ST2nn7d5z\DWWIN.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  PID: 1500

C:\Windows\system32\msconfig.exe
  command line: C:\Windows\system32\msconfig.exe
  PID: 1092

C:\Users\Admin\AppData\Local\KNwM1HH\msconfig.exe
  command line: C:\Users\Admin\AppData\Local\KNwM1HH\msconfig.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 1048

C:\Windows\system32\ComputerDefaults.exe
  command line: C:\Windows\system32\ComputerDefaults.exe
  PID: 2432

C:\Users\Admin\AppData\Local\daXm\ComputerDefaults.exe
  command line: C:\Users\Admin\AppData\Local\daXm\ComputerDefaults.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID: 796
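The process tree shows the pattern worth hunting for: three legitimate Windows executables (DWWIN.EXE, msconfig.exe, ComputerDefaults.exe) are each started once from System32 and then again from a randomly named directory under AppData\Local, where they pick up the dropped DLL that the "Loads dropped DLL" signature flags, while the Run key points a copy of msconfig.exe at an 8.3-short-named path under AppData\Roaming. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it encodes those three observations as checks and runs them over records constructed from this report's own process tree and Run-key IOC. The system-directory allow-list, the seed list of OS binary names, the Sysmon event sources mentioned in the docstring and the record layout are assumptions; the sandbox does not name the process behind PID 1216, so no parent name is asserted.

```python
"""Hunt for relocated OS binaries (side-loading hosts) and matching Run-key persistence.

Added example, not part of the sandbox report. The records below are constructed
from the report's process tree and Run-key IOC so the checks run offline; in
production they would come from Sysmon event 1 (process create) and event 13
(registry value set) instead (assumption).
"""
import ntpath
import re
from dataclasses import dataclass

# Directories OS binaries legitimately start from (assumption: derive from
# %SystemRoot% on the host rather than hard-coding the C: drive).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# Per-user, user-writable locations: an OS binary has no business running here.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# 8.3 short-name path components such as MACROM~1 in the report's Run value.
SHORT_NAME = re.compile(r"\\[^\\]*~\d+\\")


@dataclass(frozen=True)
class ProcStart:
    pid: int
    image: str    # full path of the executable
    cmdline: str


@dataclass(frozen=True)
class RunValue:
    name: str
    data: str


def norm(path: str) -> str:
    """Case-fold and normalise a Windows path so directory comparisons are exact."""
    return ntpath.normpath(path).lower()


def system_binary_names(starts, seed=("dwwin.exe", "msconfig.exe", "computerdefaults.exe")):
    """Basenames of executables seen starting from a system directory, plus a
    seed list (assumption: production would snapshot System32 instead)."""
    names = set(seed)
    for s in starts:
        head, tail = ntpath.split(norm(s.image))
        if head in SYSTEM_DIRS:
            names.add(tail)
    return names


def relocated_system_binaries(starts):
    """Process starts whose image carries an OS binary's name but runs from a
    user-writable directory: the side-loading host pattern in this report."""
    names = system_binary_names(starts)
    hits = []
    for s in starts:
        path = norm(s.image)
        head, tail = ntpath.split(path)
        if tail in names and head not in SYSTEM_DIRS and USER_WRITABLE.match(path):
            hits.append(s)
    return hits


def regsvr32_loading_user_dll(starts):
    """regsvr32 registering a DLL that sits in a user-writable directory."""
    hits = []
    for s in starts:
        if ntpath.basename(norm(s.image)) != "regsvr32.exe":
            continue
        if any(a.lower().endswith(".dll") and USER_WRITABLE.match(norm(a))
               for a in s.cmdline.split()):
            hits.append(s)
    return hits


def suspicious_run_values(values, names):
    """Run-key entries that launch an OS-named binary from a user profile path;
    the flag records whether 8.3 short names were used to disguise the path."""
    hits = []
    for v in values:
        data = norm(v.data.strip('"'))
        if USER_WRITABLE.match(data) and ntpath.basename(data) in names:
            hits.append((v.name, bool(SHORT_NAME.search(data))))
    return hits


# Constructed from the report's process tree (PID 1216, which later wrote into
# each of these processes, is rendered by the sandbox only as "Process not Found").
SAMPLE_STARTS = [
    ProcStart(2080, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\65a62742a787e492b028d52bdb05e703_JaffaCakes118.dll"),
    ProcStart(2788, r"C:\Windows\system32\DWWIN.EXE", r"C:\Windows\system32\DWWIN.EXE"),
    ProcStart(1500, r"C:\Users\Admin\AppData\Local\ST2nn7d5z\DWWIN.EXE", r"C:\Users\Admin\AppData\Local\ST2nn7d5z\DWWIN.EXE"),
    ProcStart(1092, r"C:\Windows\system32\msconfig.exe", r"C:\Windows\system32\msconfig.exe"),
    ProcStart(1048, r"C:\Users\Admin\AppData\Local\KNwM1HH\msconfig.exe", r"C:\Users\Admin\AppData\Local\KNwM1HH\msconfig.exe"),
    ProcStart(2432, r"C:\Windows\system32\ComputerDefaults.exe", r"C:\Windows\system32\ComputerDefaults.exe"),
    ProcStart(796, r"C:\Users\Admin\AppData\Local\daXm\ComputerDefaults.exe", r"C:\Users\Admin\AppData\Local\daXm\ComputerDefaults.exe"),
]
# Constructed from the report's "Adds Run key" IOC (backslashes un-escaped).
SAMPLE_RUN_VALUES = [
    RunValue("Wtobeyey", r"C:\Users\Admin\AppData\Roaming\MACROM~1\FLASHP~1\#SHARE~1\2UPEJ9LT\66d\msconfig.exe"),
]

if __name__ == "__main__":
    for s in relocated_system_binaries(SAMPLE_STARTS):
        print(f"OS binary started from user-writable path: pid={s.pid} {s.image}")
    for s in regsvr32_loading_user_dll(SAMPLE_STARTS):
        print(f"regsvr32 loading DLL from user-writable path: pid={s.pid}")
    for name, short in suspicious_run_values(SAMPLE_RUN_VALUES, system_binary_names(SAMPLE_STARTS)):
        print(f"Run value {name!r} points into a user profile (8.3 names: {short})")
```

Run against the constructed records, the first check returns the three AppData copies (PIDs 1500, 1048 and 796) and not the System32 originals, the second returns the regsvr32 launch of the sample DLL from Temp, and the third returns the Wtobeyey Run value with the short-name flag set. The allow-list-by-directory approach deliberately ignores the executable's signature: the relocated copies here are genuine, signed Microsoft binaries, so a signature check alone would pass them.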
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.1MB
MD5: 567f73f77004e87bf9fd01f9b70fc4ac
SHA1: 59a1868537eca9d34505fd4a2c8c1c2189b80828
SHA256: 9a2c9cc3911200918bf7ea26e5fc5506df5ff3ccd45d6dc21b204e01a6d2e247
SHA512: 348d5ac65aefa423056819712199461474ffff4b4a2f97d1ea9b7f114d69fd3d69d1ae731bb982b1200bccb87169ad400ecb8c79cca44e7f21048e92dd434cb4

Filesize: 149KB
MD5: 25247e3c4e7a7a73baeea6c0008952b1
SHA1: 8087adb7a71a696139ddc5c5abc1a84f817ab688
SHA256: c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050
SHA512: bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Filesize: 1.1MB
MD5: ae35de056c5fe7121ae8c0fbbe6e82c0
SHA1: c582682acfafe55b445f10ecc12c02a5e934b7f1
SHA256: d5477413c9e29f9837ebc995170fcc3c47a52b09ee34a3ecf3975f4ece6243dd
SHA512: 47c9fd4f184da24cbc414e01e8c80beee8c78010d844b4457aa31c81720b94f5b016ec9efcd30301e974b5a78d7228c635dcf8f157170d351db1b1872796d76e

Filesize: 1.1MB
MD5: ef8a3dcfbbf6b4f06aa4c803972984cf
SHA1: 2aab3a14690221c22b140d4b3a5eecd58f0ea241
SHA256: f9df512e6c218103b754fb64e4eb5fe1cd69062e6b9cde52d962b20d3c6e6d77
SHA512: d886dc8393d96108b3d16f4c30595eb427c73b1dcdce074fb4329750fe551c461b01f1358104dc5a0663188ffc57a771391400342abf8aa05c4ee4eba39919fb

Filesize: 1KB
MD5: 134fb1231475c0de461349207dd3eecc
SHA1: 40488c0841686bd819d9ea5dadfb689c37410c52
SHA256: 6a3f19dd53a6105357ae5d54deeabfa5475ae2c2b0b2f6572600443d840601f5
SHA512: bc8490fa50cdf30ea99ab7d7a8b52c92242042666c2d4c33a7295f3fd4a5bd0d2cccd80abed360e796ec763ce0354f45eac55298242b96cf42b40aa94e7f6e79

Filesize: 293KB
MD5: e19d102baf266f34592f7c742fbfa886
SHA1: c9c9c45b7e97bb7a180064d0a1962429f015686d
SHA256: f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1
SHA512: 1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Filesize: 36KB
MD5: 86bd981f55341273753ac42ea200a81e
SHA1: 14fe410efc9aeb0a905b984ac27719ff0dd10ea7
SHA256: 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3
SHA512: 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143