Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-10-2024 07:56
Behavioral task: behavioral1
- Sample: 6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll
- Resource: win7-20240903-en
General
- Target: 6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll
- Size: 136KB
- MD5: 6dcf8baea04fda87a96b3a137ea4dbfc
- SHA1: 19ed57597ebb7649e76076c1531f2d665b551435
- SHA256: 6ca1498b43435ae08ce08a4cffce0fcfe660bdd907a48eda0dc7a663f4c971a7
- SHA512: 33e252f7a262d1c7d6fb0d1792381a9295a0d81ff9191298989f1e01de9d7d3d560804131abd1d265618b46254d2fae18e7c8e8cc6f7efcc36880571beb2b2eb
- SSDEEP: 1536:AKQJDzynl8pck/VxhNRjJrBbQ2oTPycJFtNmQ/IOEnToIfwTToqMV29ic:jnl1kNxhN1J9c2oTzJHNfxoTBfwEVA
Malware Config
Extracted
- family: qakbot
- 402.363 tr 1632817399
- salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures

Windows security bypass 4 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Zfixbyjd = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Microsoft\Vuhqa = "0" (reg.exe)

Loads dropped DLL 2 IoCs
- pid 2560 regsvr32.exe
- pid 2560 regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)

Modifies data under HKEY_USERS 10 IoCs
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Elwrgvi\323b8064 = 326a23b34214164230fde3b1df2332837a635b1149731a6a7dd1b91c85cdacc816a50666d1f8deb6faafb4a62b06af51013bd0f6dd339cba417e4a6c942d21af63 (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Elwrgvi\5e57056 = 6642e97883b2429496d4831fa4882b832d8733652963dfcb (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Elwrgvi\c05158b9 = dceae717e72567d752ba10d708df398f209034bc (explorer.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Elwrgvi (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Elwrgvi\7a4502a = f7d787ffc2d94f02212df18ef6c7124e3473dd779303ed9061e2db6a5173f91dba33202e8f1957a2c8d0b9647601066f6dddc438ddac64c6499030c278a65a36ab0a3ec8563fec7a9a5eb878b0730ea8e24f832c530beeb10e32e20652d42c46358ede2f1274ac027f1272852b8e6aeb5458a9399bdb53fc1fe31cf8e50cb85aa34e7b48d248ab0f39f1291f111ae615286dbaa5af (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Elwrgvi\bd591733 = bd6261178d37b8ea2692ff93002d07eefc16c947e31197060ce2f6bcaefae40c5198bc3bec4585ce71e4b448 (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Elwrgvi\78ed3fdc = 2e4f374d99aef62d1428f649f56ede1adc08837bcc (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Elwrgvi\bf18374f = 65a0105545a8cc7cd31f122ad712e1d05b82c2093eb5fd2f9da116d21ad55fbbc6cc4e9cd018462c9810d27d4ffcb738ae99499a5b960334c2fe4837 (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Elwrgvi\4d72ef92 = bf545c896678ef0aea54fc4a59a4da9a (explorer.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Elwrgvi\323b8064 = 326a34b342142329dfb2db38ebd5651ed9c84356b14eec8b7bdacdf6169b7f810227ec0f6bb233e6445ef5ae3db03f3628007ebb75d365bfcfb0021269b11820388a12563123c2a122b623bfc6bcea11fcbc1c717761 (explorer.exe)

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 1528 schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
- pid 3660 regsvr32.exe
- pid 3660 regsvr32.exe
- pid 2560 regsvr32.exe
- pid 2560 regsvr32.exe

Suspicious behavior: MapViewOfSection 2 IoCs
- pid 3660 regsvr32.exe
- pid 2560 regsvr32.exe

Suspicious use of WriteProcessMemory 23 IoCs
- PID 2248 wrote to memory of 3660: 2248 regsvr32.exe, procid_target 84
- PID 2248 wrote to memory of 3660: 2248 regsvr32.exe, procid_target 84
- PID 2248 wrote to memory of 3660: 2248 regsvr32.exe, procid_target 84
- PID 3660 wrote to memory of 2468: 3660 regsvr32.exe, procid_target 90
- PID 3660 wrote to memory of 2468: 3660 regsvr32.exe, procid_target 90
- PID 3660 wrote to memory of 2468: 3660 regsvr32.exe, procid_target 90
- PID 3660 wrote to memory of 2468: 3660 regsvr32.exe, procid_target 90
- PID 3660 wrote to memory of 2468: 3660 regsvr32.exe, procid_target 90
- PID 2468 wrote to memory of 1528: 2468 explorer.exe, procid_target 91
- PID 2468 wrote to memory of 1528: 2468 explorer.exe, procid_target 91
- PID 2468 wrote to memory of 1528: 2468 explorer.exe, procid_target 91
- PID 2496 wrote to memory of 2560: 2496 regsvr32.exe, procid_target 118
- PID 2496 wrote to memory of 2560: 2496 regsvr32.exe, procid_target 118
- PID 2496 wrote to memory of 2560: 2496 regsvr32.exe, procid_target 118
- PID 2560 wrote to memory of 2548: 2560 regsvr32.exe, procid_target 119
- PID 2560 wrote to memory of 2548: 2560 regsvr32.exe, procid_target 119
- PID 2560 wrote to memory of 2548: 2560 regsvr32.exe, procid_target 119
- PID 2560 wrote to memory of 2548: 2560 regsvr32.exe, procid_target 119
- PID 2560 wrote to memory of 2548: 2560 regsvr32.exe, procid_target 119
- PID 2548 wrote to memory of 3728: 2548 explorer.exe, procid_target 120
- PID 2548 wrote to memory of 3728: 2548 explorer.exe, procid_target 120
- PID 2548 wrote to memory of 2072: 2548 explorer.exe, procid_target 122
- PID 2548 wrote to memory of 2072: 2548 explorer.exe, procid_target 122
Processes

- C:\Windows\system32\regsvr32.exe (PID 2248)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 3660)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 2468)
      Command line: C:\Windows\SysWOW64\explorer.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 1528)
        Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn qjdkhbxxf /tr "regsvr32.exe -s \"C:\Users\Admin\AppData\Local\Temp\6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll\"" /SC ONCE /Z /ST 07:59 /ET 08:11
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

- C:\Windows\system32\regsvr32.exe (PID 2496)
  Command line: regsvr32.exe -s "C:\Users\Admin\AppData\Local\Temp\6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 2560)
    Command line: -s "C:\Users\Admin\AppData\Local\Temp\6dcf8baea04fda87a96b3a137ea4dbfc_JaffaCakes118.dll"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 2548)
      Command line: C:\Windows\SysWOW64\explorer.exe
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe (PID 3728)
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\ProgramData\Microsoft\Vuhqa" /d "0"
        - Windows security bypass
      - C:\Windows\system32\reg.exe (PID 2072)
        Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Zfixbyjd" /d "0"
        - Windows security bypass
MITRE ATT&CK Enterprise v15