Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 24-11-2024 10:08
Static task: static1
Behavioral task: behavioral1
Sample: 93fc422ef8eef071e16c5b12310f6b36_JaffaCakes118.dll
Resource: win7-20240903-en
General
Target: 93fc422ef8eef071e16c5b12310f6b36_JaffaCakes118.dll
Size: 1.1MB
MD5: 93fc422ef8eef071e16c5b12310f6b36
SHA1: f1761280479126762632211380de0969d9295315
SHA256: 9fe73d5332d83d76ee254a477355e48040194e781fd5c12b34f729a999e2554c
SHA512: c41316986dcc2359bff2eafb7f4d83403b792110a8257be28c706463957a785ac9c24aee033a02d10fc36b7a2327b655ecc751d3bc489aad4e73165390add566
SSDEEP: 12288:idMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:UMIJxSDX3bqjhcfHk7MzH6z
Malware Config
Signatures
Dridex family
resource yara_rule
behavioral1/memory/1248-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp dridex_stager_shellcode
behavioral1/memory/264-0-0x0000000140000000-0x000000014010D000-memory.dmp dridex_payload
behavioral1/memory/1248-41-0x0000000140000000-0x000000014010D000-memory.dmp dridex_payload
behavioral1/memory/1248-52-0x0000000140000000-0x000000014010D000-memory.dmp dridex_payload
behavioral1/memory/1248-55-0x0000000140000000-0x000000014010D000-memory.dmp dridex_payload
behavioral1/memory/264-61-0x0000000140000000-0x000000014010D000-memory.dmp dridex_payload
behavioral1/memory/2788-71-0x0000000140000000-0x000000014010E000-memory.dmp dridex_payload
behavioral1/memory/2788-73-0x0000000140000000-0x000000014010E000-memory.dmp dridex_payload
behavioral1/memory/1916-90-0x0000000140000000-0x000000014010E000-memory.dmp dridex_payload
behavioral1/memory/1720-106-0x0000000140000000-0x000000014010E000-memory.dmp dridex_payload
Executes dropped EXE 3 IoCs
pid Process
2788 SystemPropertiesRemote.exe
1916 tabcal.exe
1720 SystemPropertiesAdvanced.exe
Loads dropped DLL 7 IoCs
pid Process
1248 Process not Found
2788 SystemPropertiesRemote.exe
1248 Process not Found
1916 tabcal.exe
1248 Process not Found
1720 SystemPropertiesAdvanced.exe
1248 Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\WTWSZL~1\\tabcal.exe"
Process: Process not Found
Checks whether UAC is enabled
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SystemPropertiesRemote.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tabcal.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SystemPropertiesAdvanced.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
264 rundll32.exe
1248 Process not Found
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target
PID 1248 wrote to memory of 2688 1248 Process not Found 31
PID 1248 wrote to memory of 2788 1248 Process not Found 32
PID 1248 wrote to memory of 2204 1248 Process not Found 33
PID 1248 wrote to memory of 1916 1248 Process not Found 34
PID 1248 wrote to memory of 1680 1248 Process not Found 35
PID 1248 wrote to memory of 1720 1248 Process not Found 36
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\93fc422ef8eef071e16c5b12310f6b36_JaffaCakes118.dll,#1
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:264

C:\Windows\system32\SystemPropertiesRemote.exe
PID:2688

C:\Users\Admin\AppData\Local\kdM1q5\SystemPropertiesRemote.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2788

C:\Windows\system32\tabcal.exe
PID:2204

C:\Users\Admin\AppData\Local\4pijv\tabcal.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1916

C:\Windows\system32\SystemPropertiesAdvanced.exe
PID:1680

C:\Users\Admin\AppData\Local\7EzU\SystemPropertiesAdvanced.exe
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1720
Network
MITRE ATT&CK Enterprise v15
Downloads