Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
28-05-2024 23:06
General
-
Target
7eb312244e301cf06794e58fd76cff5d_JaffaCakes118.dll
-
Size
1.2MB
-
MD5
7eb312244e301cf06794e58fd76cff5d
-
SHA1
dfb37e7411e4107e0d1c4ba13fbbe6cb27dcc561
-
SHA256
b21c5cb90775bfcf8ef1ebbff547885dddc00f3733522dbd91198d4761b2420b
-
SHA512
ed7f837642625040b1f9d675ca15928945e17fc459feae6c1535d1a1a09203565a290da6b2d97d4987a53bef474173ee6327f7ad798641405ef5b73aca44efbe
-
SSDEEP
24576:SVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:SV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7eb312244e301cf06794e58fd76cff5d_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exeC:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe1⤵
-
C:\Users\Admin\AppData\Local\ohOBMJ5PT\SystemPropertiesDataExecutionPrevention.exeC:\Users\Admin\AppData\Local\ohOBMJ5PT\SystemPropertiesDataExecutionPrevention.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\shrpubw.exeC:\Windows\system32\shrpubw.exe1⤵
-
C:\Users\Admin\AppData\Local\47dHX\shrpubw.exeC:\Users\Admin\AppData\Local\47dHX\shrpubw.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe1⤵
-
C:\Users\Admin\AppData\Local\6lZKO3C\wermgr.exeC:\Users\Admin\AppData\Local\6lZKO3C\wermgr.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\SoundRecorder.exeC:\Windows\system32\SoundRecorder.exe1⤵
-
C:\Users\Admin\AppData\Local\yGywTZ\SoundRecorder.exeC:\Users\Admin\AppData\Local\yGywTZ\SoundRecorder.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\47dHX\srvcli.dllFilesize
1.2MB
MD55f1dc1c66af48746587efc722c1bc836
SHA1c87c6f46ae42d59557e02e66f424e9b18088d6e5
SHA25636bdd349d71e0a586f7686f44ba0003179ea37ed2aa1f7412416b297d48640af
SHA512435930204e197085d308a080c611100e25b7be9abc7373661fc44c108ccaf39aad8b6caf8bdf726c0fd12f54a95210681e1be3a65fbdc6f81ed3b11d0f75e3e6
-
C:\Users\Admin\AppData\Local\ohOBMJ5PT\SYSDM.CPLFilesize
1.2MB
MD5db51310c925b3d73fd7a9abceb5e3c8d
SHA1619d8b73cc49ba598c3f6628c06d6b9009379ca2
SHA256b2c117dc5b4d941eb1905c43b05c8bc0e75ca34a963045fd2cce3460540ada29
SHA512fdde295dd195e19eda96294645f94035c7059f46927e98e11ffd80ad77198dbaf0061564329dec078482509f600766722a1064f7ff00f49023a39a5118f70589
-
C:\Users\Admin\AppData\Local\yGywTZ\UxTheme.dllFilesize
1.2MB
MD5b98557db6a6483915368622b8d5f59ef
SHA119609886d714a81ea00e1977c8bf53d73292e7c2
SHA256d7e075f1a92d62b88d7bfe8ec1a7e63d997407d1a118eb52f092161bc1600d7c
SHA5120e74fe43514ed5c016b30442f46e7ffd83ab5438f374bad7f02906acf34e6820463d5ffec46b9d44d22734f51d71c1dbc788516ac4fd2666ba556f26be7ee2a2
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnkFilesize
1KB
MD59d56667ef4e0483d2103faec0bb15f1a
SHA13be86ff94860fbdc08d36f3dc68b7ecc55e7ee41
SHA25640301c1c9aeae097da108b34608822dc16c963047e3ad8f209e928067c8f75ab
SHA512831b0db56eaabab94ff0cbefffb7da2a4d4e142bd1a556954a2c93c04453164282c8a4c30c6e7c294931ac9c2437a4ddc01578fa52e4ab55a9aec91b1fd2c271
-
\Users\Admin\AppData\Local\47dHX\shrpubw.exeFilesize
398KB
MD529e6d0016611c8f948db5ea71372f76c
SHA101d007a01020370709cd6580717f9ace049647e8
SHA25653c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930
SHA512300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4
-
\Users\Admin\AppData\Local\6lZKO3C\wermgr.exeFilesize
49KB
MD541df7355a5a907e2c1d7804ec028965d
SHA1453263d230c6317eb4a2eb3aceeec1bbcf5e153d
SHA256207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861
SHA51259c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf
-
\Users\Admin\AppData\Local\ohOBMJ5PT\SystemPropertiesDataExecutionPrevention.exeFilesize
80KB
MD5e43ff7785fac643093b3b16a9300e133
SHA1a30688e84c0b0a22669148fe87680b34fcca2fba
SHA256c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b
SHA51261260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a
-
\Users\Admin\AppData\Local\yGywTZ\SoundRecorder.exeFilesize
139KB
MD547f0f526ad4982806c54b845b3289de1
SHA18420ea488a2e187fe1b7fcfb53040d10d5497236
SHA256e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b
SHA5124c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d
-
memory/276-106-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/276-103-0x0000000000190000-0x0000000000197000-memory.dmpFilesize
28KB
-
memory/1188-14-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-72-0x00000000774D6000-0x00000000774D7000-memory.dmpFilesize
4KB
-
memory/1188-25-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-27-0x00000000775E1000-0x00000000775E2000-memory.dmpFilesize
4KB
-
memory/1188-26-0x0000000002EC0000-0x0000000002EC7000-memory.dmpFilesize
28KB
-
memory/1188-16-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-15-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-10-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-37-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-38-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-4-0x00000000774D6000-0x00000000774D7000-memory.dmpFilesize
4KB
-
memory/1188-8-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-5-0x0000000002EE0000-0x0000000002EE1000-memory.dmpFilesize
4KB
-
memory/1188-7-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-9-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-11-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-13-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-12-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1188-28-0x0000000077770000-0x0000000077772000-memory.dmpFilesize
8KB
-
memory/1904-0-0x00000000001A0000-0x00000000001A7000-memory.dmpFilesize
28KB
-
memory/1904-46-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1904-1-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/2384-55-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/2384-60-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/2384-54-0x0000000000110000-0x0000000000117000-memory.dmpFilesize
28KB
-
memory/2432-73-0x00000000001B0000-0x00000000001B7000-memory.dmpFilesize
28KB
-
memory/2432-79-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB