Analysis
-
max time kernel
149s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17-06-2024 10:39
General
-
Target
b83015ca9abbfa3a59dc3d5413860a96_JaffaCakes118.dll
-
Size
1.2MB
-
MD5
b83015ca9abbfa3a59dc3d5413860a96
-
SHA1
7147271a5540b3e0f1913cbfb3dd0fbce8db4132
-
SHA256
8dee4a77440b12c813b45a5e9bb21e68ab7150ecd230d7315f900ad4d6841229
-
SHA512
01c425db232a914023bc949d4a7d2085a8dfb44dc22bc15863b1b793978f73f01e0ad2c5d4a69890b3001bc2b7102db1d6f6efdcfa6e245d9b6354deea48d57e
-
SSDEEP
24576:kyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:kyWRKTt/QlPVp3h9
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b83015ca9abbfa3a59dc3d5413860a96_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4172,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:81⤵
-
C:\Windows\system32\ddodiag.exeC:\Windows\system32\ddodiag.exe1⤵
-
C:\Users\Admin\AppData\Local\UCC9ZItPC\ddodiag.exeC:\Users\Admin\AppData\Local\UCC9ZItPC\ddodiag.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\MDMAppInstaller.exeC:\Windows\system32\MDMAppInstaller.exe1⤵
-
C:\Users\Admin\AppData\Local\4SP\MDMAppInstaller.exeC:\Users\Admin\AppData\Local\4SP\MDMAppInstaller.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\slui.exeC:\Windows\system32\slui.exe1⤵
-
C:\Users\Admin\AppData\Local\Ck81iEg4\slui.exeC:\Users\Admin\AppData\Local\Ck81iEg4\slui.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\4SP\MDMAppInstaller.exeFilesize
151KB
MD530e978cc6830b04f1e7ed285cccaa746
SHA1e915147c17e113c676c635e2102bbff90fb7aa52
SHA256dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766
SHA512331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214
-
C:\Users\Admin\AppData\Local\4SP\WTSAPI32.dllFilesize
1.2MB
MD5024fbf37d0749902f293ab7bbafd3732
SHA14aed52ee1162950644e1e1112fc904e23656a5bd
SHA256d43ae57d0c4a8e7805e377edfa0d81f773ee16791d91b9f1acdd0fd913817124
SHA51219b6196447aaa9aa106182c010b262a902fa7e0ba45d5060057a4158f2d29ff9e2082eef151fadfdb505cc1a8942b330bdfb9072bbf496eba777d8ee438a0997
-
C:\Users\Admin\AppData\Local\Ck81iEg4\WINBRAND.dllFilesize
1.2MB
MD542f0faf373efc73fc707697f5a93120e
SHA170372f2363567459dd5330962adbc98065626753
SHA256df3d8ba91fe48de1333bb6d07699278e2885b9bc55a2a4c22ec1f53ced0c332b
SHA512c9d3e5ae2e14131e97260a0c02463fdb6fa4f6fc0bf7ed789aa8bd71518612cb8e3e6e431fb53f012d2c559b9e0350bbb3246d9961edc88452a6ec111dbdc682
-
C:\Users\Admin\AppData\Local\Ck81iEg4\slui.exeFilesize
534KB
MD5eb725ea35a13dc18eac46aa81e7f2841
SHA1c0b3304c970324952e18c4a51073e3bdec73440b
SHA25625e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff
SHA51239192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26
-
C:\Users\Admin\AppData\Local\UCC9ZItPC\XmlLite.dllFilesize
1.2MB
MD5ff38a251d3d5fc90c08ffe7fe11600a5
SHA1386e96230e48db5496a2dde226aea9cd858929db
SHA25600357e45c9b4ef41680a28c29a74e0f78ee929dd4e6ba7c5304e4717e832221b
SHA5127950780737c9bd559c9a358ed0b0fcb6fa381b6d6cd4e1a2322e88e6d909261b5f6d072555db08a1ce226c5455d5cd15bc4e78f91ac99764e505ffd4078b6c17
-
C:\Users\Admin\AppData\Local\UCC9ZItPC\ddodiag.exeFilesize
39KB
MD585feee634a6aee90f0108e26d3d9bc1f
SHA1a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2
SHA25699c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6
SHA512b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xpqmtuztdhk.lnkFilesize
1KB
MD59d00f9e03d94abcbedd77eb928a1d7df
SHA1f2898b7e5d6d79b67f33644726d381e775ec19da
SHA25671c4ac4075a43b2d541c6179e19244680cbbe4473a2c491078da1da8659a34ed
SHA5129025145fc8df01d5f7c3b7687dace94313440a7acf2a7b50ea27c05adf59ecffecacc888f5473a4e57b4501b053e3f5736d9b0bbcfff309532f40f174667c966
-
memory/2200-54-0x0000000140000000-0x0000000140132000-memory.dmpFilesize
1.2MB
-
memory/2200-47-0x0000000140000000-0x0000000140132000-memory.dmpFilesize
1.2MB
-
memory/2200-50-0x0000028811330000-0x0000028811337000-memory.dmpFilesize
28KB
-
memory/2200-46-0x0000000140000000-0x0000000140132000-memory.dmpFilesize
1.2MB
-
memory/3108-39-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3108-3-0x000001AF01230000-0x000001AF01237000-memory.dmpFilesize
28KB
-
memory/3108-0-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3464-38-0x00007FF8482D0000-0x00007FF8482E0000-memory.dmpFilesize
64KB
-
memory/3464-14-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3464-10-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3464-7-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3464-12-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3464-13-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3464-15-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3464-36-0x00007FF846F0A000-0x00007FF846F0B000-memory.dmpFilesize
4KB
-
memory/3464-37-0x0000000002EB0000-0x0000000002EB7000-memory.dmpFilesize
28KB
-
memory/3464-33-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3464-24-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3464-11-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3464-6-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3464-4-0x0000000003050000-0x0000000003051000-memory.dmpFilesize
4KB
-
memory/3464-8-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/3464-9-0x0000000140000000-0x0000000140131000-memory.dmpFilesize
1.2MB
-
memory/4360-85-0x0000023E35F70000-0x0000023E35F77000-memory.dmpFilesize
28KB
-
memory/4360-84-0x0000000140000000-0x0000000140132000-memory.dmpFilesize
1.2MB
-
memory/4360-92-0x0000000140000000-0x0000000140132000-memory.dmpFilesize
1.2MB
-
memory/4404-73-0x0000000140000000-0x0000000140132000-memory.dmpFilesize
1.2MB
-
memory/4404-69-0x000002204DFA0000-0x000002204DFA7000-memory.dmpFilesize
28KB
-
memory/4404-65-0x0000000140000000-0x0000000140132000-memory.dmpFilesize
1.2MB