Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
18-04-2024 11:49
General
-
Target
f7edf14bfa55dd4235c32177c4cba776_JaffaCakes118.dll
-
Size
868KB
-
MD5
f7edf14bfa55dd4235c32177c4cba776
-
SHA1
ba1bbfca1c2e05f1ae2c3390e97acbde99e28f2a
-
SHA256
2044e2521531c1a0b7f8f2d22ac397bd632c2985e2c1e1d479bb2dcc35f9b094
-
SHA512
9bb89ce389c05868b8b067fa2bff1303a474a79a15b33d77ac0ffb155ae10ba3cc9fabf0c6dcca8d830fde9760e030b9631587226876fe42a7bafa61646dc435
-
SSDEEP
12288:LkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:LkbHkWfzZ5adwLNGeStHntqN7v
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Dridex payload 10 IoCs
Detects Dridex x64 core DLL in memory.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f7edf14bfa55dd4235c32177c4cba776_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\fveprompt.exeC:\Windows\system32\fveprompt.exe1⤵
-
C:\Users\Admin\AppData\Local\AotkZzv\fveprompt.exeC:\Users\Admin\AppData\Local\AotkZzv\fveprompt.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\fvenotify.exeC:\Windows\system32\fvenotify.exe1⤵
-
C:\Users\Admin\AppData\Local\2cGqi\fvenotify.exeC:\Users\Admin\AppData\Local\2cGqi\fvenotify.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\SystemPropertiesComputerName.exeC:\Windows\system32\SystemPropertiesComputerName.exe1⤵
-
C:\Users\Admin\AppData\Local\UMTMAoRl8\SystemPropertiesComputerName.exeC:\Users\Admin\AppData\Local\UMTMAoRl8\SystemPropertiesComputerName.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\2cGqi\slc.dllFilesize
872KB
MD5fa85356b2ffe7e62d32de18fa9447207
SHA13224f74d70f5f4167ee20ca08d4eed2a3484f1df
SHA25600e4e4eb34f07b308bffcb3ec4962280a838a73c9586ce33856766fce4382bbb
SHA512971bf963af1909599ffa1a0b922b31087576635998215539ba76395e381782da3bc7ada8643bc66f7198c1c1e470a0cb4547acb8b5a6ce969f2ee7769be09169
-
C:\Users\Admin\AppData\Local\AotkZzv\fveprompt.exeFilesize
104KB
MD5dc2c44a23b2cd52bd53accf389ae14b2
SHA1e36c7b6f328aa2ab2f52478169c52c1916f04b5f
SHA2567f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921
SHA512ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc
-
C:\Users\Admin\AppData\Local\UMTMAoRl8\SYSDM.CPLFilesize
872KB
MD5ce3323d436785820248d93832b9c03e2
SHA15017c204d6f4f0749b486e9f760e1bf5077c4b53
SHA256314b298795585159194395472767625013ea12b835bf5bccd7f0a3cf257f7366
SHA5128eb4fd9ca9b7a1300aca9e64c14d0e6850077dcbe94127c7774d239505b84a2dfcfbdd0a178e20cc993001260fdac57f6111461c851a88ef70486a13f0318302
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnkFilesize
1KB
MD58fbb1cf6865beec61c19fb810a489ec1
SHA148465a253f73cd9451f842f54fb14db8545f7828
SHA25659ab3101d0cca300b9dfd87fee71e996d56c33ab22c369d2d4563e76f93c406d
SHA5122ddb1563c8dd7bf1f3be9e06ab871abc8cf7b17ebea089bc8c548a82fe6e0743184de4e0e8885dd1bf521ef40035a6610f4cf6c134e17a851ad40ede4935312c
-
\Users\Admin\AppData\Local\2cGqi\fvenotify.exeFilesize
117KB
MD5e61d644998e07c02f0999388808ac109
SHA1183130ad81ff4c7997582a484e759bf7769592d6
SHA25615a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
SHA512310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272
-
\Users\Admin\AppData\Local\AotkZzv\slc.dllFilesize
872KB
MD5cf11704d882c45f94aff658c307e5b3e
SHA1bb4d3c5939dd391d3842312920b754b89b4833fb
SHA25692785c7032710ec8e27f8554e56a44a9e3b5dbae3595a5aecf9657e75c4e89b4
SHA512839214948bde3c41fce4c465dad89ba7ef33ab157dfa3e632eec96c43038a1f50d904c0f4f02cf14f22271775b0552f5de066386bf2e7bf8831c9260067bdae0
-
\Users\Admin\AppData\Local\UMTMAoRl8\SystemPropertiesComputerName.exeFilesize
80KB
MD5bd889683916aa93e84e1a75802918acf
SHA15ee66571359178613a4256a7470c2c3e6dd93cfa
SHA2560e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
SHA5129d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026
-
memory/1372-9-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-42-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-22-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-20-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-18-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-17-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-31-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-33-0x0000000077890000-0x0000000077892000-memory.dmpFilesize
8KB
-
memory/1372-32-0x0000000077860000-0x0000000077862000-memory.dmpFilesize
8KB
-
memory/1372-16-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-15-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-14-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-13-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-12-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-11-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-3-0x00000000775F6000-0x00000000775F7000-memory.dmpFilesize
4KB
-
memory/1372-8-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-7-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-6-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-23-0x0000000002960000-0x0000000002967000-memory.dmpFilesize
28KB
-
memory/1372-43-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-4-0x0000000002980000-0x0000000002981000-memory.dmpFilesize
4KB
-
memory/1372-24-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-21-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-86-0x00000000775F6000-0x00000000775F7000-memory.dmpFilesize
4KB
-
memory/1372-10-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/1372-19-0x0000000140000000-0x00000001400D9000-memory.dmpFilesize
868KB
-
memory/2380-51-0x000007FEF6DE0000-0x000007FEF6EB9000-memory.dmpFilesize
868KB
-
memory/2380-0-0x000007FEF6DE0000-0x000007FEF6EB9000-memory.dmpFilesize
868KB
-
memory/2380-1-0x0000000000320000-0x0000000000327000-memory.dmpFilesize
28KB
-
memory/2400-78-0x0000000000100000-0x0000000000107000-memory.dmpFilesize
28KB
-
memory/2400-81-0x000007FEF7B30000-0x000007FEF7C0A000-memory.dmpFilesize
872KB
-
memory/2412-94-0x0000000000180000-0x0000000000187000-memory.dmpFilesize
28KB
-
memory/2412-99-0x000007FEF7B30000-0x000007FEF7C0A000-memory.dmpFilesize
872KB
-
memory/2616-64-0x000007FEF7B30000-0x000007FEF7C0A000-memory.dmpFilesize
872KB
-
memory/2616-61-0x0000000000290000-0x0000000000297000-memory.dmpFilesize
28KB
-
memory/2616-59-0x000007FEF7B30000-0x000007FEF7C0A000-memory.dmpFilesize
872KB