Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
19-04-2024 11:55
General
-
Target
fa3db9f8a47e7a349c2f63a26d256792_JaffaCakes118.dll
-
Size
1.4MB
-
MD5
fa3db9f8a47e7a349c2f63a26d256792
-
SHA1
f566a2771def56bd7d8227aa581eacc1252c2ef3
-
SHA256
c1e2fd72330519fbc4f7d2780814857073c4974cd69502931893a570d83d00fa
-
SHA512
a24d5ca21aa9a420d7f23f35da54ecef924aa374bc3459a18bb5af9cdcc1e31e2d9e648afdcb2d3dd91e007f4065598a113c55d01756c4fea4426093493b9efe
-
SSDEEP
12288:TVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:CfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\fa3db9f8a47e7a349c2f63a26d256792_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\unregmp2.exeC:\Windows\system32\unregmp2.exe1⤵
-
C:\Users\Admin\AppData\Local\Yb5Jvz\unregmp2.exeC:\Users\Admin\AppData\Local\Yb5Jvz\unregmp2.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\spinstall.exeC:\Windows\system32\spinstall.exe1⤵
-
C:\Users\Admin\AppData\Local\qFLjUGVN\spinstall.exeC:\Users\Admin\AppData\Local\qFLjUGVN\spinstall.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\BitLockerWizardElev.exeC:\Windows\system32\BitLockerWizardElev.exe1⤵
-
C:\Users\Admin\AppData\Local\zUa\BitLockerWizardElev.exeC:\Users\Admin\AppData\Local\zUa\BitLockerWizardElev.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Yb5Jvz\slc.dllFilesize
1.4MB
MD5be8466313000c9fd02b9f470854e8795
SHA1d6015a40ac71e7db92f5cac672ab7423d184d37e
SHA256f7a76021036d79843f31d17bc611f9c798443035aff25d683eb7eef55a594f12
SHA512cf4dee18ea762f25dec6ddadae444d876dbfcfe9e5aa6d984c90fd4adea415bc687b51b7d789266c12dd72622713d12d554bb5c476e2cd7a158d3f6c7c966a48
-
C:\Users\Admin\AppData\Local\qFLjUGVN\VERSION.dllFilesize
1.4MB
MD55f02fd23fd0501d43269709e2f6bc992
SHA15650511edce5f133577f2891e9eac1f255a8cfc0
SHA25615be5f64b8caa1977d54ad093ee64b3d4b5424e7079dae3382358c48762c9427
SHA51297bc4b7d3be0f5571c545887352af3c79730b298e4cfd306824ab5b2c7c5ba861c69a924e7886184cab6933c581fc6adaa5df64f8029422501ae1e0c48f86279
-
C:\Users\Admin\AppData\Local\qFLjUGVN\spinstall.exeFilesize
584KB
MD529c1d5b330b802efa1a8357373bc97fe
SHA190797aaa2c56fc2a667c74475996ea1841bc368f
SHA256048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA51266f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee
-
C:\Users\Admin\AppData\Local\zUa\FVEWIZ.dllFilesize
1.4MB
MD568137dbdc5dc3e88d032faf1cb06f089
SHA114635b7b1e9e4ec02cb44c0ba5fad351db6b046c
SHA2563cd3e4c4a3a45e9b1aae0fb477c38be545ee81832966b46f22ecc2d2f95a768e
SHA512566556d9d1317e5ae55d5fcc69ecab0814cb79f82c52c06fbcd5a3aff520af6881f21043320b8b4692a92f30dd7a3af87329dd3272a7b4c87f582428768af968
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnkFilesize
1KB
MD5c06713bf08483821c8ec0e1cd9661fdd
SHA180e3e58e16af8aa2137da2a089cd05f863c1417f
SHA256a0c107531ef892b941ce4cc4289bffc15255b33c4a791800bfa76accacaf2cb3
SHA5121676744e642ae7b98d24fc16e7977b20f164548ffc81b3bff1c3d5e100cbf02ad266e11a0004059028aa1731b79c1f558140852bd9525dc2acc2d0b111e0253d
-
\Users\Admin\AppData\Local\Yb5Jvz\unregmp2.exeFilesize
316KB
MD564b328d52dfc8cda123093e3f6e4c37c
SHA1f68f45b21b911906f3aa982e64504e662a92e5ab
SHA2567d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1
SHA512e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00
-
\Users\Admin\AppData\Local\zUa\BitLockerWizardElev.exeFilesize
98KB
MD573f13d791e36d3486743244f16875239
SHA1ed5ec55dbc6b3bda505f0a4c699c257c90c02020
SHA2562483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
SHA512911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af
-
memory/1204-9-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-37-0x0000000077C11000-0x0000000077C12000-memory.dmpFilesize
4KB
-
memory/1204-25-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-24-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-23-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-22-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-21-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-20-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-19-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-18-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-17-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-15-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-14-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-13-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-12-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-11-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-10-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-133-0x0000000077A06000-0x0000000077A07000-memory.dmpFilesize
4KB
-
memory/1204-4-0x0000000077A06000-0x0000000077A07000-memory.dmpFilesize
4KB
-
memory/1204-7-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-36-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-26-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-40-0x0000000077D70000-0x0000000077D72000-memory.dmpFilesize
8KB
-
memory/1204-47-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-53-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-27-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-31-0x0000000002E00000-0x0000000002E07000-memory.dmpFilesize
28KB
-
memory/1204-5-0x0000000002EA0000-0x0000000002EA1000-memory.dmpFilesize
4KB
-
memory/1204-16-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/1204-28-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/2020-8-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/2020-0-0x0000000000190000-0x0000000000197000-memory.dmpFilesize
28KB
-
memory/2020-1-0x0000000140000000-0x0000000140162000-memory.dmpFilesize
1.4MB
-
memory/2080-89-0x0000000140000000-0x0000000140163000-memory.dmpFilesize
1.4MB
-
memory/2080-86-0x0000000000380000-0x0000000000387000-memory.dmpFilesize
28KB
-
memory/2080-141-0x0000000000380000-0x0000000000387000-memory.dmpFilesize
28KB
-
memory/2568-70-0x0000000000100000-0x0000000000107000-memory.dmpFilesize
28KB
-
memory/2568-71-0x0000000140000000-0x0000000140163000-memory.dmpFilesize
1.4MB
-
memory/2568-65-0x0000000140000000-0x0000000140163000-memory.dmpFilesize
1.4MB
-
memory/2968-111-0x0000000140000000-0x0000000140163000-memory.dmpFilesize
1.4MB
-
memory/2968-108-0x0000000000110000-0x0000000000117000-memory.dmpFilesize
28KB
-
memory/2968-144-0x0000000000110000-0x0000000000117000-memory.dmpFilesize
28KB