Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
20-04-2024 18:13
General
-
Target
fd57127a9d03362b266131627024567f_JaffaCakes118.dll
-
Size
1.7MB
-
MD5
fd57127a9d03362b266131627024567f
-
SHA1
8fd4756ed988115415e16ddd1813f1d6a7127efb
-
SHA256
745a55baf57dd1b7ce9c758087660f6d408b6cf9471df4c7e823f5f622097394
-
SHA512
7da2e4c387bb16ee026e20db9954b138090e501cf15247bb404b8b6cae781f0980cfcff817cbe0f8a059af05adf22d01cf0ad9557f7ccbbf0ada9b7a3af0447a
-
SSDEEP
12288:PVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:mfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\fd57127a9d03362b266131627024567f_JaffaCakes118.dll1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe1⤵
-
C:\Users\Admin\AppData\Local\r0s\printfilterpipelinesvc.exeC:\Users\Admin\AppData\Local\r0s\printfilterpipelinesvc.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\tcmsetup.exeC:\Windows\system32\tcmsetup.exe1⤵
-
C:\Users\Admin\AppData\Local\3KhcT8\tcmsetup.exeC:\Users\Admin\AppData\Local\3KhcT8\tcmsetup.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\CameraSettingsUIHost.exeC:\Windows\system32\CameraSettingsUIHost.exe1⤵
-
C:\Users\Admin\AppData\Local\we79YJWE\CameraSettingsUIHost.exeC:\Users\Admin\AppData\Local\we79YJWE\CameraSettingsUIHost.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\3KhcT8\TAPI32.dllFilesize
1.7MB
MD57710200faf3a4546b151c58a218c99e8
SHA14b999d80823e94d91686f56520c6af7c33392e63
SHA2560ede644051ca29c49f43c0167cb4ae747458ffd2b3a57f3fa92faa7948816460
SHA5125f374862bc1d91eea97acef7793937c8239f69c12048268a5bbbeb0ccb7ccc1b8ad543dd4cc857e03a26acf1c0507ce0d24c494f341a9f93f1dcd5712362104f
-
C:\Users\Admin\AppData\Local\3KhcT8\tcmsetup.exeFilesize
16KB
MD558f3b915b9ae7d63431772c2616b0945
SHA16346e837da3b0f551becb7cac6d160e3063696e9
SHA256e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39
SHA5127b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5
-
C:\Users\Admin\AppData\Local\r0s\XmlLite.dllFilesize
1.7MB
MD5dcc72e21fd06f404fd8190879a337f1f
SHA11696a95362bc81d5f5a0a3a467e6a32942d29286
SHA2564fc4e46cead4966a590070619d0651856276f63d263f713d1697881dfc6ec71a
SHA51275c3c30783aeffb1dc930acf74d25568dab5267a2b50bb138598171ba68b0867e8766117ba92e6496ddce4d9d239910fe6454555b93fae5a5a31a24417e27541
-
C:\Users\Admin\AppData\Local\r0s\printfilterpipelinesvc.exeFilesize
813KB
MD5331a40eabaa5870e316b401bd81c4861
SHA1ddff65771ca30142172c0d91d5bfff4eb1b12b73
SHA256105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88
SHA51229992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8
-
C:\Users\Admin\AppData\Local\we79YJWE\CameraSettingsUIHost.exeFilesize
31KB
MD59e98636523a653c7a648f37be229cf69
SHA1bd4da030e7cf4d55b7c644dfacd26b152e6a14c4
SHA2563bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717
SHA51241966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78
-
C:\Users\Admin\AppData\Local\we79YJWE\DUI70.dllFilesize
1.9MB
MD5091acbf4c1b2a82064a031927e95da9a
SHA1dc9a804a2b4ad533442ea178f274566459eeb587
SHA2560cfc11d34931fe528637ed0dcd7cc2f931816a58ab15909149e69d417061298d
SHA5128593fbb0af633b78b298db18db0a49d9e8b7de7cb75d34028af3aa813c12013f2a8a1c377068d10deb761d3a5a6802b1901fc9414ec299d9ed1e2432b93858e3
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Vqslomum.lnkFilesize
1KB
MD544f3e895a618c298b19f06edb9aea4c0
SHA108c23207fd33fb49be072a0d392cfe8c7671a5a6
SHA2566f4811e039efbca80306b269c8d80d84922ba90b553aa471dfc7ce4ce097313a
SHA5127e0fb8f0f86cf999574e529065076b34dcccf00206c247e4a66bbf20167d849565d073246989e25a3b7596f38040e00277cb331c853d9f7be41e269f6441a3a8
-
memory/1080-0-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/1080-7-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/1080-1-0x00000000005C0000-0x00000000005C7000-memory.dmpFilesize
28KB
-
memory/1504-95-0x0000000140000000-0x00000001401EF000-memory.dmpFilesize
1.9MB
-
memory/1504-98-0x000002A9485F0000-0x000002A9485F7000-memory.dmpFilesize
28KB
-
memory/1504-101-0x0000000140000000-0x00000001401EF000-memory.dmpFilesize
1.9MB
-
memory/2632-67-0x0000000140000000-0x00000001401AA000-memory.dmpFilesize
1.7MB
-
memory/2632-61-0x0000000140000000-0x00000001401AA000-memory.dmpFilesize
1.7MB
-
memory/2632-63-0x000001E86A430000-0x000001E86A437000-memory.dmpFilesize
28KB
-
memory/3512-15-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-19-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-21-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-22-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-23-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-24-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-26-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-25-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-28-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-29-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-30-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-32-0x0000000001390000-0x0000000001397000-memory.dmpFilesize
28KB
-
memory/3512-27-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-38-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-39-0x00007FF8B9640000-0x00007FF8B9650000-memory.dmpFilesize
64KB
-
memory/3512-48-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-50-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-20-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-18-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-17-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-16-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-14-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmpFilesize
4KB
-
memory/3512-6-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-8-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-13-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-11-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-12-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3512-9-0x00007FF8B8FBA000-0x00007FF8B8FBB000-memory.dmpFilesize
4KB
-
memory/3512-10-0x0000000140000000-0x00000001401A9000-memory.dmpFilesize
1.7MB
-
memory/3800-80-0x00000201391C0000-0x00000201391C7000-memory.dmpFilesize
28KB
-
memory/3800-84-0x0000000140000000-0x00000001401AB000-memory.dmpFilesize
1.7MB
-
memory/3800-78-0x0000000140000000-0x00000001401AB000-memory.dmpFilesize
1.7MB