Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-04-2024 07:42
General
-
Target
0726868759757a903ffefe0a9d5d8ba6_JaffaCakes118.dll
-
Size
989KB
-
MD5
0726868759757a903ffefe0a9d5d8ba6
-
SHA1
7078742587ded855bac56f879f5bbceff45de95f
-
SHA256
d04f133d20d4a095b1824e6f24d6b9e4766119ccfde358d403cce3cf8bf01560
-
SHA512
b560f8853dc1bf96a5593f32b8960941ea6474f045c661b6c27470764a7cf16c9381985297a0118dc7bfb6530fc0526fdb1c679881e0a497c5bcca57a2f66762
-
SSDEEP
24576:/VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:/V8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0726868759757a903ffefe0a9d5d8ba6_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\MoUsoCoreWorker.exeC:\Windows\system32\MoUsoCoreWorker.exe1⤵
-
C:\Users\Admin\AppData\Local\bepHPR\MoUsoCoreWorker.exeC:\Users\Admin\AppData\Local\bepHPR\MoUsoCoreWorker.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\shrpubw.exeC:\Windows\system32\shrpubw.exe1⤵
-
C:\Users\Admin\AppData\Local\bQPf6AjbD\shrpubw.exeC:\Users\Admin\AppData\Local\bQPf6AjbD\shrpubw.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\iexpress.exeC:\Windows\system32\iexpress.exe1⤵
-
C:\Users\Admin\AppData\Local\60Goh9\iexpress.exeC:\Users\Admin\AppData\Local\60Goh9\iexpress.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\60Goh9\VERSION.dllFilesize
990KB
MD5b02d0d180a109a4cbe1099d88570c9c4
SHA1cc840d2858e9cf2b396a2746af80aebf5431c00a
SHA25622865b9e13f8bf07ae1075e9f205e3ed223e7ec8a049eddad19ac49202878618
SHA5125f10ef74c910c55817f82add3ffd4ad836a744470fbc35139416ec615d8eefa927dd9c6467086d77946ebf435e5f2a61a61132fa5654e7954f9e8cebbd9fd3b3
-
C:\Users\Admin\AppData\Local\60Goh9\iexpress.exeFilesize
166KB
MD517b93a43e25d821d01af40ba6babcc8c
SHA197c978d78056d995f751dfef1388d7cce4cc404a
SHA256d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3
SHA5126b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391
-
C:\Users\Admin\AppData\Local\bQPf6AjbD\MFC42u.dllFilesize
1017KB
MD53e386577268406c251e5b60850d415fc
SHA151f4f1a912ad30f1bdc9853616b20b861ee12851
SHA2560c2b79cabe7d2b99af6b53d5f3ddb129b15e4e17d3a990b1a69bf1dd788e6147
SHA512e7cf6212302864bc381683c04fd806d07655b2c4479720c428dd15e1ccdd0c85b1aa6215d0c1ee770f5fc933823b3486c97be66ae785832ea7df3cdc1f1e7c9d
-
C:\Users\Admin\AppData\Local\bQPf6AjbD\shrpubw.exeFilesize
59KB
MD59910d5c62428ec5f92b04abf9428eec9
SHA105f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b
SHA2566b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e
SHA51201be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb
-
C:\Users\Admin\AppData\Local\bepHPR\MoUsoCoreWorker.exeFilesize
1.6MB
MD547c6b45ff22b73caf40bb29392386ce3
SHA17e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9
SHA256cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0
SHA512c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331
-
C:\Users\Admin\AppData\Local\bepHPR\XmlLite.dllFilesize
990KB
MD50fbdbf372f2c321e7bbe44b182f66735
SHA115f23eb6cf9c7fedf4837ff0c2ee87e0d992b326
SHA2561bc5a8814cbd2002f9e441ab24f5c7897357d349135cac9849409d528b8ceb04
SHA512abfee992db125c37ec12f2a680088cfb9f20a36927d4fb7f9fc1b8b9b9f840a3a22ededc15ac869d160e2cb94532e2be6984a2edde3c1defb9e11c2fed5a3c49
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnkFilesize
1KB
MD51bf50676c68ec152d130aab48efbd5c8
SHA14e42d372d40f94193128f6036426d7b5e8610904
SHA25608b9af7083cdcbd6a4a59f7f1f52cc72691079bcabe50b7436aeba3a2a7c4b9a
SHA512c87fb2bcdb7f170a77dd825e71feb02ff964f49ef870ebc76935d8c9c41295ca8ddc2553d0c89027b9a231c1eef6822b8fe82489d1fa06d86ac420ac6e38901f
-
memory/532-0-0x00000255354B0000-0x00000255354B7000-memory.dmpFilesize
28KB
-
memory/532-1-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/532-38-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/1676-51-0x0000000140000000-0x00000001400FE000-memory.dmpFilesize
1016KB
-
memory/1676-46-0x0000000140000000-0x00000001400FE000-memory.dmpFilesize
1016KB
-
memory/1676-45-0x0000011BC5ED0000-0x0000011BC5ED7000-memory.dmpFilesize
28KB
-
memory/2500-68-0x0000000140000000-0x0000000140104000-memory.dmpFilesize
1.0MB
-
memory/2500-63-0x0000000140000000-0x0000000140104000-memory.dmpFilesize
1.0MB
-
memory/2500-62-0x000001B179180000-0x000001B179187000-memory.dmpFilesize
28KB
-
memory/3156-82-0x000002E06C030000-0x000002E06C037000-memory.dmpFilesize
28KB
-
memory/3156-85-0x0000000140000000-0x00000001400FE000-memory.dmpFilesize
1016KB
-
memory/3384-23-0x00007FFD95D5A000-0x00007FFD95D5B000-memory.dmpFilesize
4KB
-
memory/3384-6-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3384-7-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3384-8-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3384-9-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3384-10-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3384-12-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3384-35-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3384-14-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3384-24-0x00000000008D0000-0x00000000008D7000-memory.dmpFilesize
28KB
-
memory/3384-30-0x00007FFD97270000-0x00007FFD97280000-memory.dmpFilesize
64KB
-
memory/3384-25-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3384-13-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3384-11-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3384-4-0x00000000026A0000-0x00000000026A1000-memory.dmpFilesize
4KB