Analysis
-
max time kernel
153s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-05-2024 22:54
General
-
Target
3173e2551fd79567f5818bb1f1d98c79_JaffaCakes118.dll
-
Size
991KB
-
MD5
3173e2551fd79567f5818bb1f1d98c79
-
SHA1
2db6358760c912f1c724445878b12a6873ad30e0
-
SHA256
3f812c9450e03e319c53151a7d187d9e5627779c631dcce038b480bad6bcf144
-
SHA512
701c4c5e2be7e92a0c50d0c5eb7393164b4295fcfe4a32947302ed70b54f5ec714d5b8ca64752783d768b7797b87ec1604a96bbfa1ed536d9e0a5f8b5cb8bc1a
-
SSDEEP
24576:SVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:SV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\3173e2551fd79567f5818bb1f1d98c79_JaffaCakes118.dll1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\sdclt.exeC:\Windows\system32\sdclt.exe1⤵
-
C:\Users\Admin\AppData\Local\epoK0\sdclt.exeC:\Users\Admin\AppData\Local\epoK0\sdclt.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\PresentationSettings.exeC:\Windows\system32\PresentationSettings.exe1⤵
-
C:\Users\Admin\AppData\Local\xrsFx\PresentationSettings.exeC:\Users\Admin\AppData\Local\xrsFx\PresentationSettings.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\Dxpserver.exeC:\Windows\system32\Dxpserver.exe1⤵
-
C:\Users\Admin\AppData\Local\mEzmdYc0\Dxpserver.exeC:\Users\Admin\AppData\Local\mEzmdYc0\Dxpserver.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\epoK0\ReAgent.dllFilesize
993KB
MD58eaddae8bf5635f9e54d8a52ae32704f
SHA1446f817c69ef58e194fc852f05d2481506cafb2a
SHA256b449b3ecc5eece41690b9845d7e5c8ef9cf7e27cce8d01d14dfaec9fb713f802
SHA512835815f2b7efb1efd273d169741514767d0ec4f942b827a0ed5894b61e2c71cd5ae1cd2fa218ce078f0b846a8da2542bb320d463465a8070db0988933b1735f0
-
C:\Users\Admin\AppData\Local\epoK0\sdclt.exeFilesize
1.2MB
MD5e09d48f225e7abcab14ebd3b8a9668ec
SHA11c5b9322b51c09a407d182df481609f7cb8c425d
SHA256efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3
SHA512384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4
-
C:\Users\Admin\AppData\Local\mEzmdYc0\Dxpserver.exeFilesize
310KB
MD56344f1a7d50da5732c960e243c672165
SHA1b6d0236f79d4f988640a8445a5647aff5b5410f7
SHA256b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f
SHA51273f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65
-
C:\Users\Admin\AppData\Local\mEzmdYc0\dwmapi.dllFilesize
993KB
MD5865db75c463e69ed8d42b279127e1aae
SHA1dc3b3e8e6d7b79b696d828d01098d788a0a901e0
SHA2569227ae5dfcd0051f313bc68bb02932b55cff1c4906a559bb2a50f4b1a2b42a32
SHA5122791d0a67547e259ae3ac1c0b688458ca0ee8c9a93450a75e9e0d885bd43b473168045ef7d469dc7015d315ba41ecb16b42fc3433b066caf6daa33526bee00ad
-
C:\Users\Admin\AppData\Local\xrsFx\PresentationSettings.exeFilesize
219KB
MD5790799a168c41689849310f6c15f98fa
SHA1a5d213fc1c71a56de9441b2e35411d83770c01ec
SHA2566e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8
SHA5128153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866
-
C:\Users\Admin\AppData\Local\xrsFx\WINMM.dllFilesize
996KB
MD58c23a6047d924f708be2adb45ef6883d
SHA1b04c2878fec6ee6c1d9697d95e05e4dd33eb0d5a
SHA256b6ce7ef55c440f48d47a1550dc320a6bc3dcc22718fe7111f03976b3f664a373
SHA5129fbda2ebdab1ad1459cef6db2f7ea4ccad89a06e1f1d9dc82c05aae1ea2cc7a95d6a901e98dd32a9304cf4b58093fa61186539f3259d3123ca996b14fe9dd60d
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnkFilesize
1KB
MD5805d5e1f3d453dc8719816394ff800e5
SHA1457defadfa0a3615612b67638df85f94a2a28385
SHA2564c484dddd72f5118b1f9c53039adb5a5f8d2eea206ac4cbb199b6a9799483548
SHA51244aa83a8760715713fa19465138ba2f15a271f35cd1d9627f3dc4d01fc032f283344cb2ebc8355925941fa155d15794d553774fb81dfce04585b4758fe6dc257
-
memory/2960-51-0x0000000140000000-0x00000001400FE000-memory.dmpFilesize
1016KB
-
memory/2960-46-0x0000000140000000-0x00000001400FE000-memory.dmpFilesize
1016KB
-
memory/2960-45-0x00000177F2060000-0x00000177F2067000-memory.dmpFilesize
28KB
-
memory/3376-23-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3376-24-0x00007FFEB185A000-0x00007FFEB185B000-memory.dmpFilesize
4KB
-
memory/3376-12-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3376-10-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3376-7-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3376-6-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3376-36-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3376-4-0x0000000002720000-0x0000000002721000-memory.dmpFilesize
4KB
-
memory/3376-8-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3376-14-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3376-13-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3376-9-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3376-29-0x00007FFEB2B50000-0x00007FFEB2B60000-memory.dmpFilesize
64KB
-
memory/3376-25-0x0000000000D70000-0x0000000000D77000-memory.dmpFilesize
28KB
-
memory/3376-11-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3604-0-0x00000000011D0000-0x00000000011D7000-memory.dmpFilesize
28KB
-
memory/3604-38-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3604-1-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/4468-62-0x0000015C73B00000-0x0000015C73B07000-memory.dmpFilesize
28KB
-
memory/4468-63-0x0000000140000000-0x00000001400FF000-memory.dmpFilesize
1020KB
-
memory/4468-68-0x0000000140000000-0x00000001400FF000-memory.dmpFilesize
1020KB
-
memory/4764-84-0x0000000140000000-0x00000001400FE000-memory.dmpFilesize
1016KB