Analysis
-
max time kernel
144s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 00:45
General
-
Target
2c82259047ff1a2055de236f59b1145d_JaffaCakes118.dll
-
Size
1.2MB
-
MD5
2c82259047ff1a2055de236f59b1145d
-
SHA1
c8aec22b2317578d0a4a349e1b3303b545cd1924
-
SHA256
2c5e903d22f52303dc85482ceca20ce539a634d9874b5050115eebb2822d4fc9
-
SHA512
614102a31e0a44df03395e77218fc79749adcbf4ce75033779d8f114bfad89d155202761c9109ef52c290d159a7e469103282c712660bf1691c3efd022ca5739
-
SSDEEP
24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2c82259047ff1a2055de236f59b1145d_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msinfo32.exeC:\Windows\system32\msinfo32.exe1⤵
-
C:\Users\Admin\AppData\Local\BnWkK\msinfo32.exeC:\Users\Admin\AppData\Local\BnWkK\msinfo32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\LockScreenContentServer.exeC:\Windows\system32\LockScreenContentServer.exe1⤵
-
C:\Users\Admin\AppData\Local\Nx0Jq\LockScreenContentServer.exeC:\Users\Admin\AppData\Local\Nx0Jq\LockScreenContentServer.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\EhStorAuthn.exeC:\Windows\system32\EhStorAuthn.exe1⤵
-
C:\Users\Admin\AppData\Local\szWYRx\EhStorAuthn.exeC:\Users\Admin\AppData\Local\szWYRx\EhStorAuthn.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\BnWkK\MFC42u.dllFilesize
1.3MB
MD510591371f9b173ce55fc6b8e75a0818b
SHA14acf478aeaec2af739c56f8e4225f9b17b125417
SHA25650b6d0eb8bb39c3ea55e42390c71a77e621b1edf91f81f8f224fb373c71b4914
SHA512ef0c29800e4eb87f10de8f9d894a8831629280043832b50c2f21bed1fa41ba64b504720f9380584554d5e52fbbb3563e0acdc05c279256dd189ab1232d3fdbe1
-
C:\Users\Admin\AppData\Local\BnWkK\msinfo32.exeFilesize
376KB
MD50aed91da63713bf9f881b03a604a1c9d
SHA1b1b2d292cb1a4c13dc243b5eab13afb316a28b9a
SHA2565cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14
SHA51204bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03
-
C:\Users\Admin\AppData\Local\Nx0Jq\DUI70.dllFilesize
1.5MB
MD52ddd3063ecce77e4d0d1abd3d1dfd5bd
SHA17059140e05fd10396ea7c14a22f688828130fc8a
SHA256540f9a582533703e56c8e005632b8210543b4f65afd0ae48b864edfc1ffdddaa
SHA512271a2b2f2f95dc9a8cbb8107ffd884e29d4c647dd8842d5f8edd93ef77de2f005bc96b4b8d621d155939c28abed94663096c63f2afd1c51514fddc2dd77f45ed
-
C:\Users\Admin\AppData\Local\Nx0Jq\LockScreenContentServer.exeFilesize
47KB
MD5a0b7513c98cf46ca2cea3a567fec137c
SHA12307fc8e3fc620ea3c2fdc6248ad4658479ba995
SHA256cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6
SHA5123928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15
-
C:\Users\Admin\AppData\Local\szWYRx\EhStorAuthn.exeFilesize
128KB
MD5d45618e58303edb4268a6cca5ec99ecc
SHA11f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513
SHA256d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c
SHA5125d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd
-
C:\Users\Admin\AppData\Local\szWYRx\UxTheme.dllFilesize
1.2MB
MD5ced0098582712260e93db900b073ecb4
SHA1ea336e56f3091329bcabe8d4bc24155a70b128c9
SHA256b9035f072ae83488114f676d6229fc6886587211d2469e261c6ab1be7b25e80c
SHA51217248acf133edb14cbf47f48a1a7dccd877e5b6cbe8bf7c13af259b874d6b5c49b088f13890aa9615e18f3d71fd8e4439d94ef1ea0a80b0b8dba455815d4b9ef
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yvephsk.lnkFilesize
1KB
MD502e931872cd5d6f761ce4389d29cf0ea
SHA140f7a0dc9700e263625ab257390dc803c84a32cd
SHA256ccf3721c41aa555db6634a4b7bca45acb9723395f402c5ca5efbd2bf816a31b4
SHA51248219a88ebd895356cf0fd777e2f46125896642aae15ba741ccb45e4275bdee5367482105ed368c54475673b4d308b20b973dc64440667ee99f1bdb5acf8f6a1
-
memory/564-52-0x0000000140000000-0x000000014014A000-memory.dmpFilesize
1.3MB
-
memory/564-46-0x0000000140000000-0x000000014014A000-memory.dmpFilesize
1.3MB
-
memory/564-49-0x000002ABEA450000-0x000002ABEA457000-memory.dmpFilesize
28KB
-
memory/1464-63-0x0000000140000000-0x0000000140189000-memory.dmpFilesize
1.5MB
-
memory/1464-66-0x0000020557F80000-0x0000020557F87000-memory.dmpFilesize
28KB
-
memory/1464-69-0x0000000140000000-0x0000000140189000-memory.dmpFilesize
1.5MB
-
memory/3444-34-0x0000000002BF0000-0x0000000002BF7000-memory.dmpFilesize
28KB
-
memory/3444-11-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3444-7-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3444-8-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3444-6-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3444-4-0x0000000003210000-0x0000000003211000-memory.dmpFilesize
4KB
-
memory/3444-10-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3444-12-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3444-13-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3444-15-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3444-33-0x00007FFCF5D7A000-0x00007FFCF5D7B000-memory.dmpFilesize
4KB
-
memory/3444-9-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3444-35-0x00007FFCF7690000-0x00007FFCF76A0000-memory.dmpFilesize
64KB
-
memory/3444-36-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3444-24-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3444-14-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3876-0-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3876-39-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3876-3-0x00000237F8B30000-0x00000237F8B37000-memory.dmpFilesize
28KB
-
memory/4968-83-0x0000020281AF0000-0x0000020281AF7000-memory.dmpFilesize
28KB
-
memory/4968-80-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/4968-86-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB