Analysis
-
max time kernel
149s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
20-05-2024 22:29
General
-
Target
6122acd9d27d5bbb20b560bf1e1970b8_JaffaCakes118.dll
-
Size
1.3MB
-
MD5
6122acd9d27d5bbb20b560bf1e1970b8
-
SHA1
db4a42934bfa843a492d63f3bb0b3d5fb4862830
-
SHA256
1450515f58f4eb0b64380065b9b90072caec6d100c51dbf049b5c1a3ee44aa5c
-
SHA512
44016421b721b59d35f87b7719610e145825b1606acad2b166ab0893190a06646d7291ccaa117e6d6f1c3e4b61b474f1efa4cc9f98e7220fc3b097e6603b240b
-
SSDEEP
24576:xVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:xV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\6122acd9d27d5bbb20b560bf1e1970b8_JaffaCakes118.dll1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\recdisc.exeC:\Windows\system32\recdisc.exe1⤵
-
C:\Users\Admin\AppData\Local\I8vk8yxQB\recdisc.exeC:\Users\Admin\AppData\Local\I8vk8yxQB\recdisc.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\EhStorAuthn.exeC:\Windows\system32\EhStorAuthn.exe1⤵
-
C:\Users\Admin\AppData\Local\8Jy\EhStorAuthn.exeC:\Users\Admin\AppData\Local\8Jy\EhStorAuthn.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\CustomShellHost.exeC:\Windows\system32\CustomShellHost.exe1⤵
-
C:\Users\Admin\AppData\Local\XN6L8PXeW\CustomShellHost.exeC:\Users\Admin\AppData\Local\XN6L8PXeW\CustomShellHost.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\8Jy\EhStorAuthn.exeFilesize
128KB
MD5d45618e58303edb4268a6cca5ec99ecc
SHA11f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513
SHA256d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c
SHA5125d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd
-
C:\Users\Admin\AppData\Local\8Jy\UxTheme.dllFilesize
1.3MB
MD555470843608b0abb5c21f43227db3dc3
SHA1303f7e7524522c708149aa60693c9e91986e6530
SHA25691d9a13a2980bedf7039d2ea6536cedffd246e2b6f51929687d84c561d8d42a4
SHA512559bb3a05b0f35f3de5eb00e1b90fa55cc145b6675058ff89a4c735eb1156c82d59df4ffe1b0d3c97d4ce9b63c86172dc8ed41cb51efb93d42310dd8c1cc467f
-
C:\Users\Admin\AppData\Local\I8vk8yxQB\ReAgent.dllFilesize
1.3MB
MD5e4f84ac3a7ed9cc74a45e50e0bd9f6c8
SHA12c39f86624f927e6c866e011cce4fe50b6a543d9
SHA256e95d445af2a65c4ccb09de8d5cc9a29385efbce599b8c7be14ea4b6fec832abd
SHA5125834bdc169b68b6b2d872d97b429f186fb78216677f5cdaa62328b8d5842edabcd586f332fe96bb2477e21a9d0e683e3c806eea15ab0e2357079a86e679a14f4
-
C:\Users\Admin\AppData\Local\I8vk8yxQB\recdisc.exeFilesize
193KB
MD518afee6824c84bf5115bada75ff0a3e7
SHA1d10f287a7176f57b3b2b315a5310d25b449795aa
SHA2560787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e
SHA512517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845
-
C:\Users\Admin\AppData\Local\XN6L8PXeW\CustomShellHost.exeFilesize
835KB
MD570400e78b71bc8efdd063570428ae531
SHA1cd86ecd008914fdd0389ac2dc00fe92d87746096
SHA25691333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289
SHA51253005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e
-
C:\Users\Admin\AppData\Local\XN6L8PXeW\WTSAPI32.dllFilesize
1.3MB
MD5f1ddaf977e81f4539d153c69982ef7c7
SHA1bc942df25da9797a432eef9efb06dcdf0034ddfb
SHA25692d5552d9c87a9107832dc6dfb3d653a203eb8422609a3b02c382c18b771417a
SHA51236bcd0f1cf03646b82a34b776ada0f66d8e0a809021e76507fd964e85fae2edc671d151c6638b81bdc216e6807db075029a58439cdc4a725e29a99b8da8d9be3
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnkFilesize
1KB
MD540680a826f9149eb624addb93be4b2ee
SHA1815d359a8314a7e45d64506d58242695f8f37a1e
SHA25691a659b0cb45dba0937bf76488dfa5093fec29ab864ecb91cb27f7b792d9534c
SHA51229c9b67d1bdbcac4882141b5779e35f0f169f8714c2959865cf03269508facd02288aca98358f820c7345f113a985e34ef92b528d9ed0c468116c30d76138380
-
memory/2092-52-0x0000000140000000-0x000000014014A000-memory.dmpFilesize
1.3MB
-
memory/2092-47-0x0000000140000000-0x000000014014A000-memory.dmpFilesize
1.3MB
-
memory/2092-46-0x000001980DCA0000-0x000001980DCA7000-memory.dmpFilesize
28KB
-
memory/2836-86-0x0000000140000000-0x000000014014A000-memory.dmpFilesize
1.3MB
-
memory/2836-80-0x0000018054350000-0x0000018054357000-memory.dmpFilesize
28KB
-
memory/3480-37-0x00000000009B0000-0x00000000009B7000-memory.dmpFilesize
28KB
-
memory/3480-12-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/3480-8-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/3480-16-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/3480-13-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/3480-7-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/3480-9-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/3480-10-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/3480-11-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/3480-4-0x00000000026D0000-0x00000000026D1000-memory.dmpFilesize
4KB
-
memory/3480-25-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/3480-6-0x00007FFF1598A000-0x00007FFF1598B000-memory.dmpFilesize
4KB
-
memory/3480-38-0x00007FFF16C30000-0x00007FFF16C40000-memory.dmpFilesize
64KB
-
memory/3480-34-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/3480-14-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/3480-15-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/4560-69-0x0000000140000000-0x000000014014A000-memory.dmpFilesize
1.3MB
-
memory/4560-66-0x0000024757EA0000-0x0000024757EA7000-memory.dmpFilesize
28KB
-
memory/4896-39-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/4896-1-0x0000000140000000-0x0000000140149000-memory.dmpFilesize
1.3MB
-
memory/4896-3-0x0000000003090000-0x0000000003097000-memory.dmpFilesize
28KB