Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
23-05-2024 08:13
General
-
Target
6a4e5486af546391e45412c333bbe6c8_JaffaCakes118.dll
-
Size
1.2MB
-
MD5
6a4e5486af546391e45412c333bbe6c8
-
SHA1
b93d409fc83ab378bba92cd0c6ca012cfd821f95
-
SHA256
80b2c8b6a99129cf3c8de8ab7b21f4cb2c6f0dc9569b58aa1416d7a9057a314f
-
SHA512
b8cdf8bc9b75c7cf3567106b5585ebda71503bbed0f664b7422214d76252158fde10508909e6511e2c35ecdd7e691c285219282402812a855e4bbf9432fae144
-
SSDEEP
24576:mVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8at:mV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6a4e5486af546391e45412c333bbe6c8_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\rdpshell.exeC:\Windows\system32\rdpshell.exe1⤵
-
C:\Users\Admin\AppData\Local\fu6ZE\rdpshell.exeC:\Users\Admin\AppData\Local\fu6ZE\rdpshell.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\sethc.exeC:\Windows\system32\sethc.exe1⤵
-
C:\Users\Admin\AppData\Local\rncYQG\sethc.exeC:\Users\Admin\AppData\Local\rncYQG\sethc.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\msinfo32.exeC:\Windows\system32\msinfo32.exe1⤵
-
C:\Users\Admin\AppData\Local\we3J\msinfo32.exeC:\Users\Admin\AppData\Local\we3J\msinfo32.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\fu6ZE\WTSAPI32.dllFilesize
1.2MB
MD53dc53dc35e4c8644f327958e9976bada
SHA15331af8167fcfd8c885384d022a476ed4639e14d
SHA256621235d3eb527fa6ee8058da8c34b559d886496e5cc423461a3c021db7c2cee9
SHA512d5a64cb4703eabd6c4cc095139f5168c49321ce09cc8bd6363444fb9d5fd19a24fc2cd40058bf0d5ffee642fccf5a37544fa2b23624d40278847d38c2f1036c9
-
C:\Users\Admin\AppData\Local\rncYQG\OLEACC.dllFilesize
1.2MB
MD59c88b9824b239044ec7bf21dbf6d4987
SHA193a90d70e7ecc02f2d47afb1cc671706d7476fd8
SHA25614c8d93facfbd8553276d2b0ec8da348825f451c06d1a72f8d79c8bea8aa4421
SHA5128260c35a00a220cd6cf81a838fe9f7616ddd4d5f0abd335544c866a6ced0f14e5e8b3c566d45682e6fd079947b6bddf49942d0580409cf8361b20059893e44ad
-
C:\Users\Admin\AppData\Local\we3J\MFC42u.dllFilesize
1.3MB
MD5f799468ca150e7571eecd9467e700949
SHA19c20f8f9bd8cef5d4a59044ac75c7088210da4ec
SHA25664d890ec451c45635032910c9ca5b355e90d6c9f15efe28c68ae19722c4f2408
SHA5129dddbed213b413b00410bfa7f8eb8b9842cde6ff16b0639bee9ceb5ec675a66d3856e172813baccecf3a847f7d2989250cc87e47becc54e5fc981368b87b6a0a
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnkFilesize
1KB
MD52a2d3317348b014ac69d6197ea87b8ec
SHA105ff1db444b0d529de6f5a117dcb6d572f4c6463
SHA256dba3ecea5762ffaade2b8606bdbb0d4779da48a028ea233edf9d243a1138816e
SHA512f986fadf6bd1c4681e80a36aa9c3652da00c4315e69c15dddb35089584a49a1e81a9c36148dcca357262de7d2b819f1ce08fb51b55678d45bddb72c509ebbe75
-
\Users\Admin\AppData\Local\fu6ZE\rdpshell.exeFilesize
292KB
MD5a62dfcea3a58ba8fcf32f831f018fe3f
SHA175f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b
SHA256f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e
SHA5129a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603
-
\Users\Admin\AppData\Local\rncYQG\sethc.exeFilesize
272KB
MD53bcb70da9b5a2011e01e35ed29a3f3f3
SHA19daecb1ee5d7cbcf46ee154dd642fcd993723a9b
SHA256dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5
SHA51269d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df
-
\Users\Admin\AppData\Local\we3J\msinfo32.exeFilesize
370KB
MD5d291620d4c51c5f5ffa62ccdc52c5c13
SHA12081c97f15b1c2a2eadce366baf3c510da553cc7
SHA25676e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae
SHA51275f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b
-
memory/548-97-0x0000000140000000-0x000000014014A000-memory.dmpFilesize
1.3MB
-
memory/548-94-0x0000000000390000-0x0000000000397000-memory.dmpFilesize
28KB
-
memory/548-92-0x0000000140000000-0x000000014014A000-memory.dmpFilesize
1.3MB
-
memory/632-79-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/632-73-0x0000000000440000-0x0000000000447000-memory.dmpFilesize
28KB
-
memory/1196-26-0x0000000002E10000-0x0000000002E17000-memory.dmpFilesize
28KB
-
memory/1196-15-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1196-14-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1196-12-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1196-11-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1196-9-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1196-37-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1196-38-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1196-4-0x0000000077466000-0x0000000077467000-memory.dmpFilesize
4KB
-
memory/1196-25-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1196-28-0x0000000077800000-0x0000000077802000-memory.dmpFilesize
8KB
-
memory/1196-5-0x0000000002E30000-0x0000000002E31000-memory.dmpFilesize
4KB
-
memory/1196-8-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1196-7-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1196-65-0x0000000077466000-0x0000000077467000-memory.dmpFilesize
4KB
-
memory/1196-27-0x0000000077671000-0x0000000077672000-memory.dmpFilesize
4KB
-
memory/1196-16-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1196-13-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/1196-10-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/2744-60-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/2744-54-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/2744-57-0x0000000000190000-0x0000000000197000-memory.dmpFilesize
28KB
-
memory/2864-0-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/2864-46-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/2864-3-0x00000000001B0000-0x00000000001B7000-memory.dmpFilesize
28KB