Analysis
-
max time kernel
149s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 08:13
General
-
Target
6a4e5486af546391e45412c333bbe6c8_JaffaCakes118.dll
-
Size
1.2MB
-
MD5
6a4e5486af546391e45412c333bbe6c8
-
SHA1
b93d409fc83ab378bba92cd0c6ca012cfd821f95
-
SHA256
80b2c8b6a99129cf3c8de8ab7b21f4cb2c6f0dc9569b58aa1416d7a9057a314f
-
SHA512
b8cdf8bc9b75c7cf3567106b5585ebda71503bbed0f664b7422214d76252158fde10508909e6511e2c35ecdd7e691c285219282402812a855e4bbf9432fae144
-
SSDEEP
24576:mVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8at:mV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6a4e5486af546391e45412c333bbe6c8_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4160,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:81⤵
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
-
C:\Users\Admin\AppData\Local\ggBfldBm\AgentService.exeC:\Users\Admin\AppData\Local\ggBfldBm\AgentService.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\rdpinput.exeC:\Windows\system32\rdpinput.exe1⤵
-
C:\Users\Admin\AppData\Local\NTVsk\rdpinput.exeC:\Users\Admin\AppData\Local\NTVsk\rdpinput.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\dwm.exeC:\Windows\system32\dwm.exe1⤵
-
C:\Users\Admin\AppData\Local\XwKP1T6\dwm.exeC:\Users\Admin\AppData\Local\XwKP1T6\dwm.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\NTVsk\WINSTA.dllFilesize
1.2MB
MD552fb1919cdc9f56a0330bd406add588c
SHA105cc708d978f06f1624357e040063d5d5bef7397
SHA2561a3f84f67009062cf3a8f7090b347ef349a68769c023dd9fb34a422c29a90bb2
SHA512755dfeb18b9ec9515aab5360ae23949540ff78cddd482ff9520a88b3794a30d0433ba5bd33aecf1ae801e65745af4b56bfa5bebe055c382952234014c881b515
-
C:\Users\Admin\AppData\Local\NTVsk\rdpinput.exeFilesize
180KB
MD5bd99eeca92869f9a3084d689f335c734
SHA1a2839f6038ea50a4456cd5c2a3ea003e7b77688c
SHA25639bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143
SHA512355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e
-
C:\Users\Admin\AppData\Local\XwKP1T6\dwm.exeFilesize
92KB
MD55c27608411832c5b39ba04e33d53536c
SHA1f92f8b7439ce1de4c297046ed1d3ff9f20bc97af
SHA2560ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565
SHA5121fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309
-
C:\Users\Admin\AppData\Local\XwKP1T6\dxgi.dllFilesize
1.2MB
MD5855227d647e931df2ce1bc1e1e87ab86
SHA139c9f787b0484c7f0fd517c824a0700ffbde140f
SHA25625d66886b548de512cfe56d6c7ed389d11c52bd51c0014f4196159cef30c54b3
SHA51234a4a4349061792a1f668bd44a4a5b97279c5c5e1ae6aefcb41f30fe2358b0b2a959f45033f582cdc44ea8c38decb9f4d1619e1757725b636aabd43dbeb7fd41
-
C:\Users\Admin\AppData\Local\ggBfldBm\ACTIVEDS.dllFilesize
1.2MB
MD5103e66a38c1ad145df2da002ac6d4e58
SHA1a43dc590ca1dcc37868b561b8abe570995b10878
SHA256e86ab35771bdd33216cf80a0a657da8b3d3f90bf850562bac244d2afba15c5f1
SHA51221c5b656ae8ce9f558e2e654e90c5335bf0794be3f1adc3bf1b0b86e45efec182c820bedd0df76686566fcb0e880e6d3c2f12042b2db6a731d1cf5e1e9cf9cd7
-
C:\Users\Admin\AppData\Local\ggBfldBm\AgentService.exeFilesize
1.2MB
MD5f8bac206def3e87ceb8ef3cb0fb5a194
SHA1a28ea816e7b5ca511da4576262a5887a75171276
SHA256c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268
SHA5128df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xpqmtuztdhk.lnkFilesize
1KB
MD537c8036e99ce437bbe342cdc6f77f83e
SHA13b40fb69159d3bb2551dd56bae4daee199b3b2ea
SHA256d314beb50afa09d14dbb1d1ac8e8a77d85b2c6590f295b9a302bc000624fb4b5
SHA5124f217b2946c8ee6f6eb0133f9c1025dba3362e954b88a537708850ae09e0cdc890f547a8e0ac406a86a7622373cec4d9767cbb4d9b6e32018ab2a1844584225e
-
memory/1216-92-0x00000202BBB60000-0x00000202BBCA4000-memory.dmpFilesize
1.3MB
-
memory/1216-87-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1216-88-0x00000202BBCB0000-0x00000202BBDF4000-memory.dmpFilesize
1.3MB
-
memory/1216-94-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1976-54-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1976-50-0x000002835EB20000-0x000002835EB27000-memory.dmpFilesize
28KB
-
memory/1976-47-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/1976-46-0x0000000140000000-0x0000000140144000-memory.dmpFilesize
1.3MB
-
memory/3504-29-0x0000000000600000-0x0000000000607000-memory.dmpFilesize
28KB
-
memory/3504-13-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3504-4-0x0000000000650000-0x0000000000651000-memory.dmpFilesize
4KB
-
memory/3504-7-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3504-8-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3504-10-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3504-12-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3504-11-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3504-14-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3504-15-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3504-25-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3504-30-0x00007FF9B07D0000-0x00007FF9B07E0000-memory.dmpFilesize
64KB
-
memory/3504-36-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3504-16-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3504-9-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3504-6-0x00007FF9AF94A000-0x00007FF9AF94B000-memory.dmpFilesize
4KB
-
memory/3888-39-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3888-0-0x0000000140000000-0x0000000140143000-memory.dmpFilesize
1.3MB
-
memory/3888-3-0x00000244E1FD0000-0x00000244E1FD7000-memory.dmpFilesize
28KB
-
memory/4108-73-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/4108-65-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/4108-68-0x0000000140000000-0x0000000140145000-memory.dmpFilesize
1.3MB
-
memory/4108-69-0x000001ACCB650000-0x000001ACCB657000-memory.dmpFilesize
28KB