Analysis
-
max time kernel
150s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14-06-2024 11:01
General
-
Target
a95463c4c15657eea00d42c7f5f4d0cd_JaffaCakes118.dll
-
Size
986KB
-
MD5
a95463c4c15657eea00d42c7f5f4d0cd
-
SHA1
5c44e306351f8055a871c4ba85fa48502dac3d1e
-
SHA256
240a3850e0e1a7ab754fd9325e11cf6fcf5251e2b3f329f2de2930b39792f2d6
-
SHA512
c29799b71728c6547515a805aacaee6908641ed54ffafc862cd0da9e3d548f58fb6740dd72cdb84e99886a331d4b69cfd75acf2ffb17988293f041c04fdaa68c
-
SSDEEP
24576:oVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:oV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a95463c4c15657eea00d42c7f5f4d0cd_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\MusNotificationUx.exeC:\Windows\system32\MusNotificationUx.exe1⤵
-
C:\Users\Admin\AppData\Local\tYwgL3MX\MusNotificationUx.exeC:\Users\Admin\AppData\Local\tYwgL3MX\MusNotificationUx.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\SystemPropertiesHardware.exeC:\Windows\system32\SystemPropertiesHardware.exe1⤵
-
C:\Users\Admin\AppData\Local\Zn6aUqGx\SystemPropertiesHardware.exeC:\Users\Admin\AppData\Local\Zn6aUqGx\SystemPropertiesHardware.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\SystemSettingsRemoveDevice.exeC:\Windows\system32\SystemSettingsRemoveDevice.exe1⤵
-
C:\Users\Admin\AppData\Local\Jcw\SystemSettingsRemoveDevice.exeC:\Users\Admin\AppData\Local\Jcw\SystemSettingsRemoveDevice.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Jcw\DUI70.dllFilesize
1.2MB
MD54e5e039a4f5bacaa103b38c82dfc1de7
SHA15e08bec9d70483c3133969a5573f49012491aec3
SHA2569ad1806a4e0550f7ee1b8c245b853c0281b44321711ce537219f44bf0d04f592
SHA512264aee506544c68b6a0782c8e4fee95aa81ece8ab9402ba1cf0e04efe274584500173d6afb0a1031f350cd1553d440051e38c0a5c66d5ecbd18f1d030196bf72
-
C:\Users\Admin\AppData\Local\Jcw\SystemSettingsRemoveDevice.exeFilesize
39KB
MD57853f1c933690bb7c53c67151cbddeb0
SHA1d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6
SHA2569500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d
SHA512831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304
-
C:\Users\Admin\AppData\Local\Zn6aUqGx\SYSDM.CPLFilesize
986KB
MD5c6ff0bf1ad2e0db3c03dc84fc06b7a4a
SHA1f4cd8a96a2f0ec005b601a1936ee19e6f232502d
SHA256873c042301e949931d4151b5d34bc3d9be0e043dd7cbf66beb4cb4a481d0acbf
SHA512783d5fcc3552db595a59c9c4311c67151981c2af93bb9992337ac22ef7851dc07acf93b8a971725d4d811a5a3d20204c27b29563a9a6a5a5d610fdadeabea80b
-
C:\Users\Admin\AppData\Local\Zn6aUqGx\SystemPropertiesHardware.exeFilesize
82KB
MD5bf5bc0d70a936890d38d2510ee07a2cd
SHA169d5971fd264d8128f5633db9003afef5fad8f10
SHA256c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7
SHA5120e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51
-
C:\Users\Admin\AppData\Local\tYwgL3MX\MusNotificationUx.exeFilesize
615KB
MD5869a214114a81712199f3de5d69d9aad
SHA1be973e4188eff0d53fdf0e9360106e8ad946d89f
SHA256405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361
SHA512befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012
-
C:\Users\Admin\AppData\Local\tYwgL3MX\XmlLite.dllFilesize
986KB
MD5c2f6fd6d86cfd367eda4258acf8730b8
SHA179ee35541a680c8ee365dbb355cc0bab455e05e4
SHA256d2e52aed1e414aac1318f73b8301e1648d47f7e68857e94052fb75e919e8f1f6
SHA5125517c0ce9b0c0f6b77d2f56fbed60b27b08d3ce5b858365c481654ff3c61389abe0896a2a0ec6a3f144f28ce1928defc28b6640addac2fd873e4a8d2afe7ed5c
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnkFilesize
1KB
MD556dfa64fd4000372fe380fc29bf5f8bf
SHA1502b5936fdfe394acd48788d7c11dac826b61e9e
SHA25649c81a0aed832a64327e37253fe1ad740f4033af87d0b0d0c1ac9aadff79b802
SHA512f09897e655e40be03617cd6b819fd2ad854a5b1165f19b40daa9649228988cf664fa2961fb0b38c72bca8e058d6bc01cd86c3cc01c6437c5dcb25b2cab7096d8
-
memory/560-50-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/560-44-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/560-47-0x000001E5BB2A0000-0x000001E5BB2A7000-memory.dmpFilesize
28KB
-
memory/1132-67-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/1132-64-0x0000027037830000-0x0000027037837000-memory.dmpFilesize
28KB
-
memory/1404-79-0x0000000140000000-0x0000000140142000-memory.dmpFilesize
1.3MB
-
memory/1404-78-0x00000166532B0000-0x00000166532B7000-memory.dmpFilesize
28KB
-
memory/1404-84-0x0000000140000000-0x0000000140142000-memory.dmpFilesize
1.3MB
-
memory/2512-37-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/2512-1-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/2512-0-0x00000206D9DF0000-0x00000206D9DF7000-memory.dmpFilesize
28KB
-
memory/3516-34-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3516-28-0x00007FFF192D0000-0x00007FFF192E0000-memory.dmpFilesize
64KB
-
memory/3516-10-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3516-11-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3516-14-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3516-27-0x0000000007A40000-0x0000000007A47000-memory.dmpFilesize
28KB
-
memory/3516-8-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3516-9-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3516-23-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3516-12-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3516-13-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3516-4-0x0000000007A60000-0x0000000007A61000-memory.dmpFilesize
4KB
-
memory/3516-6-0x00007FFF190CA000-0x00007FFF190CB000-memory.dmpFilesize
4KB
-
memory/3516-7-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB