Analysis
-
max time kernel
149s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
18-06-2024 12:25
General
-
Target
bbeb2cd20a1ba49d25bc9a31ed2ab382_JaffaCakes118.dll
-
Size
986KB
-
MD5
bbeb2cd20a1ba49d25bc9a31ed2ab382
-
SHA1
0cf1a27e3a3223300a6b2c76823678430b9b2196
-
SHA256
0a28e7ee9defb1086bc03f8a1aff2ded0d1f088e7d6ce37dbadd8ff7d524d297
-
SHA512
2dea31f1ecc66c3af3a8ebc35355b26293ac772714ee099ae28650f71c2813d615e6c6c1d02c5c239373626322fd1b9811836f20e127f64436d104946185183a
-
SSDEEP
24576:dVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:dV8hf6STw1ZlQauvzSq01ICe6zvm
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bbeb2cd20a1ba49d25bc9a31ed2ab382_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:81⤵
-
C:\Windows\system32\MoUsoCoreWorker.exeC:\Windows\system32\MoUsoCoreWorker.exe1⤵
-
C:\Users\Admin\AppData\Local\TV02gl\MoUsoCoreWorker.exeC:\Users\Admin\AppData\Local\TV02gl\MoUsoCoreWorker.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\slui.exeC:\Windows\system32\slui.exe1⤵
-
C:\Users\Admin\AppData\Local\AamrTfV\slui.exeC:\Users\Admin\AppData\Local\AamrTfV\slui.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\sigverif.exeC:\Windows\system32\sigverif.exe1⤵
-
C:\Users\Admin\AppData\Local\ME6Jxl37\sigverif.exeC:\Users\Admin\AppData\Local\ME6Jxl37\sigverif.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\AamrTfV\SLC.dllFilesize
987KB
MD56e4385f38f291c1d48e15600fa4e8862
SHA1b8829cac8baed26f9d86e8cfbf652f35c362ceec
SHA256ac976c6407668a8bce100067b01ecc2992daac8e47e03ba2d2d065da11eeef27
SHA51242cfe15ff31762331fef1c20d38164bc5dd1795f988ddd83823bf58519a52f08cd007c04f86fa8d623c597eaa2bfe6aa0f33981f7a541fb6c7de5c6fcb4fd341
-
C:\Users\Admin\AppData\Local\AamrTfV\slui.exeFilesize
534KB
MD5eb725ea35a13dc18eac46aa81e7f2841
SHA1c0b3304c970324952e18c4a51073e3bdec73440b
SHA25625e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff
SHA51239192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26
-
C:\Users\Admin\AppData\Local\ME6Jxl37\VERSION.dllFilesize
987KB
MD513967a9e4a214cf7a6e10c577d6cd8f8
SHA12c5c6b73ee7892032c571da9c6af1da178ddae95
SHA256c18d47c9dcfd9ecba6cb8ff75e9a444d55874a759efe02ca752acbeaaa7a8cdf
SHA512f985828455cc3940413ec95fc4308ab5be2e18da31c339262225477e0e21a234fcef38c094f4c90b38cbf7adc603461c7a7673a3c546ab7d988b1428a30920cc
-
C:\Users\Admin\AppData\Local\ME6Jxl37\sigverif.exeFilesize
77KB
MD52151a535274b53ba8a728e542cbc07a8
SHA1a2304c0f2616a7d12298540dce459dd9ccf07443
SHA256064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd
SHA512e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f
-
C:\Users\Admin\AppData\Local\TV02gl\MoUsoCoreWorker.exeFilesize
1.6MB
MD547c6b45ff22b73caf40bb29392386ce3
SHA17e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9
SHA256cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0
SHA512c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331
-
C:\Users\Admin\AppData\Local\TV02gl\XmlLite.dllFilesize
986KB
MD5c2ab5e67837009e2f87d04bf1bd11c20
SHA118462ffbd4d336b6f1c17239fde97d8278d5e25f
SHA2564ca250708d25fba8abb1c650c92d13163d1ce7b103517f5617e9ef7ef5f62a90
SHA512e6fb01f649465e88a5101de84c6fc5ebeb261b54de640fe9877291382178f1fcc7fee9b3e966eddb8a43ce65db7b859f6b66b44fed705650c067cb1ed893503d
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xpqmtuztdhk.lnkFilesize
1KB
MD55561af73b91f488441505daa317f32b9
SHA12215908dfb5576582e23608b967c9e331955afab
SHA256c2acce03627cc3e1543f5760b09053a3f9c1fb97bc018d68340756059816e4f1
SHA512f66cd5fbebc9d544f90b4b3c9e400acea7793d72b10c3a194e261cd8fc7cf26aad98476621e89b06592025bf89b2ddb7a4522fe733ecea905e17ff9a8d977814
-
memory/376-47-0x00000155933B0000-0x00000155933B7000-memory.dmpFilesize
28KB
-
memory/376-44-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/376-50-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/1392-81-0x0000026AA1E70000-0x0000026AA1E77000-memory.dmpFilesize
28KB
-
memory/1392-84-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/1784-0-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/1784-3-0x000001BA97B90000-0x000001BA97B97000-memory.dmpFilesize
28KB
-
memory/1784-37-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/2160-64-0x000001B788C80000-0x000001B788C87000-memory.dmpFilesize
28KB
-
memory/2160-67-0x0000000140000000-0x00000001400FD000-memory.dmpFilesize
1012KB
-
memory/3424-25-0x00007FFCE1790000-0x00007FFCE17A0000-memory.dmpFilesize
64KB
-
memory/3424-13-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3424-7-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3424-8-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3424-9-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3424-10-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3424-11-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3424-22-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3424-24-0x00000000032D0000-0x00000000032D7000-memory.dmpFilesize
28KB
-
memory/3424-34-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3424-23-0x00007FFCE12EA000-0x00007FFCE12EB000-memory.dmpFilesize
4KB
-
memory/3424-12-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3424-6-0x0000000140000000-0x00000001400FC000-memory.dmpFilesize
1008KB
-
memory/3424-4-0x00000000077E0000-0x00000000077E1000-memory.dmpFilesize
4KB