Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-07-2024 01:51

General

  • Target

    31b7ddc62f5f53c4e73e7e6fc2ac8a8e_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    31b7ddc62f5f53c4e73e7e6fc2ac8a8e

  • SHA1

    90bc55e8741ad80cc692f8916879afe1136d300c

  • SHA256

    d62f7d5f5612a00f40af40dd9e4d077879f57a394e6c54cfdd8ac3c643212844

  • SHA512

    2c1de038b2c6a2b090f0f17a1fc0118bbed7837496a7c7df345295039d16e1731c5274cde666880b5323eed51547b10a93a22efd7d2deffd14f0bcc1e8f611dc

  • SSDEEP

    24576:luYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:f9cKrUqZWLAcU

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\31b7ddc62f5f53c4e73e7e6fc2ac8a8e_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3000
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    1⤵
      PID:2572
    • C:\Users\Admin\AppData\Local\b6us4oBw5\BitLockerWizard.exe
      C:\Users\Admin\AppData\Local\b6us4oBw5\BitLockerWizard.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2620
    • C:\Windows\system32\WFS.exe
      C:\Windows\system32\WFS.exe
      1⤵
        PID:1696
      • C:\Users\Admin\AppData\Local\5N7DNcbSr\WFS.exe
        C:\Users\Admin\AppData\Local\5N7DNcbSr\WFS.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:936
      • C:\Windows\system32\ComputerDefaults.exe
        C:\Windows\system32\ComputerDefaults.exe
        1⤵
          PID:1316
        • C:\Users\Admin\AppData\Local\OFxp\ComputerDefaults.exe
          C:\Users\Admin\AppData\Local\OFxp\ComputerDefaults.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1504

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\5N7DNcbSr\WFS.exe

          Filesize

          951KB

          MD5

          a943d670747778c7597987a4b5b9a679

          SHA1

          c48b760ff9762205386563b93e8884352645ef40

          SHA256

          1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

          SHA512

          3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

        • C:\Users\Admin\AppData\Local\5N7DNcbSr\credui.dll

          Filesize

          1.2MB

          MD5

          ebd1fb2e90491aa084ffc02ef491cb25

          SHA1

          115d7373e39f8e372b1385e545f0d6ea18e19df6

          SHA256

          fdd3c1c5ae4bdc639b8844aac543e0e97b01488b5f6ad95d58b7e7ed3443fba9

          SHA512

          84d482f8b3e16a36a177f6d9bb94dec9e706e40553a54c4dd3e350faaba9847c008489186be0682bfa0f34ddf59f8b3f9c5db8699fa76675fadd4bcf1d685f76

        • C:\Users\Admin\AppData\Local\OFxp\appwiz.cpl

          Filesize

          1.2MB

          MD5

          203df4e130faac4b7e4c5e473b422872

          SHA1

          133eb16de65b4648dca24eeba8af97b5170e1b98

          SHA256

          918c1ac0dafc87b12fb4a8e9843737e8516988c09acc87b684d0ccae1493f31c

          SHA512

          d01b4bf4253df248d962eab72b3c74737e5aa1431c073021013fe5ada008561c3966d9d29d8e556836e4dd556e797610c57daaa2a0737ea7a00fe03b6b12febe

        • C:\Users\Admin\AppData\Local\b6us4oBw5\FVEWIZ.dll

          Filesize

          1.2MB

          MD5

          941cc22026cfe7deed4d24d8c38e7737

          SHA1

          1c529ce94d44656fc583382b099d8b821e760b2b

          SHA256

          c8d2498ec1b9b06335cf9301b686a16d9bc37038d7b6069b2ec2f2d063e2e4e0

          SHA512

          3908ea6da3e010e36325ab633859720278e447a0a5e58200a9ab741573f73d409a5d6e628e00981532028e30a73d5e8cdbbd7e2d2f6ecce7e617b95d8b525bef

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ewnqrlgibmqii.lnk

          Filesize

          1KB

          MD5

          849d037e66fe11ec59cae9f71d4cc7b3

          SHA1

          d5af813a797f626a826ee91e66ba312f7120dc05

          SHA256

          e8ff3d5529a361cce9e82419a0b7e428f893733f30b7847f4a3cf01ffbd0763d

          SHA512

          a9232f2b01f87ae9aaf79cb53511ff1cbde83f1e7b1958e2e7bef6c5d28384c920b56d074021b1dd2c8b674663fc1646f7f405962d67cbf6ff539429d8b012f4

        • \Users\Admin\AppData\Local\OFxp\ComputerDefaults.exe

          Filesize

          36KB

          MD5

          86bd981f55341273753ac42ea200a81e

          SHA1

          14fe410efc9aeb0a905b984ac27719ff0dd10ea7

          SHA256

          40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

          SHA512

          49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

        • \Users\Admin\AppData\Local\b6us4oBw5\BitLockerWizard.exe

          Filesize

          98KB

          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

        • memory/936-78-0x000007FEF6360000-0x000007FEF6492000-memory.dmp

          Filesize

          1.2MB

        • memory/936-73-0x000007FEF6360000-0x000007FEF6492000-memory.dmp

          Filesize

          1.2MB

        • memory/936-72-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

        • memory/1204-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-26-0x00000000024D0000-0x00000000024D7000-memory.dmp

          Filesize

          28KB

        • memory/1204-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-28-0x00000000773E0000-0x00000000773E2000-memory.dmp

          Filesize

          8KB

        • memory/1204-27-0x0000000077251000-0x0000000077252000-memory.dmp

          Filesize

          4KB

        • memory/1204-38-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-4-0x0000000077046000-0x0000000077047000-memory.dmp

          Filesize

          4KB

        • memory/1204-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

          Filesize

          4KB

        • memory/1204-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1204-71-0x0000000077046000-0x0000000077047000-memory.dmp

          Filesize

          4KB

        • memory/1204-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/1504-90-0x000007FEF7660000-0x000007FEF7792000-memory.dmp

          Filesize

          1.2MB

        • memory/1504-93-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

        • memory/1504-96-0x000007FEF7660000-0x000007FEF7792000-memory.dmp

          Filesize

          1.2MB

        • memory/2620-59-0x000007FEF7790000-0x000007FEF78C2000-memory.dmp

          Filesize

          1.2MB

        • memory/2620-54-0x000007FEF7790000-0x000007FEF78C2000-memory.dmp

          Filesize

          1.2MB

        • memory/3000-3-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

        • memory/3000-46-0x000007FEF7650000-0x000007FEF7781000-memory.dmp

          Filesize

          1.2MB

        • memory/3000-0-0x000007FEF7650000-0x000007FEF7781000-memory.dmp

          Filesize

          1.2MB
