Analysis

  • max time kernel: 149s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-08-2024 15:32

General

  • Target: 93ae5f6059247d99d43a26e7968f6553_JaffaCakes118.dll
  • Size: 1.2MB
  • MD5: 93ae5f6059247d99d43a26e7968f6553
  • SHA1: 725d664d5358124d996b425828f6f1412e9cb7e6
  • SHA256: f11eb150d3899616f4e6857c247bf09496fefc2f44d9badbbba02b85dedb8f9d
  • SHA512: 01755678f491dce52317eebf5f4f48dba124dddb364e3ef97174f4bd42d2410e00737ba3d429302a7b1964d0a6ed845cb96ea10fc280d2aa5b0a1584561f0ada
  • SSDEEP: 24576:4uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:I9cKrUqZWLAcU

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\93ae5f6059247d99d43a26e7968f6553_JaffaCakes118.dll
    • Suspicious behavior: EnumeratesProcesses
    PID: 1488
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    PID: 2844
    • C:\Users\Admin\AppData\Local\vVO\sigverif.exe
      C:\Users\Admin\AppData\Local\vVO\sigverif.exe
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID: 2572
    • C:\Windows\system32\winlogon.exe
      C:\Windows\system32\winlogon.exe
      PID: 1248
      • C:\Users\Admin\AppData\Local\RFiXNrVv\winlogon.exe
        C:\Users\Admin\AppData\Local\RFiXNrVv\winlogon.exe
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID: 320
      • C:\Windows\system32\shrpubw.exe
        C:\Windows\system32\shrpubw.exe
        PID: 2876
        • C:\Users\Admin\AppData\Local\d2LPSd\shrpubw.exe
          C:\Users\Admin\AppData\Local\d2LPSd\shrpubw.exe
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID: 2728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\RFiXNrVv\WINSTA.dll
    Filesize: 1.2MB
    MD5: 034e5e4fd72b12d8882a36bc2433358c
    SHA1: df917d529e7b737c599d3c5a859f34b9e7d631e2
    SHA256: b4518dbdee463534278ddc967a08e69256172e84d449bae15bff4410f21d6b30
    SHA512: d05424265ff361e2d31f323421b46a27f915d815682efaf38348fb5a6804dbfaeaeebf66a7e5a9595c59f0b90eb45ae97616dbabc30bbc395ac988490e3a5999

  • C:\Users\Admin\AppData\Local\d2LPSd\MFC42u.dll
    Filesize: 1.2MB
    MD5: e2f8a62126b603a4e692f9fe40e8eb8c
    SHA1: 09eafec4d1880956bb13f3ae06571598ea9a327d
    SHA256: e9a92a223051c73e02843128d92309c6fbf1150eb8ddeca38aad4fb4ad8ab645
    SHA512: 84757777d4a2c68c6e89d08740b01a8b6894878d4a11b5cd0cc44f04227f1392c58abc7f65f3bc7f2d28c91d4cecf19ace9fefd1ace9918f6a771339cf8ff562

  • C:\Users\Admin\AppData\Local\vVO\VERSION.dll
    Filesize: 1.2MB
    MD5: e04cb85ddc2433471f30f4f669c6c891
    SHA1: 49c4413dcc0f4ed6b1aad6099c18c1e1c3221190
    SHA256: fec1c7a657298d0f19eeb54a3ab3ab991679819fc82afd1487fe5e44e78e065a
    SHA512: a58e29bac67490a76b032eab00e9dd6577981c000e76db9d1daf6d339f4ec4a2fcd86601a2a0ff90f45c6def12d2fb6f88201cd94faa7404ee253071faeba919

  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
    Filesize: 988B
    MD5: 13bcb31e04060cff81894e9bc6badef2
    SHA1: 5204a2a1704acdd90a3b419731356b7f586330dc
    SHA256: 986522ec5d3d06851a00a92c4640735eb030d67789712a9cf62a857e7133bd0e
    SHA512: 55ae29a79155b2225fe1d41f7012ea6a7ba3659099fc2ac81a4fdba7c2d13519ced7d1d2e17c6fd534e2630ab25019294a2385339e231aeaa11bd451d12b204f

  • \Users\Admin\AppData\Local\RFiXNrVv\winlogon.exe
    Filesize: 381KB
    MD5: 1151b1baa6f350b1db6598e0fea7c457
    SHA1: 434856b834baf163c5ea4d26434eeae775a507fb
    SHA256: b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49
    SHA512: df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

  • \Users\Admin\AppData\Local\d2LPSd\shrpubw.exe
    Filesize: 398KB
    MD5: 29e6d0016611c8f948db5ea71372f76c
    SHA1: 01d007a01020370709cd6580717f9ace049647e8
    SHA256: 53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930
    SHA512: 300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

  • \Users\Admin\AppData\Local\vVO\sigverif.exe
    Filesize: 73KB
    MD5: e8e95ae5534553fc055051cee99a7f55
    SHA1: 4e0f668849fd546edd083d5981ed685d02a68df4
    SHA256: 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
    SHA512: 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

  • memory/320-77-0x000007FEF5960000-0x000007FEF5A93000-memory.dmp (Filesize: 1.2MB)
  • memory/320-76-0x0000000000110000-0x0000000000117000-memory.dmp (Filesize: 28KB)
  • memory/320-73-0x000007FEF5960000-0x000007FEF5A93000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-9-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-26-0x0000000002EC0000-0x0000000002EC7000-memory.dmp (Filesize: 28KB)
  • memory/1192-25-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-14-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-13-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-12-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-11-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-10-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-4-0x0000000076C76000-0x0000000076C77000-memory.dmp (Filesize: 4KB)
  • memory/1192-37-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-38-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-5-0x0000000002EE0000-0x0000000002EE1000-memory.dmp (Filesize: 4KB)
  • memory/1192-28-0x0000000076F10000-0x0000000076F12000-memory.dmp (Filesize: 8KB)
  • memory/1192-27-0x0000000076D81000-0x0000000076D82000-memory.dmp (Filesize: 4KB)
  • memory/1192-8-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-7-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-16-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-65-0x0000000076C76000-0x0000000076C77000-memory.dmp (Filesize: 4KB)
  • memory/1192-15-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1192-18-0x0000000140000000-0x0000000140131000-memory.dmp (Filesize: 1.2MB)
  • memory/1488-46-0x000007FEF6380000-0x000007FEF64B1000-memory.dmp (Filesize: 1.2MB)
  • memory/1488-3-0x00000000003C0000-0x00000000003C7000-memory.dmp (Filesize: 28KB)
  • memory/1488-0-0x000007FEF6380000-0x000007FEF64B1000-memory.dmp (Filesize: 1.2MB)
  • memory/2572-60-0x000007FEF63E0000-0x000007FEF6512000-memory.dmp (Filesize: 1.2MB)
  • memory/2572-55-0x000007FEF63E0000-0x000007FEF6512000-memory.dmp (Filesize: 1.2MB)
  • memory/2572-54-0x0000000000190000-0x0000000000197000-memory.dmp (Filesize: 28KB)
  • memory/2728-91-0x000007FEF5960000-0x000007FEF5A98000-memory.dmp (Filesize: 1.2MB)
  • memory/2728-96-0x000007FEF5960000-0x000007FEF5A98000-memory.dmp (Filesize: 1.2MB)