Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-08-2024 09:52

General

  • Target

    bb3f80224ccb963c44b6fd5c32407490_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    bb3f80224ccb963c44b6fd5c32407490

  • SHA1

    4d1b454fb9b0fa8e0972f2c3b853e2b2daa025ce

  • SHA256

    dc19cb70f3b01ea32e03808948037934c7d98035aa0eb12538c3d2472ac8e452

  • SHA512

    bcd0e1373cef696f182ea97b0b9948e7a28017c7000a96a18bea130ea253c18c2d9a386455bd6ba04e3f5880e0e7844e24e47706b0cf85bfcdf7facb326efb56

  • SSDEEP

    24576:zuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:99cKrUqZWLAcU

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb3f80224ccb963c44b6fd5c32407490_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4564
  • C:\Windows\system32\MDMAppInstaller.exe
    C:\Windows\system32\MDMAppInstaller.exe
    1⤵
      PID:1744
    • C:\Users\Admin\AppData\Local\2D3dfs\MDMAppInstaller.exe
      C:\Users\Admin\AppData\Local\2D3dfs\MDMAppInstaller.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1580
    • C:\Windows\system32\bdeunlock.exe
      C:\Windows\system32\bdeunlock.exe
      1⤵
        PID:3172
      • C:\Users\Admin\AppData\Local\dNEWoptGc\bdeunlock.exe
        C:\Users\Admin\AppData\Local\dNEWoptGc\bdeunlock.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3648
      • C:\Windows\system32\ApplicationFrameHost.exe
        C:\Windows\system32\ApplicationFrameHost.exe
        1⤵
          PID:4844
        • C:\Users\Admin\AppData\Local\W6XQchEl\ApplicationFrameHost.exe
          C:\Users\Admin\AppData\Local\W6XQchEl\ApplicationFrameHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2316

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\2D3dfs\MDMAppInstaller.exe

          Filesize

          151KB

          MD5

          30e978cc6830b04f1e7ed285cccaa746

          SHA1

          e915147c17e113c676c635e2102bbff90fb7aa52

          SHA256

          dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

          SHA512

          331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

        • C:\Users\Admin\AppData\Local\2D3dfs\WTSAPI32.dll

          Filesize

          1.2MB

          MD5

          f1efe87601d00cd786cfb20f0c0b876e

          SHA1

          7db82d6f2bdcff6bc096af39a8c98799b33e0019

          SHA256

          ceeebd6f5571545724250e1d6061c5c9cb1f6686abd07b6a9bf65909b40cc527

          SHA512

          7b3d5c11cc0fcc5ebe2a088d1c594e6218af5f667d5b05bf26b462370e2daaad948f4cf401af301a5a1f94ceb13d9825c95d94c1f9c5dd2790812e6ba3cf4eae

        • C:\Users\Admin\AppData\Local\W6XQchEl\ApplicationFrameHost.exe

          Filesize

          76KB

          MD5

          d58a8a987a8dafad9dc32a548cc061e7

          SHA1

          f79fc9e0ab066cad530b949c2153c532a5223156

          SHA256

          cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

          SHA512

          93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

        • C:\Users\Admin\AppData\Local\W6XQchEl\dxgi.dll

          Filesize

          1.2MB

          MD5

          4f26c2b68a5cd594556c482a4afdfc00

          SHA1

          b7049152dce3605c95538786fe7f50e713bd2c38

          SHA256

          fb34016f6e6e554261aad21ec073737ccd2a87ad788f869e84f4b6e7129981b4

          SHA512

          a617e854ea838e225a4e7af673ed4878a9f5aebb5cde1066cdd70d07812b9440d575e604f542848749fb2720946160ab783eed9e2f72bb8f93dcf38683e6b25a

        • C:\Users\Admin\AppData\Local\dNEWoptGc\DUser.dll

          Filesize

          1.2MB

          MD5

          0c70722fc3e517c1a4a371628f7ed591

          SHA1

          88dfb482cb146bc6a297603bbc9b7c686c645e14

          SHA256

          31331414e827a19caee99b03fbbaf44b64ce4fc60169d63ebae168353f6003b9

          SHA512

          63c3cee41fa5ebdd24a4da61834e9cdfd26fedf99472ef6e634f4b5ddefb23919b525bae2fec1af2d3472638936be43f754469ca2297d3c3307030fc003e97c1

        • C:\Users\Admin\AppData\Local\dNEWoptGc\bdeunlock.exe

          Filesize

          279KB

          MD5

          fef5d67150c249db3c1f4b30a2a5a22e

          SHA1

          41ca037b0229be9338da4d78244b4f0ea5a3d5f3

          SHA256

          dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

          SHA512

          4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ahvhgxnkgdxqlh.lnk

          Filesize

          1KB

          MD5

          74c5189ebb4cb75400f7ee8b0b64e2be

          SHA1

          bf5c6f62b592e71323a7d58b12ab2d956e3fb85c

          SHA256

          e2e637d247251c2829cccae157c3fa552440c329d48254498a6fbdc4e9c0be64

          SHA512

          3999d70c7197961998c059cacc21a2a9e8475752ee5263cdd49171a086ccffa293523dfc9758fc0840981356fefe0ca704b4db537eb473b580601cfdcd5b4873

        • memory/1580-52-0x00007FFDE0410000-0x00007FFDE0542000-memory.dmp

          Filesize

          1.2MB

        • memory/1580-49-0x00000154BCC70000-0x00000154BCC77000-memory.dmp

          Filesize

          28KB

        • memory/1580-46-0x00007FFDE0410000-0x00007FFDE0542000-memory.dmp

          Filesize

          1.2MB

        • memory/2316-86-0x00007FFDE0410000-0x00007FFDE0542000-memory.dmp

          Filesize

          1.2MB

        • memory/2316-83-0x000001FDBF040000-0x000001FDBF047000-memory.dmp

          Filesize

          28KB

        • memory/3476-34-0x00000000008F0000-0x00000000008F7000-memory.dmp

          Filesize

          28KB

        • memory/3476-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3476-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3476-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3476-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3476-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3476-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3476-6-0x00007FFDFCBAA000-0x00007FFDFCBAB000-memory.dmp

          Filesize

          4KB

        • memory/3476-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3476-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3476-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3476-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3476-4-0x0000000000960000-0x0000000000961000-memory.dmp

          Filesize

          4KB

        • memory/3476-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3476-35-0x00007FFDFDB70000-0x00007FFDFDB80000-memory.dmp

          Filesize

          64KB

        • memory/3476-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3476-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

        • memory/3648-69-0x00007FFDDF060000-0x00007FFDDF193000-memory.dmp

          Filesize

          1.2MB

        • memory/3648-64-0x00007FFDDF060000-0x00007FFDDF193000-memory.dmp

          Filesize

          1.2MB

        • memory/3648-63-0x0000026E7C670000-0x0000026E7C677000-memory.dmp

          Filesize

          28KB

        • memory/4564-0-0x00007FFDEEF20000-0x00007FFDEF051000-memory.dmp

          Filesize

          1.2MB

        • memory/4564-39-0x00007FFDEEF20000-0x00007FFDEF051000-memory.dmp

          Filesize

          1.2MB

        • memory/4564-3-0x00000185390D0000-0x00000185390D7000-memory.dmp

          Filesize

          28KB