Analysis
-
max time kernel
149s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
08-09-2024 08:28
General
-
Target
d3f216eeea37381852976689b9c537a8_JaffaCakes118.dll
-
Size
1.2MB
-
MD5
d3f216eeea37381852976689b9c537a8
-
SHA1
ba8d8d6b2319e53f8b58cf84376e15b214516aa4
-
SHA256
28fb620bc8c98c777202e2c78138149132c9f237f75832028a3c01fd3009398d
-
SHA512
ae12c4bbccd60faed5544f406f80c7be37a2aef001dd33d26069bea60d95a78b7c5807d188bcbc92e6ddbcff04584006c5a54013073dafadb0b3b9286966cb0c
-
SSDEEP
24576:/uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NN:B9cKrUqZWLAcUV
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d3f216eeea37381852976689b9c537a8_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4404,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:81⤵
-
C:\Windows\system32\dpapimig.exeC:\Windows\system32\dpapimig.exe1⤵
-
C:\Users\Admin\AppData\Local\nARmGTXfM\dpapimig.exeC:\Users\Admin\AppData\Local\nARmGTXfM\dpapimig.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\phoneactivate.exeC:\Windows\system32\phoneactivate.exe1⤵
-
C:\Users\Admin\AppData\Local\mLnqa\phoneactivate.exeC:\Users\Admin\AppData\Local\mLnqa\phoneactivate.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\Utilman.exeC:\Windows\system32\Utilman.exe1⤵
-
C:\Users\Admin\AppData\Local\xlV\Utilman.exeC:\Users\Admin\AppData\Local\xlV\Utilman.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5dd16c57b644561f6ff180a7703e4ac95
SHA170fdecb601b5609eb72c416d4e7ce4a9f98263d8
SHA256ceccccd96c665acae7e9d7b871c9cfbeb034d49bbc68b154b48989bb17fc67a6
SHA5126e0638dae4b5483ae6d18d8d16549d0efc2343bc7fd92fbfff9a25e0f97714a3cea050e061b930e0c8b6b20cfb34355feecf4937ee131edb7b2f7aa8937e03bc
-
Filesize
107KB
MD532c31f06e0b68f349f68afdd08e45f3d
SHA1e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c
SHA256cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017
SHA512fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26
-
Filesize
1.4MB
MD5e8ad24d94e7188bf2568801e3edb3d9a
SHA1edf8e90ae8cb5b469c7ded3049d0beef88a2d9cb
SHA256f03a5ee52650ceaa591bec871e39bde919012c0ed7d35354dd2fba821cc2c184
SHA512a36d59a842d79ef0918a3a3a925f63599fc3372da4a919b5ef901d99b63bc05c6d372bc226f75f6ff70f5e01e1f6e71f56ec507e5acbaa7f5ea1118042270a12
-
Filesize
76KB
MD5b6d6477a0c90a81624c6a8548026b4d0
SHA1e6eac6941d27f76bbd306c2938c0a962dbf1ced1
SHA256a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb
SHA51272ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe
-
Filesize
1.4MB
MD5de0d2068406cf8ec5b6318dd57a39f69
SHA117a577d712fc9baa97dd674cb909c94e9c5a6329
SHA25677d21aa8cf58d0b9363dc78b235b01cb4c651000fe0bfbb09b2be38f1b963cc2
SHA512da3a84ea9b2f60ae41156d49aebd760638fe83dcf7b18370d36f4f233b091b4af8e9e3df1d5a64b0f0916b646a6d4d9e4ced67565e4ee02fbf44dda394145fe7
-
Filesize
123KB
MD5a117edc0e74ab4770acf7f7e86e573f7
SHA15ceffb1a5e05e52aafcbc2d44e1e8445440706f3
SHA256b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37
SHA51272883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97
-
Filesize
1KB
MD513e7a48a36159f0f28bdad80ed4439b6
SHA150857ed48451a5d7a0dff1843720148fdf11221e
SHA256587f24b86c224bda6b37d6bd0672797f24f10e8566899168ba5acb61c0b65935
SHA512179774285324c49b741cfe080c3f70f68d5c8c739592239ee154fe77aadc44dcb093aaaac01e26ba2f02684bfa8948bad807943e082703c88399b52e9fdbf45c
-
Filesize
1.5MB
-
Filesize
28KB
-
Filesize
1.5MB
-
Filesize
28KB
-
Filesize
1.2MB
-
Filesize
28KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
28KB
-
Filesize
1.2MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
28KB