Analysis
-
max time kernel
149s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
08-09-2024 15:42
General
-
Target
d4b352a768590a50e1a05ed9d448532f_JaffaCakes118.dll
-
Size
1.2MB
-
MD5
d4b352a768590a50e1a05ed9d448532f
-
SHA1
4523e3c1119bd266bd2a37e79891bac697394778
-
SHA256
3a73e3bcb1526fd55c631a34ac7496450411304463378d110c51e4fabf79974c
-
SHA512
830560117515b2a5173a6185588d9d68f97cfa640eea06b2aa3ec550b6fe61e10bd18955bd3b04a6a48fc12461a9474466cb341dee2b7cb416e37695fc276e7c
-
SSDEEP
24576:AyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:AyWRKTt/QlPVp3h9
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\d4b352a768590a50e1a05ed9d448532f_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\rdpclip.exeC:\Windows\system32\rdpclip.exe1⤵
-
C:\Users\Admin\AppData\Local\aLluv\rdpclip.exeC:\Users\Admin\AppData\Local\aLluv\rdpclip.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\RdpSaUacHelper.exeC:\Windows\system32\RdpSaUacHelper.exe1⤵
-
C:\Users\Admin\AppData\Local\xFKy7Lot\RdpSaUacHelper.exeC:\Users\Admin\AppData\Local\xFKy7Lot\RdpSaUacHelper.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\Magnify.exeC:\Windows\system32\Magnify.exe1⤵
-
C:\Users\Admin\AppData\Local\Q3316I9\Magnify.exeC:\Users\Admin\AppData\Local\Q3316I9\Magnify.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5e1ae100dfdb53d82baf99ec662befff0
SHA1d4a8f30a73a19b450ee08ee576bd2af2b108257c
SHA2563de93983f203a40817415e5a51ed81856c028f5fcdfd1d198a1d8b7d1f0040e6
SHA51299055bc6a6bc99dbabb4ad564282f20e8dbe3c303c9dce67d59ec7daf497080621e277600c273457792078f6d10bbcf622e9a616dd645beaaeeb83b5203d2ab0
-
Filesize
639KB
MD54029890c147e3b4c6f41dfb5f9834d42
SHA110d08b3f6dabe8171ca2dd52e5737e3402951c75
SHA25657137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d
SHA512dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d
-
Filesize
1.2MB
MD53235d65ced0190493132f97c26266b3e
SHA14023805df5d7680955d10e6821583472721817f0
SHA256f7b973c26aa9886f91568b54806bb0c91f5af81d8d1aa94f30383044fc15fef8
SHA5120952db6c83043ad87730a9facab5e1379128e651a4113f2510a8653dd1c6fd12a069dcf52ac4f42ef20e02e821302abb43ae30401c634c47f48bc7a1b0360c11
-
Filesize
446KB
MD5a52402d6bd4e20a519a2eeec53332752
SHA1129f2b6409395ef877b9ca39dd819a2703946a73
SHA2569d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308
SHA512632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e
-
Filesize
33KB
MD50d5b016ac7e7b6257c069e8bb40845de
SHA15282f30e90cbd1be8da95b73bc1b6a7d041e43c2
SHA2566a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
SHA512cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e
-
Filesize
1.2MB
MD50f71c635c90f3644c0cd348147017e5e
SHA115e23bf3e7b59570b94cce6a1c982511986113ff
SHA256c28bc38f811ed0e80057d89f8af9db1f14d0af8e7ef960d0c6a74c6d71e66179
SHA5124af4764e8e416d1ce2e2718c87b5edb43a53e70dcc187b2028a2abc433a1bdd624ae3de4657cd6778286e736389b080f0f1f87c510485a42d633a7dd91a67744
-
Filesize
1KB
MD5dbc89f1fbebcb038e2b6727964869d93
SHA1a8106f2266e506ab89d43e4f972aaad923f64ca6
SHA2569505af3d8fbf75f55e3194f5a42b68c1113c63eb1fef689d025e69f3d81ae1f8
SHA51293e4a512a161bc89e678262f395c8e97a529d14f7e6dd4789f74dda12f75f96ef0738432f663606953fdf71176ea969fb5cdac0966577aeb897fe8a319e675e9
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
28KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
28KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
28KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
1.2MB