Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
15-09-2024 00:28
General
-
Target
e157bb91f2fe1d353eb5416732647237_JaffaCakes118.dll
-
Size
1.2MB
-
MD5
e157bb91f2fe1d353eb5416732647237
-
SHA1
89e00be7c80f2e9a47d4d40c578163dfb13da2ed
-
SHA256
07467eba6149f24096c0c3e26ac1cdeac1fe9757de8eef09f7083561c56e3557
-
SHA512
58f7e5943ce2110cf4cdaa3a5d28d3c60a4d28d0b0125ccd88f3ef0579c9fde66402921c4a5f5906426ba0614a4887b83fae04b1b4edc8b48f1a5273edf6398d
-
SSDEEP
24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NB:F9cKrUqZWLAcUZ
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e157bb91f2fe1d353eb5416732647237_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\OptionalFeatures.exeC:\Windows\system32\OptionalFeatures.exe1⤵
-
C:\Users\Admin\AppData\Local\NRXL5usV0\OptionalFeatures.exeC:\Users\Admin\AppData\Local\NRXL5usV0\OptionalFeatures.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\mspaint.exeC:\Windows\system32\mspaint.exe1⤵
-
C:\Users\Admin\AppData\Local\r4ctA9dAF\mspaint.exeC:\Users\Admin\AppData\Local\r4ctA9dAF\mspaint.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\DisplaySwitch.exeC:\Windows\system32\DisplaySwitch.exe1⤵
-
C:\Users\Admin\AppData\Local\BM3E\DisplaySwitch.exeC:\Users\Admin\AppData\Local\BM3E\DisplaySwitch.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD52757af9d3d08970034d4ed32655aa204
SHA1766c368219c09c1c104f0583b901884027bf3f82
SHA256889c346e9a77f188d5f4b505763dce9807ea54ace06b5f8934c60de43a6de06b
SHA512f163131a113203a44958891d8ab98c0ed775fc3a7c769c49fd8d8e5a3170bba3b39598b33a36d6771baf15970cbef193977d0cedca2b67cd304186de22527ee2
-
Filesize
1.2MB
MD56cc61dfb82f8ecc8b2f6cf49c8589bac
SHA1ad9d780870308b956576195b1ee4c192e765114a
SHA25681b644fd9dbffac9b26987087e4abaa25e3d526931b2d6299bf95056deaffb92
SHA512157cb286c1101bb61b5c248ed7fb57937b8f671ddfaf90a696bacd2b01881a908638e501ceda955ade9cca65212663050b6128facd8056efca0fb327431b8dc4
-
Filesize
1.2MB
MD5f98220d129b953c3faa692506965c403
SHA1f41d427e898a8a8c2f8c97da62be42ec83b40895
SHA256f544b59de6d699b82567ae5909384b9157ea280de3f835435bffd050a2650bb7
SHA5128b17dddbfa3dbce6a67d84f6659bafe8ad01a47e25aaeb48d53bd0d1caff484ba234817c74238b5184d6b3aab5ee3d921a709b86666124dd580b2aa55b14d67b
-
Filesize
1KB
MD5536d30c2c58161d738600dc587d973f6
SHA1f3671842c32ddd75521349241dcf0d7d6121ca91
SHA256515a08981edca8e4dce0db4388f0ada4a24f5eb27d4f29fceb273c6ceafa85a3
SHA512e09f1865e1a5a7fc1cb7a477af3b67a150ac4b56a6c79c48746736813a868efccc1afca048ea94e4b5bf61c66cfed4f75f69c25eca9fbf8736f79e4b26af6bd3
-
Filesize
517KB
MD5b795e6138e29a37508285fc31e92bd78
SHA1d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a
SHA25601a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659
SHA5128312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1
-
Filesize
95KB
MD5eae7af6084667c8f05412ddf096167fc
SHA10dbe8aba001447030e48e8ad5466fd23481e6140
SHA25601feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
SHA512172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d
-
Filesize
6.4MB
MD5458f4590f80563eb2a0a72709bfc2bd9
SHA13f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6
SHA256ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f
SHA512e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
28KB