Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
04-12-2024 06:26
General
-
Target
c141b9a07b0399778d5fec3ef4752733_JaffaCakes118.dll
-
Size
808KB
-
MD5
c141b9a07b0399778d5fec3ef4752733
-
SHA1
160d66bde8bb5c86a215373c547503c3f9b8ee59
-
SHA256
0d13f2263bec1f51944342a3480bd51290abf1d96b31bdaad78202ead85bf179
-
SHA512
f83207a62afd8425f98943f7346a8517ca3f2e05863ae5c90d9bcc1004df19201a9ea27c68eedbe3422a5634804b0cddb83560a2354988fff2a5e341f0d84ba4
-
SSDEEP
12288:8dMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:OMIJxSDX3bqjhcfHk7MzH6z
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex family
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Dridex payload 10 IoCs
Detects Dridex x64 core DLL in memory.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 8 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c141b9a07b0399778d5fec3ef4752733_JaffaCakes118.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\VaultSysUi.exeC:\Windows\system32\VaultSysUi.exe1⤵
-
C:\Users\Admin\AppData\Local\4RLMcT0T\VaultSysUi.exeC:\Users\Admin\AppData\Local\4RLMcT0T\VaultSysUi.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\mfpmp.exeC:\Windows\system32\mfpmp.exe1⤵
-
C:\Users\Admin\AppData\Local\nhGb\mfpmp.exeC:\Users\Admin\AppData\Local\nhGb\mfpmp.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\rdpinit.exeC:\Windows\system32\rdpinit.exe1⤵
-
C:\Users\Admin\AppData\Local\RZ6gXk\rdpinit.exeC:\Users\Admin\AppData\Local\RZ6gXk\rdpinit.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
812KB
MD51f827d25a2f8058be1b2b7b7aa66fd79
SHA157616ea2fd156507545ad35146355c36c096c5d4
SHA256ddff5e2f1a85b723ece632305961ed7b1fa886bb0cb6ea42b706fe28f48b0755
SHA512af6d4656ce7d62e022b670018b488518f54a9dd10a562f4763ec63ad0c470b6799ad531313384f4f7c5549e39421875c128bb5cc646fe76592007a1836f6a2ad
-
Filesize
812KB
MD5901fa977d7157354d16a2a5872bf099e
SHA1e731dc98100aae02da93d320399a85638868e0b9
SHA256f7ccb348c20b8d8368e3b1f7b225a98b335a831ee4ff93a9f7abdefe4e113e8f
SHA5120aecbecede2cf04e22e1453637764f01e6b2498c04180bf20a3c3c74efceb0c82b994ba6d8c01cd3c749a89bc7f28d24dbad46f87da63f4ab825ccf741b377e9
-
Filesize
816KB
MD5fd01f1a4b5191abeb735daed7de1e9c1
SHA162788231f02c23edb324fde3753701adc9d3ee65
SHA256b580b8f889875658f81bc368f85d935021192849d81e66c65a449df09cd4561d
SHA512e6f5744f2fc8327999e9ac0c729ca01ca4075ba59af4ec04a1f336cd73dcaed7427e794608fedd877398ea5dc6f503653b90a2a1fb41d6e831353f42a357d08d
-
Filesize
1012B
MD509c481eb1ef6908dbb85fe79e67ad97d
SHA1f215675216ec6a3e769d35fe1c5c4969b7a017da
SHA256df6d028e7af4e43f560bd5b9a851117a51428dc1958389ed36c583bb4ee2d99e
SHA512e9ac9460802260473c9284389c7d6dc943895720dabf7fd5f4e031b1d477c8ef17e2b0da288d3a514aa749e481b244fa2b735f40453ef5cadeb96a685c4ac8fe
-
Filesize
39KB
MD5f40ef105d94350d36c799ee23f7fec0f
SHA1ee3a5cfe8b807e1c1718a27eb97fa134360816e3
SHA256eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2
SHA512f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1
-
Filesize
174KB
MD5664e12e0ea009cc98c2b578ff4983c62
SHA127b302c0108851ac6cc37e56590dd9074b09c3c9
SHA25600bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332
SHA512f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d
-
Filesize
24KB
MD52d8600b94de72a9d771cbb56b9f9c331
SHA1a0e2ac409159546183aa45875497844c4adb5aac
SHA2567d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
SHA5123aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
28KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
8KB
-
Filesize
808KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
28KB
-
Filesize
812KB
-
Filesize
808KB
-
Filesize
28KB
-
Filesize
808KB
-
Filesize
812KB
-
Filesize
28KB
-
Filesize
812KB
-
Filesize
816KB
-
Filesize
28KB
-
Filesize
816KB