Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-01-2025 09:02
General
-
Target
JaffaCakes118_63fbef9c63dc9858707e03078f23f1ce.dll
-
Size
2.4MB
-
MD5
63fbef9c63dc9858707e03078f23f1ce
-
SHA1
3a3aa0a1c6663551ee8e05fc2e6b17942fa83b96
-
SHA256
11066c2e0a1b0fe58bc9584918054340aa58179a79a3c8c6da49c63801d8ff2a
-
SHA512
e812c268e67ee8eeb46d6d8b50ca00c26e8db4784f99c15edd083b3583d999a1e65ffd46d7af87069d854b62edc956a26fe5ffd80d295efb2dd5126d6ed56956
-
SSDEEP
12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex family
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63fbef9c63dc9858707e03078f23f1ce.dll1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\ApplySettingsTemplateCatalog.exeC:\Windows\system32\ApplySettingsTemplateCatalog.exe1⤵
-
C:\Users\Admin\AppData\Local\lIWVOCTZ\ApplySettingsTemplateCatalog.exeC:\Users\Admin\AppData\Local\lIWVOCTZ\ApplySettingsTemplateCatalog.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\AtBroker.exeC:\Windows\system32\AtBroker.exe1⤵
-
C:\Users\Admin\AppData\Local\AZqXZ\AtBroker.exeC:\Users\Admin\AppData\Local\AZqXZ\AtBroker.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\WFS.exeC:\Windows\system32\WFS.exe1⤵
-
C:\Users\Admin\AppData\Local\wWHZ\WFS.exeC:\Users\Admin\AppData\Local\wWHZ\WFS.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
90KB
MD530076e434a015bdf4c136e09351882cc
SHA1584c958a35e23083a0861421357405afd26d9a0c
SHA256ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd
SHA512675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024
-
Filesize
2.4MB
MD506eceee83689db16956efe8ea3e313a2
SHA16e2124c1bc9c1ecee408931a3051341df84afd04
SHA2564a76eacb082190e63028dca1ccefdab26fa656ebc429cbea0deffbcaa3ec8318
SHA51295a20cee6f63660499ef30ca2c41a33ed80f6d1d7f390c8efd27c76f8425b909de7702dea9d44e5d1cab8c1fa52dbef1418ddf3439672c6a5be3da9d3a037198
-
Filesize
2.4MB
MD56931831a701d1102cd1ffaa3b2336586
SHA164b42741077e1581af5ec9ee0e40d0f46e7ff722
SHA256ea0103f951ccb1f555911b4ef208f423b2d23048873e3c633c6df6e3c0ba0985
SHA512e3e4e7d1753c4ff7e830102938c29d18efd700e06fcf9bf519d029bd5571cf58d5003a1c226a047a4818e80f4335f5270d2ef6992f2d8cbf84026b1170b287c7
-
Filesize
1.1MB
MD513af41b1c1c53c7360cd582a82ec2093
SHA17425f893d1245e351483ab4a20a5f59d114df4e1
SHA256a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429
SHA512c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a
-
Filesize
2.4MB
MD53dc5ef63f6e2df851b933c459242e64f
SHA1c597159a84dc93e3d47c13d7b454ad69be8138a4
SHA256accdf6f22aee20c9db6bf9c3bcb226538141e11530fc7af59817416e669017d2
SHA512ca89059565cf42cceebcda0c4ea9c7cf21fcdf39e6d619c7508f649e1ef81cab4fa4b7dfea8418bd27b91d8433bbdbc9b69e0619e56f262a7b04ca40bf316938
-
Filesize
944KB
MD53cbc8d0f65e3db6c76c119ed7c2ffd85
SHA1e74f794d86196e3bbb852522479946cceeed7e01
SHA256e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4
SHA51226ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a
-
Filesize
1KB
MD5fa22f4d2e88d82c83637925b01cf0c46
SHA1501d50766cb37d9d077ee59ae69d9bf10ef4d666
SHA256a81982f86aa2d90a9b96fcf2e3d1fcdafa0fb22bde2b4ba5c0f2192f0a23c601
SHA5120099daf8ea924c788514248ee58677e89a931573f5f1efbe5c0869d9f853db3a81f26f0e0c3b8f6986ad981311b2a5e7784b86384f1e75f5cb4e7e55589c09a0
-
Filesize
28KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
28KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.4MB