Overview

overview

10

Static

static

3

166efc8a66...18.dll

windows7-x64

10

166efc8a66...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-05-2024 06:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    166efc8a667e3cfb33844e03296e97eb_JaffaCakes118.dll

  • Size

    986KB

  • MD5

    166efc8a667e3cfb33844e03296e97eb

  • SHA1

    bd5d5ea491654f42528d67a181b1f2cc69a13ce1

  • SHA256

    9a5fafe9f2709e56150afa4f94b4a157fd75ae0cbd85f3df661c912278392f7a

  • SHA512

    05124728e76803ccf20dcdbd3c3ba39f62b535997c9f5129a03fe8adf7b7f0b441d7402905728fd133a1a93fe7a7b4d152da242892564dc567abd95d4dd08a6e

  • SSDEEP

    24576:PVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:PV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\166efc8a667e3cfb33844e03296e97eb_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4180
  • C:\Windows\system32\Magnify.exe
    C:\Windows\system32\Magnify.exe
    1⤵
      PID:3720
    • C:\Users\Admin\AppData\Local\8MWFGrL\Magnify.exe
      C:\Users\Admin\AppData\Local\8MWFGrL\Magnify.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:796
    • C:\Windows\system32\phoneactivate.exe
      C:\Windows\system32\phoneactivate.exe
      1⤵
        PID:3516
      • C:\Users\Admin\AppData\Local\6SXey60\phoneactivate.exe
        C:\Users\Admin\AppData\Local\6SXey60\phoneactivate.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3808
      • C:\Windows\system32\sigverif.exe
        C:\Windows\system32\sigverif.exe
        1⤵
          PID:3108
        • C:\Users\Admin\AppData\Local\zDDhgY\sigverif.exe
          C:\Users\Admin\AppData\Local\zDDhgY\sigverif.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4012

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6SXey60\DUI70.dll
          Filesize

          1.2MB

          MD5

          5983f3a1baa8bac7634597faae85a73a

          SHA1

          1dd9642ec53c63923b0274e89c01412789dedea0

          SHA256

          c1171e2a9cab1ba738f83c42407b8aa430ec1d2a67c8c5cd5202888968cc438d

          SHA512

          4b72ec2ae3921fc436e03226363c185845a91e8ef421a4bd14f310a5d7e94d088d303a562a4c4c813927caa94ab6f56470503b09b2224f65ffd034ca925aca6a

          Download Submit
        • C:\Users\Admin\AppData\Local\6SXey60\phoneactivate.exe
          Filesize

          107KB

          MD5

          32c31f06e0b68f349f68afdd08e45f3d

          SHA1

          e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

          SHA256

          cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

          SHA512

          fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

          Download Submit
        • C:\Users\Admin\AppData\Local\8MWFGrL\MAGNIFICATION.dll
          Filesize

          987KB

          MD5

          d9613e8e57dc47e7a800073606f28ed3

          SHA1

          7fd33dc93881e2fe3477a13be1d80bc54aacad33

          SHA256

          1b568e5832177294e9ed3ace57c82eb393c742c7d5b58549366e2cf9bb1d9cf3

          SHA512

          0ac87dd4ebe28c910e89d8b00e1c40813c53a7f9042944003148eabcdfd6e6613f88cba954562aa4915c1aa397b3e5ecde7a02d5dd791dda4d3a79c4f26722ea

          Download Submit
        • C:\Users\Admin\AppData\Local\8MWFGrL\Magnify.exe
          Filesize

          639KB

          MD5

          4029890c147e3b4c6f41dfb5f9834d42

          SHA1

          10d08b3f6dabe8171ca2dd52e5737e3402951c75

          SHA256

          57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

          SHA512

          dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

          Download Submit
        • C:\Users\Admin\AppData\Local\zDDhgY\VERSION.dll
          Filesize

          987KB

          MD5

          2bfad24fa9fa628300d87420ff44a9dd

          SHA1

          f889d13dccca6f00d210829c4fe46984e327ef61

          SHA256

          ffd1a57aa023ff4f7d4a34b33d27ee32d2a0f224a2c40af852975180169b6f5c

          SHA512

          fb67ebc098e4f1c533c128ab6b38df39d487b8a5f07c296ae99a779485953d55a048d8d5762331609da2fd6a86b9b6d8330f306af0c98a71fd25dc370e9c46e9

          Download Submit
        • C:\Users\Admin\AppData\Local\zDDhgY\sigverif.exe
          Filesize

          77KB

          MD5

          2151a535274b53ba8a728e542cbc07a8

          SHA1

          a2304c0f2616a7d12298540dce459dd9ccf07443

          SHA256

          064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

          SHA512

          e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aibqacvbwgcfz.lnk
          Filesize

          1KB

          MD5

          0079d8caecf63d9c5ae0cf46a41be7f2

          SHA1

          d5cd685b31d34be0cd1be399a3ec5005e542b386

          SHA256

          c5a361a31549d6415dfa41faf9145028d90bcc6a93691009a2388e0c9929d4cf

          SHA512

          6182bfb11907422f79dc862f38e00c08e0954626c738f495779c91b9d02d3611c6567e9bd5d6e99a95982d1928690c937a37e7fe6c609513d8bc85d35139bc53

          Download Submit
        • memory/796-50-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/796-44-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/796-47-0x000002404B3D0000-0x000002404B3D7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3476-31-0x00007FFE4D17A000-0x00007FFE4D17B000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3476-9-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3476-7-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3476-6-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3476-4-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3476-34-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3476-12-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3476-8-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3476-10-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3476-11-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3476-13-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3476-32-0x0000000000B70000-0x0000000000B77000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3476-33-0x00007FFE4E0F0000-0x00007FFE4E100000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3476-22-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3808-69-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3808-66-0x0000020168330000-0x0000020168337000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3808-63-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/4012-85-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4180-0-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/4180-37-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/4180-3-0x0000023FE8E90000-0x0000023FE8E97000-memory.dmp
          Filesize

          28KB

          Download