Overview

overview

10

Static

static

3

28f9d2567f...18.dll

windows7-x64

10

28f9d2567f...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2024 22:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28f9d2567ff022f9487d72b412530ca6_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    28f9d2567ff022f9487d72b412530ca6

  • SHA1

    11c59d4f551d171cd7719f68018a5881be91f0dc

  • SHA256

    3d91e0a34af694a2c0dcecbf51e9aea69df32acfafa28e778f8136585c188a9b

  • SHA512

    6923bdeb098a1e1df22ffc683766fdb5c44b4b2e01acd6b2622886229efa1e1bc601f66426f5447cb16021e4502af31c09f0ea1f57e81c6221fb3d81e32f44d7

  • SSDEEP

    24576:WuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:W9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\28f9d2567ff022f9487d72b412530ca6_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1472
  • C:\Windows\system32\RDVGHelper.exe
    C:\Windows\system32\RDVGHelper.exe
    1⤵
      PID:2744
    • C:\Users\Admin\AppData\Local\Lx6yxoni\RDVGHelper.exe
      C:\Users\Admin\AppData\Local\Lx6yxoni\RDVGHelper.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2164
    • C:\Windows\system32\Utilman.exe
      C:\Windows\system32\Utilman.exe
      1⤵
        PID:1572
      • C:\Users\Admin\AppData\Local\HQ3\Utilman.exe
        C:\Users\Admin\AppData\Local\HQ3\Utilman.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2508
      • C:\Windows\system32\Dxpserver.exe
        C:\Windows\system32\Dxpserver.exe
        1⤵
          PID:2012
        • C:\Users\Admin\AppData\Local\M1WfpWE\Dxpserver.exe
          C:\Users\Admin\AppData\Local\M1WfpWE\Dxpserver.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2840

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\HQ3\DUI70.dll
          Filesize

          1.4MB

          MD5

          37a95773d7423c15d72df0e2b78d5b19

          SHA1

          05c57577faa91c9b00281fac7af1eca4b28a7bb7

          SHA256

          b344da94288a6e5b643ea272134fe22399c6e169a67235bb7e57d2d78df94b5c

          SHA512

          36577d962d67e47c08a52542c786244aa7621daf3519e20fe9fd4aa73db1dcf6fd4939addff4353ca70c825d6971c8b1b49fa2c81f9748371973f45ed992cde1

          Download Submit

        • C:\Users\Admin\AppData\Local\Lx6yxoni\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          1cf66486023dce5d5f1f41d00c66bd4f

          SHA1

          5dc2ec7eb6fc9b5acf497b90ae6e27f0211c0d08

          SHA256

          8342824484563bea2bba8329b76dd800f276411ac00fa365314f24bb14a74099

          SHA512

          b72c36347c8244e968c0cd2a9308bf59c2dde8e8c60773c903eb0a91113939bedf9a532d3fb318e12c5434ab51eaff466d024ba5df077b99c3f9302dd4d6f7f1

          Download Submit

        • C:\Users\Admin\AppData\Local\M1WfpWE\dwmapi.dll
          Filesize

          1.2MB

          MD5

          76baf560e8ae81bc75d4b7ce47978827

          SHA1

          010d3b21c815763de35b220d670f952b757ad891

          SHA256

          13b935c7143ab8d439d3d3f8614409227a2c45eaa74b9f024f4e5540830a4006

          SHA512

          0568cf91eca410870beec5f13b9a18bed6fcf02d44f8095f3bb74a91707f8d0b8fbb0ad9328723cda97d64fa8f7f874955fd88754e999847e07bd45c43e7d40c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Filabyuswgwl.lnk
          Filesize

          1KB

          MD5

          76a81ed3f3c5401bf01bda0e627fc4f7

          SHA1

          c020db4b790955440bd9bda025f68b357902a794

          SHA256

          3088db8798965c59bc50df36341e9e05205e9a8a6ee9cf79c188299a534aea03

          SHA512

          279342c0298e6df61b8c0dab2ee500154e46c614caf20239bf95d01a68e670d5400e3f2ee36b7ecdfcf07b9d0f28dd4ac15a9befada713ac35cd15ee2f233789

          Download Submit

        • \Users\Admin\AppData\Local\HQ3\Utilman.exe
          Filesize

          1.3MB

          MD5

          32c5ee55eadfc071e57851e26ac98477

          SHA1

          8f8d0aee344e152424143da49ce2c7badabb8f9d

          SHA256

          7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

          SHA512

          e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

          Download Submit

        • \Users\Admin\AppData\Local\Lx6yxoni\RDVGHelper.exe
          Filesize

          93KB

          MD5

          53fda4af81e7c4895357a50e848b7cfe

          SHA1

          01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

          SHA256

          62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

          SHA512

          dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

          Download Submit

        • \Users\Admin\AppData\Local\M1WfpWE\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • memory/1164-29-0x0000000077621000-0x0000000077622000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1164-23-0x00000000024F0000-0x00000000024F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1164-4-0x0000000077416000-0x0000000077417000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1164-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-34-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-33-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-5-0x0000000002510000-0x0000000002511000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1164-30-0x00000000777B0000-0x00000000777B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1164-26-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-68-0x0000000077416000-0x0000000077417000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1164-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1164-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1472-42-0x000007FEF6EE0000-0x000007FEF7011000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1472-1-0x000007FEF6EE0000-0x000007FEF7011000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1472-0-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2164-56-0x000007FEF7470000-0x000007FEF75A2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2164-50-0x000007FEF7470000-0x000007FEF75A2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2164-53-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2508-69-0x000007FEF6EB0000-0x000007FEF7015000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2508-72-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2508-75-0x000007FEF6EB0000-0x000007FEF7015000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2840-87-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2840-88-0x000007FEF6EE0000-0x000007FEF7012000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2840-93-0x000007FEF6EE0000-0x000007FEF7012000-memory.dmp

          Filesize

          1.2MB

          Download