Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

15316c0e7c...18.dll

windows7-x64

10

15316c0e7c...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/07/2024, 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15316c0e7c8c689c67f3bef4cec0c488_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    15316c0e7c8c689c67f3bef4cec0c488

  • SHA1

    51e5cbc2766b3688c11533cb0cdb5796464c248d

  • SHA256

    4107c69a51675b589d7d1b9b32b7c3f4f245f25509538e8d546f5ceea0353aad

  • SHA512

    404c00a4274ff305cb7e12acde5115d91186fc5be83e1113824234a34541ef54102983a3f944377bae94ff20002d52d4772764674d9ac6d4c73f000ec96a03ce

  • SSDEEP

    24576:UuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N1e:M9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\15316c0e7c8c689c67f3bef4cec0c488_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2620
  • C:\Windows\system32\rdpshell.exe
    C:\Windows\system32\rdpshell.exe
    1⤵
      PID:2884
    • C:\Users\Admin\AppData\Local\rSjnFQgFB\rdpshell.exe
      C:\Users\Admin\AppData\Local\rSjnFQgFB\rdpshell.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:112
    • C:\Windows\system32\mfpmp.exe
      C:\Windows\system32\mfpmp.exe
      1⤵
        PID:4088
      • C:\Users\Admin\AppData\Local\XbHIVr\mfpmp.exe
        C:\Users\Admin\AppData\Local\XbHIVr\mfpmp.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2700
      • C:\Windows\system32\CameraSettingsUIHost.exe
        C:\Windows\system32\CameraSettingsUIHost.exe
        1⤵
          PID:2556
        • C:\Users\Admin\AppData\Local\FoOkj\CameraSettingsUIHost.exe
          C:\Users\Admin\AppData\Local\FoOkj\CameraSettingsUIHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4948

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\FoOkj\CameraSettingsUIHost.exe
          Filesize

          31KB

          MD5

          9e98636523a653c7a648f37be229cf69

          SHA1

          bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

          SHA256

          3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

          SHA512

          41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

          Download Submit

        • C:\Users\Admin\AppData\Local\FoOkj\DUI70.dll
          Filesize

          1.5MB

          MD5

          d4627eeec972cac108a444e7734ff4d5

          SHA1

          c302dbace47aa4d0ca5f716d442ea9082fb9604d

          SHA256

          0337d99c1cf6a950ba11d24afb3fe81300e69a78d9e7026fd0d7f00ef78de293

          SHA512

          03b2c3a1c2ff63d82f62784dd8ada180fa46a34f6818f666bff7b9487072c078168b9b2936ecbdd46752feda3ac7c463fa51b2545205aa0bfc59c9b64687d4fb

          Download Submit

        • C:\Users\Admin\AppData\Local\XbHIVr\MFPlat.DLL
          Filesize

          1.2MB

          MD5

          d146eb73696b5a407ec3efe7d9c1760b

          SHA1

          00be95be22f24184e7a32a2db554d2886fe4c011

          SHA256

          60bbd9c61f10009de4345cd7b1f3ce69c28e3fca5989beffcf7c96c79fb24289

          SHA512

          45310da444c4adc4873f20274a131846e25cace6a55c5adca8ac992fa974235476d672adb7aa76ec09f4b3a2f8785e63cd51446a97c8c7179873118e78303e8e

          Download Submit

        • C:\Users\Admin\AppData\Local\XbHIVr\mfpmp.exe
          Filesize

          46KB

          MD5

          8f8fd1988973bac0c5244431473b96a5

          SHA1

          ce81ea37260d7cafe27612606cf044921ad1304c

          SHA256

          27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

          SHA512

          a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

          Download Submit

        • C:\Users\Admin\AppData\Local\rSjnFQgFB\dwmapi.dll
          Filesize

          1.2MB

          MD5

          e9bd462e67a4f3cad3b89716b96ec689

          SHA1

          a2bbad2731d8ef43a8d7284033690d64f25b4943

          SHA256

          0e5980c82e93d44123c301794fce073433c426b5a6c9e87bf36c991a30c3abfe

          SHA512

          fa33dc7ee076e507eb817850777969dad7c8371a2f89f049f6c90472db30c64758e0acdaae384e69240c98159d1e26592045f1fd97fd43c089c9290fa409f08b

          Download Submit

        • C:\Users\Admin\AppData\Local\rSjnFQgFB\rdpshell.exe
          Filesize

          468KB

          MD5

          428066713f225bb8431340fa670671d4

          SHA1

          47f6878ff33317c3fc09c494df729a463bda174c

          SHA256

          da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

          SHA512

          292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rnqxvswjyjuqjvh.lnk
          Filesize

          1KB

          MD5

          583ccdc061e522a184cedfddc08d6ff5

          SHA1

          17756e949583d69cfe45c71321ebc81493279ac7

          SHA256

          2a843287e755aef43347896c9a95bd863d6654c83210a3db5718c103d70707fc

          SHA512

          7899995d363a298f40fbebd032150628532b74d9abee1e1ef65e650b131d5a7dc4478035aca368c8d099819ce1b161367b9f7f4517c4d1fc4c09d5b0fe0f0bd0

          Download Submit

        • memory/112-49-0x000002A245AA0000-0x000002A245AA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/112-46-0x00007FFC18E90000-0x00007FFC18FC8000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/112-52-0x00007FFC18E90000-0x00007FFC18FC8000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2620-0-0x00007FFC18E90000-0x00007FFC18FC7000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2620-39-0x00007FFC18E90000-0x00007FFC18FC7000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2620-3-0x0000000002620000-0x0000000002627000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2700-66-0x000001F6A7010000-0x000001F6A7017000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2700-63-0x00007FFC18E90000-0x00007FFC18FC9000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2700-69-0x00007FFC18E90000-0x00007FFC18FC9000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-33-0x0000000001080000-0x0000000001087000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3408-32-0x00007FFC2701A000-0x00007FFC2701B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3408-6-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-8-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-9-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-10-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-11-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-13-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-15-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-7-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-34-0x00007FFC274D0000-0x00007FFC274E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3408-36-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-24-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-16-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-14-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-12-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-4-0x0000000003090000-0x0000000003091000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4948-83-0x0000024FB6750000-0x0000024FB6757000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4948-86-0x00007FFC187C0000-0x00007FFC1893D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4948-80-0x00007FFC187C0000-0x00007FFC1893D000-memory.dmp

          Filesize

          1.5MB

          Download