Overview

overview

10

Static

static

3

21f9325464...18.dll

windows7-x64

10

21f9325464...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21f932546446e084908765994b75052d_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    21f932546446e084908765994b75052d

  • SHA1

    ad0414dbc48e0ae9fe223b9645d5eed04faa9078

  • SHA256

    3652a2d2f0185a50473b526745a81a8e88e7fe64374ca9ebf6e5dbab1f0c580c

  • SHA512

    ab55c5c2b4c1622b9005f808693e7f9b1dc3de18296ddad3d11dfc50c1b0cf58b8bc78ca4833b643e4218174ac33a624f23e7a4eee5f801ce4adf04b3fe38ffd

  • SSDEEP

    24576:MuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:k9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\21f932546446e084908765994b75052d_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4860
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    1⤵
      PID:2396
    • C:\Users\Admin\AppData\Local\jiFqzLkU\sigverif.exe
      C:\Users\Admin\AppData\Local\jiFqzLkU\sigverif.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3312
    • C:\Windows\system32\wbengine.exe
      C:\Windows\system32\wbengine.exe
      1⤵
        PID:2424
      • C:\Users\Admin\AppData\Local\Dece\wbengine.exe
        C:\Users\Admin\AppData\Local\Dece\wbengine.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1000
      • C:\Windows\system32\Netplwiz.exe
        C:\Windows\system32\Netplwiz.exe
        1⤵
          PID:552
        • C:\Users\Admin\AppData\Local\AqF4\Netplwiz.exe
          C:\Users\Admin\AppData\Local\AqF4\Netplwiz.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4268

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\AqF4\NETPLWIZ.dll
          Filesize

          1.2MB

          MD5

          70ccf96c88e42c6821ad61252aec66da

          SHA1

          d6b3f949df1cdc2b603fa62d219a836854b70292

          SHA256

          b18161515e7d387a1da0a0740f289ae28e8c1de693d7432b2afd46ad2c1006b9

          SHA512

          b3aa686b1bbd9a408fcc0b26cac492e7bd492ce044feb5ee7e26328042f73e533c043c627f8b269fb634d97d8962d1b90dd60d2a0beb681091ad4733cfdf6046

          Download Submit

        • C:\Users\Admin\AppData\Local\AqF4\Netplwiz.exe
          Filesize

          40KB

          MD5

          520a7b7065dcb406d7eca847b81fd4ec

          SHA1

          d1b3b046a456630f65d482ff856c71dfd2f335c8

          SHA256

          8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d

          SHA512

          7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

          Download Submit

        • C:\Users\Admin\AppData\Local\Dece\wbengine.exe
          Filesize

          1.5MB

          MD5

          17270a354a66590953c4aac1cf54e507

          SHA1

          715babcc8e46b02ac498f4f06df7937904d9798d

          SHA256

          9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

          SHA512

          6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

          Download Submit

        • C:\Users\Admin\AppData\Local\Dece\wer.dll
          Filesize

          1.2MB

          MD5

          97dd1589863aa937ec5a0e89ce1641e5

          SHA1

          494b21d3a509d7a7a09dab5fc263a3069d8b33c0

          SHA256

          0939011d787ba8b2ae5dc981e9751803332e1a90432c4df273c1039a0ae61c0e

          SHA512

          936860d1c83d9e516e50c19ceafd74ca01b1ac9101f0de5537bf8a79c4ff29caf38255feb07d1bd38b6e48fd5b83e7f8e095d8ae585ed0bac42e1287f82a4a07

          Download Submit

        • C:\Users\Admin\AppData\Local\jiFqzLkU\VERSION.dll
          Filesize

          1.2MB

          MD5

          7392a02732c1d171b9fdfc5449d66d9f

          SHA1

          537e3ea0cb56beb5623958ce7bd6834d40dbb167

          SHA256

          6bdba0a9f0df29d4cb34be49c1d46f651619f39b59bc8025532768a75c76d2e9

          SHA512

          7d3c6826181d3b411f91c1d08e425a09db5df24560b49e80acfb9f8ae056263f3b358410d4d1aa1b5807888f08bc33b594a68e99f78e52d283fb68d498640c83

          Download Submit

        • C:\Users\Admin\AppData\Local\jiFqzLkU\sigverif.exe
          Filesize

          77KB

          MD5

          2151a535274b53ba8a728e542cbc07a8

          SHA1

          a2304c0f2616a7d12298540dce459dd9ccf07443

          SHA256

          064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

          SHA512

          e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Txrhelfambrw.lnk
          Filesize

          1KB

          MD5

          213c88e21d9da5e05d98ab090c5e6b80

          SHA1

          2b7fb83df36b788406faf1a7ff48a2f3e6d26508

          SHA256

          863093ac019ae34cce73012f2bf876af1c85406c01ef61f28c2a330872236066

          SHA512

          98bc25c03ee39fb2e7a8f01a1a681a0b83095b02f689c901ff6f12f7ae9fc701b5cef608eae078c6fb9509898ea7a2876c8437e649a933011d7077c950ee4224

          Download Submit

        • memory/1000-63-0x000001F0B4940000-0x000001F0B4947000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1000-64-0x00007FFE23350000-0x00007FFE23483000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1000-69-0x00007FFE23350000-0x00007FFE23483000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3312-52-0x00007FFE23350000-0x00007FFE23482000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3312-46-0x00007FFE23350000-0x00007FFE23482000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3312-49-0x000002122F8D0000-0x000002122F8D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3372-36-0x00007FFE415DA000-0x00007FFE415DB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3372-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3372-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3372-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3372-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3372-6-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3372-4-0x0000000002F10000-0x0000000002F11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3372-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3372-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3372-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3372-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3372-33-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3372-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3372-37-0x0000000002EF0000-0x0000000002EF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3372-38-0x00007FFE41C10000-0x00007FFE41C20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3372-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3372-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4268-85-0x00007FFE23350000-0x00007FFE23482000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4860-3-0x0000000002A30000-0x0000000002A37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4860-39-0x00007FFE245B0000-0x00007FFE246E1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4860-0-0x00007FFE245B0000-0x00007FFE246E1000-memory.dmp

          Filesize

          1.2MB

          Download