Overview

overview

10

Static

static

3

85ca9b6e2d...18.dll

windows7-x64

10

85ca9b6e2d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-08-2024 10:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    85ca9b6e2d3628cea4badad665e74407_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    85ca9b6e2d3628cea4badad665e74407

  • SHA1

    951a6bd5f11a3e473a5e13b4cd9d76e1d8128fa5

  • SHA256

    09fb14c04c646802ded6085bf57fd6afd60d168d570cfed4db4ff7e820d0db72

  • SHA512

    b3fa6263f5fd2e72dd20b36100e2272cb823f899123525bb7176acfeb481aadde026ab5edf8163a51aba7236008cd3ec3aa3419f0d779052ed35b23975c1cd66

  • SSDEEP

    24576:QuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N9t:A9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\85ca9b6e2d3628cea4badad665e74407_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:556
  • C:\Windows\system32\Narrator.exe
    C:\Windows\system32\Narrator.exe
    1⤵
      PID:3764
    • C:\Users\Admin\AppData\Local\uxq\Narrator.exe
      C:\Users\Admin\AppData\Local\uxq\Narrator.exe
      1⤵
      • Executes dropped EXE
      PID:4208
    • C:\Windows\system32\PresentationHost.exe
      C:\Windows\system32\PresentationHost.exe
      1⤵
        PID:2656
      • C:\Users\Admin\AppData\Local\kRej\PresentationHost.exe
        C:\Users\Admin\AppData\Local\kRej\PresentationHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1332
      • C:\Windows\system32\Utilman.exe
        C:\Windows\system32\Utilman.exe
        1⤵
          PID:4124
        • C:\Users\Admin\AppData\Local\0BYvq\Utilman.exe
          C:\Users\Admin\AppData\Local\0BYvq\Utilman.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3064
        • C:\Windows\system32\wusa.exe
          C:\Windows\system32\wusa.exe
          1⤵
            PID:4624
          • C:\Users\Admin\AppData\Local\tRMR5GSV9\wusa.exe
            C:\Users\Admin\AppData\Local\tRMR5GSV9\wusa.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:3632

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\0BYvq\DUser.dll
            Filesize

            1.2MB

            MD5

            a8db0570ec9a56781a984816cb74ea38

            SHA1

            675bbef73d375aaa7b7fcd9ed73a346e6c77c6e8

            SHA256

            aa526e58c93f11a613eb535f8cdd5fb30bb0944be33f914a0a1fc0f52f3c8b44

            SHA512

            ca3b1d61826b7bec0bef223635c7cfc340dcb5bbb0d74e9cfac4b802c4c17d0cb60e8ae82edf350260e1dfccdef7d68c1bd8c3f8b9f714244700da2cd9d7cb5e

            Download Submit

          • C:\Users\Admin\AppData\Local\0BYvq\Utilman.exe
            Filesize

            123KB

            MD5

            a117edc0e74ab4770acf7f7e86e573f7

            SHA1

            5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

            SHA256

            b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

            SHA512

            72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

            Download Submit

          • C:\Users\Admin\AppData\Local\kRej\PresentationHost.exe
            Filesize

            276KB

            MD5

            ef27d65b92d89e8175e6751a57ed9d93

            SHA1

            7279b58e711b459434f047e9098f9131391c3778

            SHA256

            17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

            SHA512

            40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

            Download Submit

          • C:\Users\Admin\AppData\Local\kRej\VERSION.dll
            Filesize

            1.2MB

            MD5

            12d66d38ad30b3ade28eac3eac600744

            SHA1

            00cd45205f8f4c5c622e88451eb1679d9d5501ad

            SHA256

            31bb8825e75f791f752ba71b89455db3b286f44dc9482bd7f83d6476f4a3b43f

            SHA512

            96e6ca0319ae832f24a300d84224b1de14debb1938b965c5ae37d2b166ab4ff7cd9d412f0d09d6f06d008c8145253fbbc387cdff097a55885d7f9076b41919af

            Download Submit

          • C:\Users\Admin\AppData\Local\tRMR5GSV9\WTSAPI32.dll
            Filesize

            1.2MB

            MD5

            55e6052ec8ceb7b78d859537c5c2e623

            SHA1

            6c7f074a193691ed36b37e39dab457dc21e0f245

            SHA256

            58121de233d9e5a0009477deda694dc6c28d4d78ab867f5d382aeeebfe51fb59

            SHA512

            01358dae11bfa55ab77949086015e965cab73a0164f31f2251f3388aa1d2cebe76df56553e4567f92da8a7a89d262a74893163f0acd8f3c646fd1cbefd77b42f

            Download Submit

          • C:\Users\Admin\AppData\Local\tRMR5GSV9\wusa.exe
            Filesize

            309KB

            MD5

            e43499ee2b4cf328a81bace9b1644c5d

            SHA1

            b2b55641f2799e3fdb3bea709c9532017bbac59d

            SHA256

            3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

            SHA512

            04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

            Download Submit

          • C:\Users\Admin\AppData\Local\uxq\Narrator.exe
            Filesize

            521KB

            MD5

            d92defaa4d346278480d2780325d8d18

            SHA1

            6494d55b2e5064ffe8add579edfcd13c3e69fffe

            SHA256

            69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

            SHA512

            b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Sfbjsepzltomqmf.lnk
            Filesize

            1KB

            MD5

            f9202669d793d953764744638ec8740b

            SHA1

            e1f0b8c966bef44c4257b7f9ad006a89907adbee

            SHA256

            ccfe142113825ca70e084a87c38e74b629bdee82db74a38ca7d9a27595b7a8b1

            SHA512

            ca3f4cc86a181375608eab7ba7c67faf19d139ca3849fac044a541c3c0419d11fcca7ac699e6b8b24380ada6294177cad76569f780ab00e255c8d01b2cb238db

            Download Submit

          • memory/556-1-0x00007FFF51B60000-0x00007FFF51C91000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/556-39-0x00007FFF51B60000-0x00007FFF51C91000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/556-3-0x000001BB29800000-0x000001BB29807000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1332-60-0x00007FFF42F80000-0x00007FFF430B2000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1332-55-0x00007FFF42F80000-0x00007FFF430B2000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1332-54-0x00000180A71A0000-0x00000180A71A7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3064-71-0x00007FFF42E40000-0x00007FFF42F73000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3064-74-0x000001E17BA20000-0x000001E17BA27000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3064-77-0x00007FFF42E40000-0x00007FFF42F73000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-30-0x00000000006D0000-0x00000000006D7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3428-17-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-8-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-9-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-11-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-12-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-13-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-14-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-16-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-7-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-31-0x00007FFF60970000-0x00007FFF60980000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3428-36-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-25-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-15-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-10-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3428-4-0x0000000002470000-0x0000000002471000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3428-6-0x00007FFF5F72A000-0x00007FFF5F72B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3632-91-0x0000016AD5640000-0x0000016AD5647000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3632-94-0x00007FFF42FF0000-0x00007FFF43122000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3632-88-0x00007FFF42FF0000-0x00007FFF43122000-memory.dmp

            Filesize

            1.2MB

            Download