Overview

overview

10

Static

static

3

8f968de65b...18.dll

windows7-x64

10

8f968de65b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-08-2024 17:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f968de65b229b07429e091da4f33aa3_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    8f968de65b229b07429e091da4f33aa3

  • SHA1

    1be38b944d34c04a4a16a28634facd8cc3e2111f

  • SHA256

    3dff0c924f277d23a655e417ad8ac99c91a0acb1c8cd28ace46edc1811051696

  • SHA512

    4c22f146a252308da05553ceb86384437fe1836c3c86bd1c0f8bfc5c5bdf60ee8549cd831b9088a4a6e4aa382144766816b718acf5804f83a1130d274f46f1e5

  • SSDEEP

    24576:DuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Ny:t9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8f968de65b229b07429e091da4f33aa3_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2072
  • C:\Windows\system32\ie4uinit.exe
    C:\Windows\system32\ie4uinit.exe
    1⤵
      PID:2940
    • C:\Users\Admin\AppData\Local\jle4n\ie4uinit.exe
      C:\Users\Admin\AppData\Local\jle4n\ie4uinit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2972
    • C:\Windows\system32\SystemPropertiesProtection.exe
      C:\Windows\system32\SystemPropertiesProtection.exe
      1⤵
        PID:3788
      • C:\Users\Admin\AppData\Local\ham\SystemPropertiesProtection.exe
        C:\Users\Admin\AppData\Local\ham\SystemPropertiesProtection.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2008
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        1⤵
          PID:1480
        • C:\Users\Admin\AppData\Local\GFXi\wermgr.exe
          C:\Users\Admin\AppData\Local\GFXi\wermgr.exe
          1⤵
          • Executes dropped EXE
          PID:2556
        • C:\Windows\system32\RdpSa.exe
          C:\Windows\system32\RdpSa.exe
          1⤵
            PID:3728
          • C:\Users\Admin\AppData\Local\9FwRj5uL\RdpSa.exe
            C:\Users\Admin\AppData\Local\9FwRj5uL\RdpSa.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:4736

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\9FwRj5uL\RdpSa.exe
            Filesize

            56KB

            MD5

            5992f5b5d0b296b83877da15b54dd1b4

            SHA1

            0d87be8d4b7aeada4b55d1d05c0539df892f8f82

            SHA256

            32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

            SHA512

            4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

            Download Submit

          • C:\Users\Admin\AppData\Local\9FwRj5uL\WINSTA.dll
            Filesize

            1.2MB

            MD5

            6b8996b641e1a65eb868ef0ca09a75ef

            SHA1

            3d0a11c68e833d28b3cf2bdbd4cf78110b7e59ce

            SHA256

            347aec2af183fbcdfb7a02d2cd9633c44cdf4a10bd8c7282e47d1c856e38eb6e

            SHA512

            e61f626ae9a5023603cb689c60446f64bd240f076624391058a06f034873448129848903c0fae57caffc36102205ec0d305f7251dc7560780410123052c965b2

            Download Submit

          • C:\Users\Admin\AppData\Local\GFXi\wermgr.exe
            Filesize

            223KB

            MD5

            f7991343cf02ed92cb59f394e8b89f1f

            SHA1

            573ad9af63a6a0ab9b209ece518fd582b54cfef5

            SHA256

            1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

            SHA512

            fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

            Download Submit

          • C:\Users\Admin\AppData\Local\ham\SYSDM.CPL
            Filesize

            1.2MB

            MD5

            0c308846b4e08e1631b2c4615204ea13

            SHA1

            547b5764f5396b0e74c158acc8aff3938e1f5a43

            SHA256

            347d2365c3c90efa69cbdb7c37fbb042e1b218466663afc8cdaf265c27e83340

            SHA512

            487a89cb81db8e7eccfa5013f4be190e1bc50d0ac1b8493816c71c2062bee82d5e60903110a0e3b8dc8ae9245f59d082c8861d3a4adfe32f08308048b11a846a

            Download Submit

          • C:\Users\Admin\AppData\Local\ham\SystemPropertiesProtection.exe
            Filesize

            82KB

            MD5

            26640d2d4fa912fc9a354ef6cfe500ff

            SHA1

            a343fd82659ce2d8de3beb587088867cf2ab8857

            SHA256

            a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

            SHA512

            26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

            Download Submit

          • C:\Users\Admin\AppData\Local\jle4n\VERSION.dll
            Filesize

            1.2MB

            MD5

            032aa5c656329bd9145a365226e86c02

            SHA1

            7f3d89e912d200a23205b28b60e216d06c0827a6

            SHA256

            276570ba6ca579f8e2458700636a8d5073573c33f3b090e71ed1597ba899bb30

            SHA512

            2417c2b03c79e26f30f13da143f8da82771867cc3a3fa4a6cf3c879f2b1c4bc2f48b802eaf278617e6de7165b63e4123cb1471fe7c00c015fb2630c7cc12101a

            Download Submit

          • C:\Users\Admin\AppData\Local\jle4n\ie4uinit.exe
            Filesize

            262KB

            MD5

            a2f0104edd80ca2c24c24356d5eacc4f

            SHA1

            8269b9fd9231f04ed47419bd565c69dc677fab56

            SHA256

            5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

            SHA512

            e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppmzgvduo.lnk
            Filesize

            1KB

            MD5

            99712f6901da858716c4bca4d4a11304

            SHA1

            b5538d6b4773fdba38a7ce42e47e435d5bbe5b7a

            SHA256

            a129d08708e81276e886fb084142e5e9ec24a0069bc7569afa8a3964a0c390ed

            SHA512

            1f290405fb997f48231c49e5ec8b77ffbdf6ef29bdd542c3c0637776b45fc6acfecbdf5b86fdc615e3c34954c71c92c51720eefa18ce9ebb2adfa59362a0d49a

            Download Submit

          • memory/2008-69-0x00007FF9485D0000-0x00007FF948707000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2008-66-0x000001C751630000-0x000001C751637000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2072-3-0x00000000013A0000-0x00000000013A7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2072-38-0x00007FF956560000-0x00007FF956696000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2072-1-0x00007FF956560000-0x00007FF956696000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2972-52-0x00007FF9485D0000-0x00007FF948707000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2972-47-0x0000023032260000-0x0000023032267000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2972-46-0x00007FF9485D0000-0x00007FF948707000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-34-0x00007FF965E10000-0x00007FF965E20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3532-33-0x0000000002CD0000-0x0000000002CD7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3532-14-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-8-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-9-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-11-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-12-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-15-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-16-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-7-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-35-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-24-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-13-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-10-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-4-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3532-6-0x00007FF965B6A000-0x00007FF965B6B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4736-93-0x00007FF9485D0000-0x00007FF948708000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4736-88-0x00007FF9485D0000-0x00007FF948708000-memory.dmp

            Filesize

            1.2MB

            Download