Overview

overview

10

Static

static

3

9c2ea8a66a...18.dll

windows7-x64

10

9c2ea8a66a...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-08-2024 00:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9c2ea8a66ae300767e59b45a8143a82d_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    9c2ea8a66ae300767e59b45a8143a82d

  • SHA1

    b4fa6eed05c8f92dad7e9eb45da03913ea5bfccb

  • SHA256

    517a906ea67b39b318993c2340fd67b5a0ff00bc486d77fdd7afeb99e5029234

  • SHA512

    a1a7c8ce64099d60e7c0153d2228af875097df0552b4c82f16d5beac058adb109a5e6cffef02e1317a5d82c0781e61117c06d8414635c5d0eec12b9eb500345d

  • SSDEEP

    24576:HuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:p9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9c2ea8a66ae300767e59b45a8143a82d_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3208
  • C:\Windows\system32\WFS.exe
    C:\Windows\system32\WFS.exe
    1⤵
      PID:2452
    • C:\Users\Admin\AppData\Local\4zZyxtHp\WFS.exe
      C:\Users\Admin\AppData\Local\4zZyxtHp\WFS.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4180
    • C:\Windows\system32\Narrator.exe
      C:\Windows\system32\Narrator.exe
      1⤵
        PID:3288
      • C:\Users\Admin\AppData\Local\g56zo\Narrator.exe
        C:\Users\Admin\AppData\Local\g56zo\Narrator.exe
        1⤵
        • Executes dropped EXE
        PID:232
      • C:\Windows\system32\SystemSettingsRemoveDevice.exe
        C:\Windows\system32\SystemSettingsRemoveDevice.exe
        1⤵
          PID:3932
        • C:\Users\Admin\AppData\Local\ShEMP\SystemSettingsRemoveDevice.exe
          C:\Users\Admin\AppData\Local\ShEMP\SystemSettingsRemoveDevice.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4824
        • C:\Windows\system32\wbengine.exe
          C:\Windows\system32\wbengine.exe
          1⤵
            PID:4700
          • C:\Users\Admin\AppData\Local\rq6Yvs\wbengine.exe
            C:\Users\Admin\AppData\Local\rq6Yvs\wbengine.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:3516

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\4zZyxtHp\MFC42u.dll
            Filesize

            1.2MB

            MD5

            cda4b4f7f11aa924cf26c30f5ebc6f33

            SHA1

            6fc3efd4670aedfe2636d323b0b452693620e8db

            SHA256

            7e5771ec86d371a8e7b16052acc5638d89487d9c70ce45832a74b2ab626a0f98

            SHA512

            7d1d0d85fe39c778610e8fd3cd3ddfc559f74bc427022950e84d77262a2331ce46d06dd6318b98dc6cbc60b561a7c264721f597f9330c659b8b859ac368e8172

            Download Submit

          • C:\Users\Admin\AppData\Local\4zZyxtHp\WFS.exe
            Filesize

            944KB

            MD5

            3cbc8d0f65e3db6c76c119ed7c2ffd85

            SHA1

            e74f794d86196e3bbb852522479946cceeed7e01

            SHA256

            e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

            SHA512

            26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

            Download Submit

          • C:\Users\Admin\AppData\Local\ShEMP\DUI70.dll
            Filesize

            1.5MB

            MD5

            bc7b8ee3743ac463cbf38bb16b6aafbf

            SHA1

            3f2bfa5b4b509a551a3c04b2ada3852773b3d8d5

            SHA256

            b634b1b56312568054fbf457d36a2d969e82af76d3ef6b81d8794644dcb524d2

            SHA512

            6c0099a14f3caa9e74a27d86d7d4062cdc99cffafa70c99e3ed2db5ae88ffbdd8559fb24d287ef90119e659bab3ad8089154adc5dd1e0036145607dbaf58a898

            Download Submit

          • C:\Users\Admin\AppData\Local\ShEMP\SystemSettingsRemoveDevice.exe
            Filesize

            39KB

            MD5

            7853f1c933690bb7c53c67151cbddeb0

            SHA1

            d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

            SHA256

            9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

            SHA512

            831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

            Download Submit

          • C:\Users\Admin\AppData\Local\g56zo\Narrator.exe
            Filesize

            521KB

            MD5

            d92defaa4d346278480d2780325d8d18

            SHA1

            6494d55b2e5064ffe8add579edfcd13c3e69fffe

            SHA256

            69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

            SHA512

            b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

            Download Submit

          • C:\Users\Admin\AppData\Local\rq6Yvs\SPP.dll
            Filesize

            1.2MB

            MD5

            4e49bc9fac03079e7ff0943905d7a7fc

            SHA1

            8d968472a639cda956f9185d03f0a5581c05583c

            SHA256

            b21c38a42df352017190860e37e67ccb14fd151f50c51bd3608620615382b4fb

            SHA512

            88e8540fb4436f7d9dd23b207bbefda131e812f4f6826425a8ebeb24df1b0a5c968b22b21d3b69240d2f6a26f426948bfc1495d04f1da75ee2f66deb7b387695

            Download Submit

          • C:\Users\Admin\AppData\Local\rq6Yvs\wbengine.exe
            Filesize

            1.5MB

            MD5

            17270a354a66590953c4aac1cf54e507

            SHA1

            715babcc8e46b02ac498f4f06df7937904d9798d

            SHA256

            9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

            SHA512

            6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk
            Filesize

            1005B

            MD5

            abd2d02dc9dabd84683a5e0997d7d146

            SHA1

            6ee60ed63f0b2469d71fc234da2db2ce4027a1b9

            SHA256

            074f08759acbd25cf87686cca0cdf56fcdbbc2e905ed393a6111a3b4cbddab2d

            SHA512

            a10be36c854b4617007748680bd57460d0d4fb615fa6957db8e9e9df45135e025df275a0056c90f1aa9efbe72ac635f3448afb36f170653b808eab7733b9ded0

            Download Submit

          • memory/3208-38-0x00007FFED33D0000-0x00007FFED3506000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3208-3-0x00007FFEE1B10000-0x00007FFEE1D05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/3208-0-0x00007FFED33D0000-0x00007FFED3506000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3208-39-0x00007FFEE1B10000-0x00007FFEE1D05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/3516-93-0x00007FFEC43E0000-0x00007FFEC4517000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3516-88-0x00007FFEC43E0000-0x00007FFEC4517000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-29-0x0000000000A90000-0x0000000000A97000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3552-35-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-7-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-4-0x0000000002830000-0x0000000002831000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3552-11-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-12-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-24-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-16-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-15-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-14-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-13-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-8-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-30-0x00007FFEE1AF0000-0x00007FFEE1B00000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3552-9-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-6-0x00007FFEE063A000-0x00007FFEE063B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3552-10-0x0000000140000000-0x0000000140136000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4180-52-0x00007FFEC43E0000-0x00007FFEC451D000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4180-49-0x0000019485710000-0x0000019485717000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4180-46-0x00007FFEC43E0000-0x00007FFEC451D000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4824-77-0x00007FFEC43A0000-0x00007FFEC451C000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4824-71-0x00007FFEC43A0000-0x00007FFEC451C000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4824-74-0x0000020F07020000-0x0000020F07027000-memory.dmp

            Filesize

            28KB

            Download