Overview

overview

10

Static

static

3

a07b656063...18.dll

windows7-x64

10

a07b656063...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-08-2024 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a07b656063b17069350a758375bf0e4a_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    a07b656063b17069350a758375bf0e4a

  • SHA1

    630f9abee5584c039c8853b254a8a3beb83022db

  • SHA256

    6a73321338957ab1a99d1baa1a556b9d50708f20fe34c981e48e16597a3a5119

  • SHA512

    22ebb45d8f5dab19b944a4d6b0bc3da307a13bb950b56f7c8a629fcde72277473fc988a849005c03a4dc150071d4647f762bebf0c1db3bce55dbc78ca3a76b12

  • SSDEEP

    24576:3uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N7:59cKrUqZWLAcUj

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a07b656063b17069350a758375bf0e4a_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1256
  • C:\Windows\system32\ProximityUxHost.exe
    C:\Windows\system32\ProximityUxHost.exe
    1⤵
      PID:2224
    • C:\Users\Admin\AppData\Local\4PWjXK\ProximityUxHost.exe
      C:\Users\Admin\AppData\Local\4PWjXK\ProximityUxHost.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2816
    • C:\Windows\system32\GamePanel.exe
      C:\Windows\system32\GamePanel.exe
      1⤵
        PID:2864
      • C:\Users\Admin\AppData\Local\rxV1u\GamePanel.exe
        C:\Users\Admin\AppData\Local\rxV1u\GamePanel.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2216
      • C:\Windows\system32\rdpshell.exe
        C:\Windows\system32\rdpshell.exe
        1⤵
          PID:1396
        • C:\Users\Admin\AppData\Local\enVhGS\rdpshell.exe
          C:\Users\Admin\AppData\Local\enVhGS\rdpshell.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:5064

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\4PWjXK\DUI70.dll
          Filesize

          1.4MB

          MD5

          fa003c6f3152146e1c68cd7938c1cbfa

          SHA1

          9f2828bf10d1ca4a2c18918079b1cde267967781

          SHA256

          b29a301ee1ea1a3c1c5a9e926ef48229dc550384548dcd8373da32933e23c578

          SHA512

          fe462fa1747ee4b37c3d9e4ce01412861853446d2d23fd3cc1d8210fc111aecb3a315e650f18b5cb3037a521fd54ea914afb2df9bdbef7a08bedcf9c68470054

          Download Submit

        • C:\Users\Admin\AppData\Local\4PWjXK\ProximityUxHost.exe
          Filesize

          263KB

          MD5

          9ea326415b83d77295c70a35feb75577

          SHA1

          f8fc6a4f7f97b242f35066f61d305e278155b8a8

          SHA256

          192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f

          SHA512

          2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

          Download Submit

        • C:\Users\Admin\AppData\Local\enVhGS\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          b68acdbbb6a6501134df2a5304b17ffd

          SHA1

          0849cb0c1b997a9433f5f931585c1635ee837171

          SHA256

          d00ad980d675bd736799f68de5709c2618b6fa8b2462366fcf11254fadc4a11f

          SHA512

          14975880761f2793e331ac0a6bd4409409cbbe3d22c343bb59cac83ec718f2a7092d3a06a7b2db220942dfe26d5224d4e0b7dd1dc38f09b0af59a957a61a4443

          Download Submit

        • C:\Users\Admin\AppData\Local\enVhGS\rdpshell.exe
          Filesize

          468KB

          MD5

          428066713f225bb8431340fa670671d4

          SHA1

          47f6878ff33317c3fc09c494df729a463bda174c

          SHA256

          da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

          SHA512

          292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

          Download Submit

        • C:\Users\Admin\AppData\Local\rxV1u\GamePanel.exe
          Filesize

          1.2MB

          MD5

          266f6a62c16f6a889218800762b137be

          SHA1

          31b9bd85a37bf0cbb38a1c30147b83671458fa72

          SHA256

          71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

          SHA512

          b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

          Download Submit

        • C:\Users\Admin\AppData\Local\rxV1u\dxgi.dll
          Filesize

          1.2MB

          MD5

          bd8f969dd921fa9d6a9435be35699124

          SHA1

          967a3d4918b09800dc806a5a629b0f714d25ab7d

          SHA256

          7f7a70c7af59950d5d6cf32c8fcee80c069548eb3f89781860312da37f519d0e

          SHA512

          41d0a1daa86768640d00902ea3215c3f25ba30a4eeb31e366ee398c215030d6e613b649805486c58ac6faa3769ff1c63f1c02f5b13df956fb3b9f4f9c60448ed

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk
          Filesize

          1KB

          MD5

          f176cbca9769e20925d29fd319092dfc

          SHA1

          09453b60a48eec0b64bdb42f0e907a42b148217d

          SHA256

          3a32498aeeb9686fefecbccc29ddd608a1844089f369edb5b73631ac8491525a

          SHA512

          8bec426be8b7cf30c5d2cee48330d5171acbfe6cf6455a290f1fb08a16c2902d5b2b201d5f183894d14894c1743c1984358611e3bece78efa661e9d503c4d2a3

          Download Submit

        • memory/1256-0-0x00007FFCD8290000-0x00007FFCD83C0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-38-0x00007FFCD8290000-0x00007FFCD83C0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-3-0x00000261C4100000-0x00000261C4107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2216-65-0x0000029636E00000-0x0000029636E07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2216-63-0x00007FFCC8220000-0x00007FFCC8351000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2216-69-0x00007FFCC8220000-0x00007FFCC8351000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2816-45-0x00007FFCC8060000-0x00007FFCC81D6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2816-51-0x00007FFCC8060000-0x00007FFCC81D6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2816-48-0x0000021867A60000-0x0000021867A67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3484-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3484-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3484-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3484-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3484-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3484-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3484-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3484-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3484-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3484-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3484-29-0x00000000087A0000-0x00000000087A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3484-30-0x00007FFCE6F10000-0x00007FFCE6F20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3484-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3484-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3484-4-0x00000000087C0000-0x00000000087C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3484-6-0x00007FFCE4FDA000-0x00007FFCE4FDB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5064-85-0x00007FFCC82C0000-0x00007FFCC83F1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5064-80-0x00007FFCC82C0000-0x00007FFCC83F1000-memory.dmp

          Filesize

          1.2MB

          Download