Analysis Overview
SHA256
3c08465a1453b7ae0a91858ca433f0670e11e769daaff2dd43cac6edc3fc0479
Threat Level: Known bad
The file a3b18c467e1d9e43ba85a2ccdcfaf83d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Dridex
Sets file to hidden
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Delays execution with timeout.exe
Modifies registry class
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 18:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 18:42
Reported
2024-08-17 18:45
Platform
win7-20240705-en
Max time kernel
68s
Max time network
123s
Command Line
Signatures
Dridex
Sets file to hidden
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\XIU\configurate\PLS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Report-24Sept.2020.scr | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\XIU\configurate\PLS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Report-24Sept.2020.scr
"C:\Users\Admin\AppData\Local\Temp\Report-24Sept.2020.scr" /S
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\XIU\configurate\selector.vbs" /f=CREATE_NO_WINDOW install.cmd
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\XIU\configurate\dsep.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\XIU\configurate\PLS.exe
"PLS.exe" e -pVersion hl.rar
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\XIU\configurate\fatless.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\XIU\configurate\lll.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\XIU"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -s CONFIG.dll
Network
Files
C:\XIU\configurate\selector.vbs
| MD5 | 9cce3084f1850c3be989cc47fab4ee71 |
| SHA1 | e490f01a46f85c155c2848affda6d2c7b0791c8b |
| SHA256 | 332462b21eed1bcbd9c198851e28b789893628410e7268ddc022a40e2f7f94c1 |
| SHA512 | 30cc59e8e1a5b20a1c59bb437dc96cf65f7bbfa798617a77a613ae89012be78bda38c51278411ba511a7058eaca728e160a0d6d29f5defaeafa4dc7f64458f88 |
C:\XIU\configurate\dsep.bat
| MD5 | 9318a04c2d4d80719382a7e73c28736b |
| SHA1 | ddb5096d2841b575a941ecaf79fee8e2365563ae |
| SHA256 | db74d354ad34fa9a0dafd9b846574855b480590ebf06879d87844060cf50ff4b |
| SHA512 | 0dd33ebf730e77a1d55996b14a560f1584e17e55e5a6efdedd3bce2ecdd0e7f892c9ae2b4bef8ee68a723ef9d02717e9f9fb3939f1b95cacaeacd29b28e70717 |
C:\XIU\configurate\SLP.txt
| MD5 | 24fdf4791a3efa0178e677b0e03c12b1 |
| SHA1 | f5f45b8c35cf303eff77aa1fbe02e9bd4318c7d7 |
| SHA256 | 6740389c8266848199851648c4228df7401dd30c8dec89ab7827f1bec7ab522b |
| SHA512 | f9b71717cdd61a9539dd93267f4d039e0de7dd8933b9f63679466a881884b06ccdc666d27bb6b9909127101a63879b33a1165a83fff9d6ce3009ed5e7b97b6da |
C:\XIU\configurate\PLS.exe
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
C:\XIU\configurate\fatless.vbs
| MD5 | 75214af723ca4720e0aa365eb3ef6f5b |
| SHA1 | a6b73a92246cd3b857e32e2a8a26ee8fc52fdcb4 |
| SHA256 | 06d4a788d4c91c141b933199826ac3b4df8d6027f818fc2b198043773ea132e4 |
| SHA512 | 91b7752a63e694641f17187cdb8e1a7876eda195f3070d6fee210b6210e2897833bc08b770db6e82cfec7a99e3fae5c01588872eb2aa60dccdc4064363f54c58 |
C:\XIU\configurate\lll.bat
| MD5 | 70c1b14895a29502d3e94e395606f82d |
| SHA1 | a02fff1f3a0c1c8ff5453a5de715cbe5ba227185 |
| SHA256 | b449d3d5b476b1a53bbe6b5d6fef93e89d8456450e84b1c349237c6a8df3b65d |
| SHA512 | 8f9a8975124738b7a5ad1e0d92549f45a06c6efa8fac7d3c07ce16399a6aeed5644c14bf56cec56c83a293835cfb994a99d3e75dc5e9ea7f41e9e354760f742c |
C:\XIU\configurate\CONFIG.dll
| MD5 | 031f318c8ab815cda0d447904a925cf7 |
| SHA1 | 2bbca22cb0355f1ad4acedd9dd69ebaaeddf6b9e |
| SHA256 | 9492c6842475059a6af7f4b8c42e03944f08938243fa393713a5a6a930d79bcd |
| SHA512 | 519a54859e82861cf3f73b3a6ac400b57bd560a53867b8396aa8c286a5ee4e675c75c3f80ddc0cb4e0ef80300ada6b4e985bd4bb73bdc8d1c56a673240a83c4d |
memory/2664-41-0x0000000074680000-0x00000000746D1000-memory.dmp
memory/2664-43-0x0000000074680000-0x00000000746D1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 18:42
Reported
2024-08-17 18:45
Platform
win10v2004-20240802-en
Max time kernel
72s
Max time network
151s
Command Line
Signatures
Dridex
Sets file to hidden
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Report-24Sept.2020.scr | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\XIU\configurate\PLS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Report-24Sept.2020.scr | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\XIU\configurate\PLS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Report-24Sept.2020.scr | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Report-24Sept.2020.scr
"C:\Users\Admin\AppData\Local\Temp\Report-24Sept.2020.scr" /S
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\XIU\configurate\selector.vbs" /f=CREATE_NO_WINDOW install.cmd
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\XIU\configurate\dsep.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\XIU\configurate\PLS.exe
"PLS.exe" e -pVersion hl.rar
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\XIU\configurate\fatless.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\XIU\configurate\lll.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\XIU"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -s CONFIG.dll
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\XIU\configurate\selector.vbs
| MD5 | 9cce3084f1850c3be989cc47fab4ee71 |
| SHA1 | e490f01a46f85c155c2848affda6d2c7b0791c8b |
| SHA256 | 332462b21eed1bcbd9c198851e28b789893628410e7268ddc022a40e2f7f94c1 |
| SHA512 | 30cc59e8e1a5b20a1c59bb437dc96cf65f7bbfa798617a77a613ae89012be78bda38c51278411ba511a7058eaca728e160a0d6d29f5defaeafa4dc7f64458f88 |
C:\XIU\configurate\dsep.bat
| MD5 | 9318a04c2d4d80719382a7e73c28736b |
| SHA1 | ddb5096d2841b575a941ecaf79fee8e2365563ae |
| SHA256 | db74d354ad34fa9a0dafd9b846574855b480590ebf06879d87844060cf50ff4b |
| SHA512 | 0dd33ebf730e77a1d55996b14a560f1584e17e55e5a6efdedd3bce2ecdd0e7f892c9ae2b4bef8ee68a723ef9d02717e9f9fb3939f1b95cacaeacd29b28e70717 |
C:\XIU\configurate\SLP.txt
| MD5 | 24fdf4791a3efa0178e677b0e03c12b1 |
| SHA1 | f5f45b8c35cf303eff77aa1fbe02e9bd4318c7d7 |
| SHA256 | 6740389c8266848199851648c4228df7401dd30c8dec89ab7827f1bec7ab522b |
| SHA512 | f9b71717cdd61a9539dd93267f4d039e0de7dd8933b9f63679466a881884b06ccdc666d27bb6b9909127101a63879b33a1165a83fff9d6ce3009ed5e7b97b6da |
C:\XIU\configurate\PLS.exe
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
C:\XIU\configurate\fatless.vbs
| MD5 | 75214af723ca4720e0aa365eb3ef6f5b |
| SHA1 | a6b73a92246cd3b857e32e2a8a26ee8fc52fdcb4 |
| SHA256 | 06d4a788d4c91c141b933199826ac3b4df8d6027f818fc2b198043773ea132e4 |
| SHA512 | 91b7752a63e694641f17187cdb8e1a7876eda195f3070d6fee210b6210e2897833bc08b770db6e82cfec7a99e3fae5c01588872eb2aa60dccdc4064363f54c58 |
C:\XIU\configurate\lll.bat
| MD5 | 70c1b14895a29502d3e94e395606f82d |
| SHA1 | a02fff1f3a0c1c8ff5453a5de715cbe5ba227185 |
| SHA256 | b449d3d5b476b1a53bbe6b5d6fef93e89d8456450e84b1c349237c6a8df3b65d |
| SHA512 | 8f9a8975124738b7a5ad1e0d92549f45a06c6efa8fac7d3c07ce16399a6aeed5644c14bf56cec56c83a293835cfb994a99d3e75dc5e9ea7f41e9e354760f742c |
C:\XIU\configurate\CONFIG.dll
| MD5 | 031f318c8ab815cda0d447904a925cf7 |
| SHA1 | 2bbca22cb0355f1ad4acedd9dd69ebaaeddf6b9e |
| SHA256 | 9492c6842475059a6af7f4b8c42e03944f08938243fa393713a5a6a930d79bcd |
| SHA512 | 519a54859e82861cf3f73b3a6ac400b57bd560a53867b8396aa8c286a5ee4e675c75c3f80ddc0cb4e0ef80300ada6b4e985bd4bb73bdc8d1c56a673240a83c4d |
memory/4980-26-0x0000000073390000-0x00000000733E1000-memory.dmp
memory/4980-28-0x0000000073390000-0x00000000733E1000-memory.dmp