Overview

overview

10

Static

static

3

aa023b42d8...18.dll

windows7-x64

10

aa023b42d8...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-08-2024 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa023b42d8bfbb61dccb9678e890f5f9_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    aa023b42d8bfbb61dccb9678e890f5f9

  • SHA1

    4d4fa60f05778f0781f2bbb112bdeefd21846fe1

  • SHA256

    eb9493d24f510de451b6e489d2136c1eb086ec4fac12f87848a7b6ba57f7dffc

  • SHA512

    c375a14a25a7662b130bda2c4b9e24979c93bea59f29b4518f77780bf59accda028247591b60b8ad1ec6216cb45e6772df224ddc4d75e0c6ad040aa8f4770970

  • SSDEEP

    24576:juYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:N9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa023b42d8bfbb61dccb9678e890f5f9_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4476
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe
    1⤵
      PID:4268
    • C:\Users\Admin\AppData\Local\DTF\printfilterpipelinesvc.exe
      C:\Users\Admin\AppData\Local\DTF\printfilterpipelinesvc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4572
    • C:\Windows\system32\msconfig.exe
      C:\Windows\system32\msconfig.exe
      1⤵
        PID:2208
      • C:\Users\Admin\AppData\Local\q94lA0AjU\msconfig.exe
        C:\Users\Admin\AppData\Local\q94lA0AjU\msconfig.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2512
      • C:\Windows\system32\lpksetup.exe
        C:\Windows\system32\lpksetup.exe
        1⤵
          PID:2848
        • C:\Users\Admin\AppData\Local\WxsA18\lpksetup.exe
          C:\Users\Admin\AppData\Local\WxsA18\lpksetup.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4488

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\DTF\XmlLite.dll
          Filesize

          1.2MB

          MD5

          e9b1f199b317170e0605b96c51f378c5

          SHA1

          aa2dd0b9c267534e496abcaae8b5529972d950b8

          SHA256

          da6cd28680b8cc742cf54a78f47a0449ce7d97aadc637c61f631c3b689c4f35c

          SHA512

          6aa678faeb085a83796f33bf82b7efbb09a11fd35999618cd11ad5aa64a22f583087d046636d37ac9c057b46294c407defd138a35ba58415f079bac2f5219690

          Download Submit

        • C:\Users\Admin\AppData\Local\DTF\printfilterpipelinesvc.exe
          Filesize

          813KB

          MD5

          331a40eabaa5870e316b401bd81c4861

          SHA1

          ddff65771ca30142172c0d91d5bfff4eb1b12b73

          SHA256

          105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

          SHA512

          29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

          Download Submit

        • C:\Users\Admin\AppData\Local\WxsA18\dpx.dll
          Filesize

          1.2MB

          MD5

          bb38c39a9c8c194ca80d3fc09e9ef5ed

          SHA1

          40b2f551e76c0b748048beeff27b827dd9d1465b

          SHA256

          66a4dd27a1dcf49f4c63e1667ada8a1e7bb1861ca6b8457c59140dd9e28a0cbc

          SHA512

          67649dad890405689bb8511b3e81f8c80d740e64fef1576f4e26637c52fb039e3ed0decd1a56de9c8ee4f5bd443c5a7d11a734e25996f1a555e29ce739996dbc

          Download Submit

        • C:\Users\Admin\AppData\Local\WxsA18\lpksetup.exe
          Filesize

          728KB

          MD5

          c75516a32e0aea02a184074d55d1a997

          SHA1

          f9396946c078f8b0f28e3a6e21a97eeece31d13f

          SHA256

          cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22

          SHA512

          92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

          Download Submit

        • C:\Users\Admin\AppData\Local\q94lA0AjU\VERSION.dll
          Filesize

          1.2MB

          MD5

          f9799e359f7274c417ffde86c1ea106b

          SHA1

          b2cd9fc844583b466d54dd98e746fa941e14f314

          SHA256

          242b2ac570572c7891d0fde80cd696f1d8958c40f137d5969cac104ab49bac92

          SHA512

          d1dd7303167ad9fb043d91075eecd4fcfcd230018b4c15306082c7234c3288cba0921e0520d9fb7dc9614759cdf73c1c8df7b1ab24733f11fcf7a0d8639788f6

          Download Submit

        • C:\Users\Admin\AppData\Local\q94lA0AjU\msconfig.exe
          Filesize

          193KB

          MD5

          39009536cafe30c6ef2501fe46c9df5e

          SHA1

          6ff7b4d30f31186de899665c704a105227704b72

          SHA256

          93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

          SHA512

          95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk
          Filesize

          1KB

          MD5

          1624bc1506dc74bbb67bc879c0b03773

          SHA1

          0ad8dbcc8e2e7658194a89357b8420b0c96f63bc

          SHA256

          080e35afb9d5b8e9e11bf6b215481220504f30854f879b06807e2a5a207f4f8e

          SHA512

          b9f591674816c315bcd1601c6eedb4495a9ed95ebd575cc2e935136ef2cd68d24c7335518f28fff364fdbf5a02cd207a5d393fbedb7d8963be49344e64aba556

          Download Submit

        • memory/2512-71-0x00007FF8D1230000-0x00007FF8D1362000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2512-65-0x000001FA609D0000-0x000001FA609D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3404-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-34-0x0000000007A20000-0x0000000007A27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3404-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-4-0x0000000008610000-0x0000000008611000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-6-0x00007FF8EEA9A000-0x00007FF8EEA9B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-35-0x00007FF8EEEF0000-0x00007FF8EEF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3404-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4476-39-0x00007FF8E0C10000-0x00007FF8E0D41000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4476-3-0x000002CBC7550000-0x000002CBC7557000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4476-0-0x00007FF8E0C10000-0x00007FF8E0D41000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4488-87-0x00007FF8D1230000-0x00007FF8D1362000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4572-54-0x00007FF8D1230000-0x00007FF8D1362000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4572-51-0x00000229C3250000-0x00000229C3257000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4572-48-0x00007FF8D1230000-0x00007FF8D1362000-memory.dmp

          Filesize

          1.2MB

          Download