Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ade4242e8a...18.dll

windows7-x64

10

ade4242e8a...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/08/2024, 04:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ade4242e8a6dc97b07a8721c32f1e24b_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    ade4242e8a6dc97b07a8721c32f1e24b

  • SHA1

    9c9b2fd98d42b18fcf370261a1a333d5402491a1

  • SHA256

    7c3d1d4eb81a4963b448e3c15635cde7559bcdb2fbec800bfd5f852e6c6d7711

  • SHA512

    fdb6f2c28514da871fab214d9de9b7042dc966ff3967172648734c534c4577a7e67287c03498f5300783194152f30a56909daa8e84eaad19e580924f579ac079

  • SSDEEP

    24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ade4242e8a6dc97b07a8721c32f1e24b_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3228
  • C:\Windows\system32\phoneactivate.exe
    C:\Windows\system32\phoneactivate.exe
    1⤵
      PID:1972
    • C:\Users\Admin\AppData\Local\oBN3\phoneactivate.exe
      C:\Users\Admin\AppData\Local\oBN3\phoneactivate.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2888
    • C:\Windows\system32\dwm.exe
      C:\Windows\system32\dwm.exe
      1⤵
        PID:3184
      • C:\Users\Admin\AppData\Local\1fA4rQ\dwm.exe
        C:\Users\Admin\AppData\Local\1fA4rQ\dwm.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:800
      • C:\Windows\system32\Dxpserver.exe
        C:\Windows\system32\Dxpserver.exe
        1⤵
          PID:1068
        • C:\Users\Admin\AppData\Local\vNJGNfb\Dxpserver.exe
          C:\Users\Admin\AppData\Local\vNJGNfb\Dxpserver.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4192

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1fA4rQ\dwm.exe
          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

          Download Submit

        • C:\Users\Admin\AppData\Local\1fA4rQ\dxgi.dll
          Filesize

          1.2MB

          MD5

          cc372b56ec1ae5da7de2a378771380e3

          SHA1

          9b67b1cf4cde847269afbc48c7a043a5a3ca2edb

          SHA256

          40256d32b4d25556eb0adea543f99ee4f6b13d636f1a617f151a81e46cd4cab1

          SHA512

          d88011aabb791a11cd587bed21a4b75fe9261caf4d42a79aac178f66a1d677469b9f17deaf59c151c1fff38bc8452aabc1d0f6301ee0671eba05aa1acb5c00a1

          Download Submit

        • C:\Users\Admin\AppData\Local\oBN3\DUI70.dll
          Filesize

          1.4MB

          MD5

          f0664349c8237cd41b94168360314890

          SHA1

          35c2bacc0a5c3725cbdbdc7ffc5cf6b1dc41b26a

          SHA256

          5539fe8456012caf9c6993b11b4497157d2d5d8c887a51d62d0c8f81d944714b

          SHA512

          5067683d4fe9201ed40478b1b4fe93721e2b7cdac5b0eb3ed043707c9f1ccd8e26d503d2d02e149401233a8dfdeda98a7ff7aa755be0806505d880eaf82d04ad

          Download Submit

        • C:\Users\Admin\AppData\Local\oBN3\phoneactivate.exe
          Filesize

          107KB

          MD5

          32c31f06e0b68f349f68afdd08e45f3d

          SHA1

          e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

          SHA256

          cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

          SHA512

          fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

          Download Submit

        • C:\Users\Admin\AppData\Local\vNJGNfb\Dxpserver.exe
          Filesize

          310KB

          MD5

          6344f1a7d50da5732c960e243c672165

          SHA1

          b6d0236f79d4f988640a8445a5647aff5b5410f7

          SHA256

          b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

          SHA512

          73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

          Download Submit

        • C:\Users\Admin\AppData\Local\vNJGNfb\dwmapi.dll
          Filesize

          1.2MB

          MD5

          72538662fc59b3fe4339d7ab278fe22a

          SHA1

          170eae2711184c42dd94ea8785c3685fb0b3b4c8

          SHA256

          deb923a9cd9323b615ad6d58fea290d666d9de5e18a35fec1cf8f79af3cd2e0c

          SHA512

          2ee43e65143c79a6a073a463b201d15d45f846a3a89788bd2241802e0acc306b37c50ec7ea57484eca9e8eb9cbde6a4cdb5db732d6463ad089d90e62d087476b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppmzgvduo.lnk
          Filesize

          1KB

          MD5

          de942f30675eda9e1218211f60f6f7db

          SHA1

          8ac23dd106de8b0145833f2992cd6af40a07416c

          SHA256

          a343a5b2d9c36b9c8f6d355dff1f94f47bf45e6d29810eafc6a9b145001f053b

          SHA512

          24c38fbb4b89c4f9e35ed938937c26e2e488ba830e9885480c1c1d23c899dc1aaf53da1546018a5ee9dba6cdd35ee0d90fab38df3d1bff9b9f6bd3208bfc83e7

          Download Submit

        • memory/800-70-0x00007FFF68560000-0x00007FFF68691000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/800-67-0x00007FFF68560000-0x00007FFF68691000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/800-66-0x0000025BCB330000-0x0000025BCB337000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2888-48-0x000001F5B4590000-0x000001F5B4597000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2888-51-0x00007FFF67D70000-0x00007FFF67EE6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2888-45-0x00007FFF67D70000-0x00007FFF67EE6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3228-38-0x00007FFF77810000-0x00007FFF77940000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3228-0-0x00000239CA0E0000-0x00000239CA0E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3228-1-0x00007FFF77810000-0x00007FFF77940000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-28-0x0000000007330000-0x0000000007337000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3444-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-29-0x00007FFF86230000-0x00007FFF86240000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-4-0x00000000083F0000-0x00000000083F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-6-0x00007FFF8446A000-0x00007FFF8446B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4192-84-0x00007FFF68560000-0x00007FFF68691000-memory.dmp

          Filesize

          1.2MB

          Download