Overview

overview

10

Static

static

3

cf87a56aaa...18.dll

windows7-x64

10

cf87a56aaa...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/09/2024, 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf87a56aaa2dc88e7682b33d3a6e10a1_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    cf87a56aaa2dc88e7682b33d3a6e10a1

  • SHA1

    51de1ac388a07d0c3a25e3ee0a807a62e5494b10

  • SHA256

    5a38c0f8a4964449b78f6d1a7e9685cbf59f04951226ba93e772db38f3709fc6

  • SHA512

    cc2729ba0baf0e0ddca898d028557136829b317d06c962e1c02f90af7227aa15fac0979c473cfa3b19d70b9aca9382656522a008ad243628e9124c89dc5331d9

  • SSDEEP

    24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf87a56aaa2dc88e7682b33d3a6e10a1_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1500
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4384,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
    1⤵
      PID:1184
    • C:\Windows\system32\RdpSaUacHelper.exe
      C:\Windows\system32\RdpSaUacHelper.exe
      1⤵
        PID:4516
      • C:\Users\Admin\AppData\Local\znR\RdpSaUacHelper.exe
        C:\Users\Admin\AppData\Local\znR\RdpSaUacHelper.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2564
      • C:\Windows\system32\rdpinit.exe
        C:\Windows\system32\rdpinit.exe
        1⤵
          PID:2388
        • C:\Users\Admin\AppData\Local\K7I\rdpinit.exe
          C:\Users\Admin\AppData\Local\K7I\rdpinit.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:5028
        • C:\Windows\system32\ProximityUxHost.exe
          C:\Windows\system32\ProximityUxHost.exe
          1⤵
            PID:3368
          • C:\Users\Admin\AppData\Local\2WUu8P\ProximityUxHost.exe
            C:\Users\Admin\AppData\Local\2WUu8P\ProximityUxHost.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:4596

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\2WUu8P\ProximityUxHost.exe
            Filesize

            263KB

            MD5

            9ea326415b83d77295c70a35feb75577

            SHA1

            f8fc6a4f7f97b242f35066f61d305e278155b8a8

            SHA256

            192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f

            SHA512

            2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

            Download Submit

          • C:\Users\Admin\AppData\Local\2WUu8P\dwmapi.dll
            Filesize

            1.2MB

            MD5

            d249ff30d26af2a70127ccb974d749d9

            SHA1

            9bd9cf199fbdac4b0c8387a8894211db9a54e37e

            SHA256

            fc6d7fdb4a9dfc8cf86e3df60f96ed3133a5484e11e764fa261b383bfd8f3440

            SHA512

            02edf19ae57deb15d66f1a1027173572859aa51741e0e73e8527252db977dd97839a7aea708e2ed08bd743df10c42851a55f6f8ad9e64c489a7653beb7e02447

            Download Submit

          • C:\Users\Admin\AppData\Local\K7I\WTSAPI32.dll
            Filesize

            1.2MB

            MD5

            a064d1470330e5256e345ba182b7597b

            SHA1

            56477bb5736d3b42863dab354eb3fe66a1ac5fdd

            SHA256

            455706a1957c2f72c98ee793cc40f14df07eccc1756bce6c32be61f4cd58dfba

            SHA512

            7f12990aa12670c6297e26bc9e2060a094f68627d0ce3017d5ce47a4288b88d07abcc3b0fc267a4b43ca684ce5574d0972a2e691e8a8b8ac8aef381bccebdc87

            Download Submit

          • C:\Users\Admin\AppData\Local\K7I\rdpinit.exe
            Filesize

            343KB

            MD5

            b0ecd76d99c5f5134aeb52460add6f80

            SHA1

            51462078092c9d6b7fa2b9544ffe0a49eb258106

            SHA256

            51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

            SHA512

            16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

            Download Submit

          • C:\Users\Admin\AppData\Local\znR\RdpSaUacHelper.exe
            Filesize

            33KB

            MD5

            0d5b016ac7e7b6257c069e8bb40845de

            SHA1

            5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

            SHA256

            6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

            SHA512

            cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

            Download Submit

          • C:\Users\Admin\AppData\Local\znR\WINSTA.dll
            Filesize

            1.2MB

            MD5

            89ddb784b245037dd857f9312f12e327

            SHA1

            ca7cbaed41dda25ee4290242013e01d4a511adec

            SHA256

            078ea0c85c3bb4c1b7ea0167b8546ba2953dab01face6906637e74855bd5cb43

            SHA512

            a271d82f0d696e089cecd21f28a270f1628a58d6315eabaa20c235931a93e236a4f346ff0c88dd264f8af8d430d9dc66d4e6b59a2a9f206107fba4d21619c48c

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Jmybglakcar.lnk
            Filesize

            1KB

            MD5

            3cc360e57197f246077f460216fff50c

            SHA1

            441ac7ef28044902d898dd7f8856152f635b95bb

            SHA256

            af79788f6a1f044114d73a9ccc931f3e76a2de4d638fba19f8078b5ac471d090

            SHA512

            968cffba4905ab9979f73a6c678603685bb9c9eb7ed4df9f6aeada955168df5319918f468a21331bb085e7d74f755d1e2429ddf4ce360bd314558fd46655d501

            Download Submit

          • memory/1500-0-0x0000020D814F0000-0x0000020D814F7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1500-39-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1500-1-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/2564-52-0x0000000140000000-0x0000000140145000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/2564-47-0x0000000140000000-0x0000000140145000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/2564-46-0x0000020C6B500000-0x0000020C6B507000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3408-25-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3408-16-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3408-7-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3408-6-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3408-10-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3408-9-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3408-12-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3408-11-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3408-15-0x00007FF873CBA000-0x00007FF873CBB000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3408-8-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3408-30-0x0000000002B90000-0x0000000002B97000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3408-36-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3408-31-0x00007FF875A30000-0x00007FF875A40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3408-4-0x0000000002C70000-0x0000000002C71000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3408-13-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3408-14-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/4596-85-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/5028-69-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/5028-63-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/5028-66-0x0000028E308D0000-0x0000028E308D7000-memory.dmp

            Filesize

            28KB

            Download