Overview

overview

10

Static

static

3

d29a9bff7a...18.dll

windows7-x64

10

d29a9bff7a...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 18:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d29a9bff7a76be99fb115fbc9c46ab19_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    d29a9bff7a76be99fb115fbc9c46ab19

  • SHA1

    77923c1d6eb58ada0eba8ac9f95a6b6eeae99dd6

  • SHA256

    6c81b737c65a78dd31564f648152c40c15a1dacfab48130f46f5168f9526691f

  • SHA512

    cd7d1779641120ccd7f59842599b341f102bf4f5626a24b6393490c223f396945eca6bc9fca3567771fb3b5efd71b5e6290fdd1e2803aaf86ffd6be467958107

  • SSDEEP

    24576:huYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N7:z9cKrUqZWLAcUj

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d29a9bff7a76be99fb115fbc9c46ab19_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1044
  • C:\Windows\system32\rdpclip.exe
    C:\Windows\system32\rdpclip.exe
    1⤵
      PID:1288
    • C:\Users\Admin\AppData\Local\DFeeLm\rdpclip.exe
      C:\Users\Admin\AppData\Local\DFeeLm\rdpclip.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4368
    • C:\Windows\system32\dwm.exe
      C:\Windows\system32\dwm.exe
      1⤵
        PID:836
      • C:\Users\Admin\AppData\Local\nXR\dwm.exe
        C:\Users\Admin\AppData\Local\nXR\dwm.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2996
      • C:\Windows\system32\AtBroker.exe
        C:\Windows\system32\AtBroker.exe
        1⤵
          PID:1080
        • C:\Users\Admin\AppData\Local\euPxIw\AtBroker.exe
          C:\Users\Admin\AppData\Local\euPxIw\AtBroker.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1244

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\DFeeLm\dwmapi.dll
          Filesize

          1.2MB

          MD5

          843395d2b32167d86e6d562872d68d1f

          SHA1

          bcd1e367afb460c7994e231d6bac483aaf8e9c42

          SHA256

          31a276cdb73363e1630a63926985f0610bc5fa3fd5b84b573089418a5cbae614

          SHA512

          863fa0f18cd6ed5ccc75509e7fa8230898cfa80234e82f755453233b34f16d8dc704064e54ef54bc5093c6258623f464269b78a68e36e32f1399abae05f5ec84

          Download Submit

        • C:\Users\Admin\AppData\Local\DFeeLm\rdpclip.exe
          Filesize

          446KB

          MD5

          a52402d6bd4e20a519a2eeec53332752

          SHA1

          129f2b6409395ef877b9ca39dd819a2703946a73

          SHA256

          9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

          SHA512

          632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

          Download Submit

        • C:\Users\Admin\AppData\Local\euPxIw\AtBroker.exe
          Filesize

          90KB

          MD5

          30076e434a015bdf4c136e09351882cc

          SHA1

          584c958a35e23083a0861421357405afd26d9a0c

          SHA256

          ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

          SHA512

          675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

          Download Submit

        • C:\Users\Admin\AppData\Local\euPxIw\UxTheme.dll
          Filesize

          1.2MB

          MD5

          f4cc044df46f6aa2bbba3ec438c7b994

          SHA1

          c3483beffe53841ed0b4bd889a2601b99acca2b2

          SHA256

          1ecaa007c98a07566c61c6f5e98e0ac7102e9f66c94c63c310042df48cadd971

          SHA512

          f5a7ea805eff935903e0a5297224adef883fd55b9c6b11b80b3ed03fb3593712a07f388ed0ad4c50bb8d6560f5a21646097f9b6b76708a3f32828fe60586e41c

          Download Submit

        • C:\Users\Admin\AppData\Local\nXR\dwm.exe
          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

          Download Submit

        • C:\Users\Admin\AppData\Local\nXR\dxgi.dll
          Filesize

          1.2MB

          MD5

          a915356ea9395fbb308c3b9aef595daa

          SHA1

          25f13f5998585eb4cb4c99ae491251fd0f5bf9ca

          SHA256

          a36826537c63c1503cfa46576022bee5eccdddb6f1b75b7c0e2564b8a51414ea

          SHA512

          f6de8a89b56f60a4a81ef5b3f6e1bb27017a0892cafd0364710c12cd6501a89beb884409717451cae18287a984828efdc4ebf0b7fea425565a7a65427078b63b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk
          Filesize

          993B

          MD5

          19870a6f6c3159cdf01704341a134525

          SHA1

          58b5846efbabaf8b9bec314e069890dd911a5fb7

          SHA256

          b725a172009f35ecb62e8113410a3e2e40941dfd93e978d02f8ac5c5b4802a2d

          SHA512

          76d5caacc2239a36ca1c369f9777deb2c92cdd9dec9ffea29ba54fa0c98e290f187e612496c0c229df33ec808e17d5a3f61a9776e6e260c37bb6051746b8f8be

          Download Submit

        • memory/1044-3-0x00000000026A0000-0x00000000026A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1044-0-0x00007FFF62FE0000-0x00007FFF63117000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1044-39-0x00007FFF62FE0000-0x00007FFF63117000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-80-0x00007FFF53950000-0x00007FFF53A88000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-85-0x00007FFF53950000-0x00007FFF53A88000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2996-71-0x00007FFF54DB0000-0x00007FFF54EE8000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2996-67-0x0000024D5EC40000-0x0000024D5EC47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3448-8-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-30-0x00007FFF72530000-0x00007FFF72540000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3448-10-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-7-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-12-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-11-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-13-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-16-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-6-0x00007FFF708AA000-0x00007FFF708AB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3448-4-0x00000000080D0000-0x00000000080D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3448-14-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-17-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-25-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-9-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-36-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3448-29-0x00000000079A0000-0x00000000079A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3448-15-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4368-52-0x00007FFF54DB0000-0x00007FFF54EE8000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4368-47-0x00007FFF54DB0000-0x00007FFF54EE8000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4368-46-0x000001EBF70B0000-0x000001EBF70B7000-memory.dmp

          Filesize

          28KB

          Download