Overview

overview

10

Static

static

3

d60158a830...18.dll

windows7-x64

10

d60158a830...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-09-2024 09:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d60158a83044f3a9cfa793ff367a2974_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    d60158a83044f3a9cfa793ff367a2974

  • SHA1

    0da6da782bed9459503edc9a21ee5f6b7ec02c99

  • SHA256

    150e6355b4e5d64291ad78878bba7d155a2e5412875e36866ead632f7d9c6d82

  • SHA512

    11e61830d477990d7f361290af170844dd39d2e406e3e8b37234b3eb75d6ab21d1f2d353e96e8490a4497dc1892a66aaa639915d975e918baf9400b9f4fb6539

  • SSDEEP

    24576:vuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:R9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d60158a83044f3a9cfa793ff367a2974_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2020
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    C:\Windows\system32\SystemSettingsAdminFlows.exe
    1⤵
      PID:4680
    • C:\Users\Admin\AppData\Local\veosa\SystemSettingsAdminFlows.exe
      C:\Users\Admin\AppData\Local\veosa\SystemSettingsAdminFlows.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4020
    • C:\Windows\system32\SystemPropertiesHardware.exe
      C:\Windows\system32\SystemPropertiesHardware.exe
      1⤵
        PID:2484
      • C:\Users\Admin\AppData\Local\TGCHbZ7U\SystemPropertiesHardware.exe
        C:\Users\Admin\AppData\Local\TGCHbZ7U\SystemPropertiesHardware.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4404
      • C:\Windows\system32\phoneactivate.exe
        C:\Windows\system32\phoneactivate.exe
        1⤵
          PID:3928
        • C:\Users\Admin\AppData\Local\QZH\phoneactivate.exe
          C:\Users\Admin\AppData\Local\QZH\phoneactivate.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2124

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\QZH\DUI70.dll
          Filesize

          1.4MB

          MD5

          95c424c0b10354893302c351f04b3d96

          SHA1

          a272c27b729001b5723f27f27de00fa6c396de4f

          SHA256

          9a88aa52e9e0b15ef7fab4a24780f63a49030655da5d624f9289d4691ef5963d

          SHA512

          79af97c9bf54a1c33161fe5e4e7c60b3e569fc74f9a218ec0a0c1d31ed6d7d3292cb523f36ed884cc33ad06ff16b5e3fb2b2c2cc36575e76fc2311d1a5fc6cd6

          Download Submit

        • C:\Users\Admin\AppData\Local\QZH\phoneactivate.exe
          Filesize

          107KB

          MD5

          32c31f06e0b68f349f68afdd08e45f3d

          SHA1

          e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

          SHA256

          cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

          SHA512

          fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

          Download Submit

        • C:\Users\Admin\AppData\Local\TGCHbZ7U\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          2de2b537e384ef015887f3d9c3d0ba41

          SHA1

          e1bd0b641cbfa85a4c5880fddddeaadf54065195

          SHA256

          68a53eb0087a1b2b76d87cfdd216a6e0a907be222b9327d1d625c49b361c1934

          SHA512

          753b22079cf5bb44de30141418343ae82101bb7dd60a616a40b35350fd1b2b3b079398baef668db7e4c596459e85fa7b2eb413bad5ac57e40d4acb3168d59083

          Download Submit

        • C:\Users\Admin\AppData\Local\TGCHbZ7U\SystemPropertiesHardware.exe
          Filesize

          82KB

          MD5

          bf5bc0d70a936890d38d2510ee07a2cd

          SHA1

          69d5971fd264d8128f5633db9003afef5fad8f10

          SHA256

          c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

          SHA512

          0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

          Download Submit

        • C:\Users\Admin\AppData\Local\veosa\SystemSettingsAdminFlows.exe
          Filesize

          506KB

          MD5

          50adb2c7c145c729b9de8b7cf967dd24

          SHA1

          a31757f08da6f95156777c1132b6d5f1db3d8f30

          SHA256

          a7a2e7122d27308df37b7ab718ef3ac239e4216669f51331e34e205f59fb0aec

          SHA512

          715b4c93e79e896da1cf86cf4455a84cba1aeac34b6fd72d2afdf203a2034f6f8fac1d6501f0dd277a17bd1d7ab73ddd1887e01a99f2d26f39efeb94d0aac9b0

          Download Submit

        • C:\Users\Admin\AppData\Local\veosa\newdev.dll
          Filesize

          1.2MB

          MD5

          a9a5d0949114fb999e0d09e4d3b9c32c

          SHA1

          a0d50bcfa136d037d9554105b0a86e31d170c640

          SHA256

          ff61447a9f60097e4f2b3f139d84eea9dc2530928ac84683de10c6ebc28c7fbb

          SHA512

          4ac05d9fae14ce24c06d18a703c8702d2c222a1502f2a90d2fe5ba12e189f6f1b4b19521e3fa7259cc8fe190779c0dc6303e3c0c408ac271d755abbf0eb613e5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mcinmsnhewplgza.lnk
          Filesize

          1KB

          MD5

          ff537ea0fbe569eb798109a603103691

          SHA1

          246ff3f7fbeb300ae379e79b19ec9be3999c38de

          SHA256

          8626cb85e0b18c4b8fa67918d0e45d3620c1c16dcb8f7db1320c2e9c6ad39801

          SHA512

          cfd152c779990192e23602bd7433e24be534a9a5314251e96f7fb317dab9a15e262c2f26359c8427d1afb7cecbc40ce4f2c8666cac1247d30c06362ab2253401

          Download Submit

        • memory/2020-38-0x00007FFE59680000-0x00007FFE597B0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2020-1-0x00007FFE59680000-0x00007FFE597B0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2020-0-0x0000026872830000-0x0000026872837000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2124-84-0x00007FFE49D10000-0x00007FFE49E86000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2124-79-0x00007FFE49D10000-0x00007FFE49E86000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3432-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-29-0x00007FFE68190000-0x00007FFE681A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-6-0x00007FFE66FCA000-0x00007FFE66FCB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-4-0x0000000008770000-0x0000000008771000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-28-0x0000000008750000-0x0000000008757000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3432-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4020-51-0x00007FFE495A0000-0x00007FFE496D1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4020-46-0x00007FFE495A0000-0x00007FFE496D1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4020-45-0x000001B192CC0000-0x000001B192CC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4404-68-0x00007FFE49D50000-0x00007FFE49E81000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4404-62-0x00007FFE49D50000-0x00007FFE49E81000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4404-65-0x0000029B855E0000-0x0000029B855E7000-memory.dmp

          Filesize

          28KB

          Download