Overview

overview

10

Static

static

3

ef144112ab...18.dll

windows7-x64

10

ef144112ab...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2024 04:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef144112ab3bd4e5fede0a35175b0865_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    ef144112ab3bd4e5fede0a35175b0865

  • SHA1

    ea9e920ef55c48d710b9dbd593ba87e1da2f1b35

  • SHA256

    a63b33397161f4ae306b3304283359d24e52c75aef053ef690794cc664069c91

  • SHA512

    15f45026594769fddeed6ff1f60f15b27cab2492bd12d4d5d910abdab1802e281540823bcde73c0eab38ecd5ab8bc38054b3d7da6db3bb71a4c1b8fd0d236ee1

  • SSDEEP

    24576:2uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:29cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef144112ab3bd4e5fede0a35175b0865_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3076
  • C:\Windows\system32\phoneactivate.exe
    C:\Windows\system32\phoneactivate.exe
    1⤵
      PID:4932
    • C:\Users\Admin\AppData\Local\RxVzNFAA\phoneactivate.exe
      C:\Users\Admin\AppData\Local\RxVzNFAA\phoneactivate.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4044
    • C:\Windows\system32\CloudNotifications.exe
      C:\Windows\system32\CloudNotifications.exe
      1⤵
        PID:640
      • C:\Users\Admin\AppData\Local\KePJfbO\CloudNotifications.exe
        C:\Users\Admin\AppData\Local\KePJfbO\CloudNotifications.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3592
      • C:\Windows\system32\GamePanel.exe
        C:\Windows\system32\GamePanel.exe
        1⤵
          PID:3588
        • C:\Users\Admin\AppData\Local\qo8W2xt\GamePanel.exe
          C:\Users\Admin\AppData\Local\qo8W2xt\GamePanel.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4224

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\KePJfbO\CloudNotifications.exe
          Filesize

          59KB

          MD5

          b50dca49bc77046b6f480db6444c3d06

          SHA1

          cc9b38240b0335b1763badcceac37aa9ce547f9e

          SHA256

          96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

          SHA512

          2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

          Download Submit

        • C:\Users\Admin\AppData\Local\KePJfbO\UxTheme.dll
          Filesize

          1.2MB

          MD5

          a1199c44fe8ed293e8df3b6e8489b5ef

          SHA1

          e31902eb09a4e86cc03de9d4a561ba4e8c86d6b6

          SHA256

          00b93726825825ecdaaedecb54864ee661f8e6f6bfb9e705d1cf899144d2188b

          SHA512

          bc35bf4351335db10397cc0d6a99ed91f22e295ba66784562230d736b4bdec15ba8556df541e4211f07d77cc7c23b1d5453b704b80d606d74ea8971a415396c7

          Download Submit

        • C:\Users\Admin\AppData\Local\RxVzNFAA\DUI70.dll
          Filesize

          1.4MB

          MD5

          c3a13ccf780ff2155533488516d07e0e

          SHA1

          e2acaa2c8d0819bd19b93c0bcb7f4456d62912ed

          SHA256

          05365007e2674ce40ab3b06015218cc59c64db1b0bfd361c7de0230d10166fc3

          SHA512

          2879625f2f70aba0bc4e766a778e356157b13755a5a6f93744b50a079fc74d2eb5d906a3d1bd4398712e47ed7a1cd5b309391fbfcede05a08e74e46218516b60

          Download Submit

        • C:\Users\Admin\AppData\Local\RxVzNFAA\phoneactivate.exe
          Filesize

          107KB

          MD5

          32c31f06e0b68f349f68afdd08e45f3d

          SHA1

          e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

          SHA256

          cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

          SHA512

          fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

          Download Submit

        • C:\Users\Admin\AppData\Local\qo8W2xt\GamePanel.exe
          Filesize

          1.2MB

          MD5

          266f6a62c16f6a889218800762b137be

          SHA1

          31b9bd85a37bf0cbb38a1c30147b83671458fa72

          SHA256

          71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

          SHA512

          b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

          Download Submit

        • C:\Users\Admin\AppData\Local\qo8W2xt\dwmapi.dll
          Filesize

          1.2MB

          MD5

          2c9acb2da2da95787c717a06b31974f6

          SHA1

          5e193eaaebeb2107e6c0f7a2f2ea1b7fbb3bba09

          SHA256

          ee49b84b5908a4b3784a67a4929f713b2e3d2fe6064f76f6a7dd902471e12b1b

          SHA512

          8d8752d500bcb12459c8cbd64d9300b18a016ae9fccb65042ab6bb75f20aa02a03131bf3b52b95d82b9c955fc3e89d56717ac7f9391156adad0294d7078ec955

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ahvhgxnkgdxqlh.lnk
          Filesize

          1KB

          MD5

          2dd0c31bc5ea23bcd933166e8293b432

          SHA1

          580d8d35aafdbcae32036ddd63a13fb2e2d8d44c

          SHA256

          1b7107dae30d05b3af09e9c3191d6d56ca0e5bf4c225a61f84adbec0ea6f0bc9

          SHA512

          506407358c9918fd37ee93350564c782c1491301fd00102f84334d3b192307b75ae0d7d4add489d4f87e197aa102d3d417697a5d3eb653f9b736cb6450c7bade

          Download Submit

        • memory/3076-1-0x00007FFD629A0000-0x00007FFD62AD2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3076-3-0x00007FFD71290000-0x00007FFD71485000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3076-40-0x00007FFD71290000-0x00007FFD71485000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3076-39-0x00007FFD629A0000-0x00007FFD62AD2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-10-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-30-0x00007FFD71270000-0x00007FFD71280000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3492-14-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-12-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-11-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-17-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-9-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-8-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-25-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-29-0x0000000000890000-0x0000000000897000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3492-36-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-16-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-6-0x00007FFD6F34A000-0x00007FFD6F34B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3492-4-0x0000000002680000-0x0000000002681000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3492-13-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-15-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3492-7-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3592-69-0x0000010FC77E0000-0x0000010FC77E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3592-66-0x00007FFD530E0000-0x00007FFD53213000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3592-72-0x00007FFD530E0000-0x00007FFD53213000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4044-53-0x00007FFD530A0000-0x00007FFD53218000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4044-47-0x00007FFD530A0000-0x00007FFD53218000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4044-50-0x000001CA9B310000-0x000001CA9B317000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4224-88-0x00007FFD530E0000-0x00007FFD53213000-memory.dmp

          Filesize

          1.2MB

          Download