Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f4dcda795d...18.dll

windows7-x64

10

f4dcda795d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/09/2024, 01:21 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4dcda795d669eadc3e6aece306f5edd_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    f4dcda795d669eadc3e6aece306f5edd

  • SHA1

    11264496a75d446d6d6f443d8200caad04340ed9

  • SHA256

    1c173d1937e8af89b502f278fb6053f5a1823663ff45e9d9b174483c5d7b46df

  • SHA512

    93b7ade0fa90d5f7b0db616d79c498b43aeeb92de6e264c7908124c78f8b57cf5554e26ad36e7c08a36cf6c65207760eb60846c63e215dd3852226aa6d9ba165

  • SSDEEP

    24576:luYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nipt:f9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4dcda795d669eadc3e6aece306f5edd_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3112
  • C:\Windows\system32\rdpshell.exe
    C:\Windows\system32\rdpshell.exe
    1⤵
      PID:2216
    • C:\Users\Admin\AppData\Local\x9Gi\rdpshell.exe
      C:\Users\Admin\AppData\Local\x9Gi\rdpshell.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2444
    • C:\Windows\system32\MDMAppInstaller.exe
      C:\Windows\system32\MDMAppInstaller.exe
      1⤵
        PID:3472
      • C:\Users\Admin\AppData\Local\pel\MDMAppInstaller.exe
        C:\Users\Admin\AppData\Local\pel\MDMAppInstaller.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2328
      • C:\Windows\system32\PresentationSettings.exe
        C:\Windows\system32\PresentationSettings.exe
        1⤵
          PID:388
        • C:\Users\Admin\AppData\Local\L1EPN\PresentationSettings.exe
          C:\Users\Admin\AppData\Local\L1EPN\PresentationSettings.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1884

        Network

        • flag-us
          DNS
          232.168.11.51.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          232.168.11.51.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          8.8.8.8.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          8.8.8.8.in-addr.arpa
          IN PTR
          Response
          8.8.8.8.in-addr.arpa
          IN PTR
          dnsgoogle
        • flag-us
          DNS
          83.210.23.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          83.210.23.2.in-addr.arpa
          IN PTR
          Response
          83.210.23.2.in-addr.arpa
          IN PTR
          a2-23-210-83deploystaticakamaitechnologiescom
        • flag-us
          DNS
          68.159.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          68.159.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          28.118.140.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          28.118.140.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          13.86.106.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          13.86.106.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          50.23.12.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          50.23.12.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          15.164.165.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          15.164.165.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          172.214.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.214.232.199.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          172.210.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.210.232.199.in-addr.arpa
          IN PTR
          Response
        No results found
        • 8.8.8.8:53
          232.168.11.51.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          232.168.11.51.in-addr.arpa

        • 8.8.8.8:53
          8.8.8.8.in-addr.arpa
          dns
          66 B
           90 B
           1
          1

          DNS Request

          8.8.8.8.in-addr.arpa

        • 8.8.8.8:53
          83.210.23.2.in-addr.arpa
          dns
          70 B
           133 B
           1
          1

          DNS Request

          83.210.23.2.in-addr.arpa

        • 8.8.8.8:53
          68.159.190.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          68.159.190.20.in-addr.arpa

        • 8.8.8.8:53
          28.118.140.52.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          28.118.140.52.in-addr.arpa

        • 8.8.8.8:53
          13.86.106.20.in-addr.arpa
          dns
          71 B
           157 B
           1
          1

          DNS Request

          13.86.106.20.in-addr.arpa

        • 8.8.8.8:53
          50.23.12.20.in-addr.arpa
          dns
          70 B
           156 B
           1
          1

          DNS Request

          50.23.12.20.in-addr.arpa

        • 8.8.8.8:53
          15.164.165.52.in-addr.arpa
          dns
          72 B
           146 B
           1
          1

          DNS Request

          15.164.165.52.in-addr.arpa

        • 8.8.8.8:53
          172.214.232.199.in-addr.arpa
          dns
          74 B
           128 B
           1
          1

          DNS Request

          172.214.232.199.in-addr.arpa

        • 8.8.8.8:53
          172.210.232.199.in-addr.arpa
          dns
          74 B
           128 B
           1
          1

          DNS Request

          172.210.232.199.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\L1EPN\PresentationSettings.exe
          Filesize

          219KB

          MD5

          790799a168c41689849310f6c15f98fa

          SHA1

          a5d213fc1c71a56de9441b2e35411d83770c01ec

          SHA256

          6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

          SHA512

          8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

          Download Submit

        • C:\Users\Admin\AppData\Local\L1EPN\WINMM.dll
          Filesize

          1.2MB

          MD5

          d639e1cb206ad18e3475fff5cfd04acf

          SHA1

          e8706db05051cd1be76415c038ae2741008e372b

          SHA256

          1240fc04f5c9279655f19f588f16b2406b559a654d0efa5c225c4ecd36c9b6b5

          SHA512

          25455723c6a14a3dd661a77daf411b146ff0710466313adf39ac83108cb9cec0d460328ef5a888226661039f942e4837f69e7f0dafc09e06e13ac07d369912df

          Download Submit

        • C:\Users\Admin\AppData\Local\pel\MDMAppInstaller.exe
          Filesize

          151KB

          MD5

          30e978cc6830b04f1e7ed285cccaa746

          SHA1

          e915147c17e113c676c635e2102bbff90fb7aa52

          SHA256

          dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

          SHA512

          331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

          Download Submit

        • C:\Users\Admin\AppData\Local\pel\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          8714b53cac2c5adcbb4b3b4abb3d4bd9

          SHA1

          0a19eaad1d23017e657bbe7c533ab6fd9562a2f3

          SHA256

          5c79ec51eb686f4055f20ae2ab1f3d48bab57f20108fbe0afc8a869ff1d66714

          SHA512

          953f391dc01ed9c5551a5a1d92a95051b5c319fa05f2cf205ac4507661213d98d0da66d6efabb52ec4cedb266d721e9d4ec0407aef521528938574777f7152ae

          Download Submit

        • C:\Users\Admin\AppData\Local\x9Gi\dwmapi.dll
          Filesize

          1.2MB

          MD5

          69f72333f1732138b7c8b79f3793543f

          SHA1

          aac47a955572572e69f757fff6e7618371a1b1f0

          SHA256

          ec8953a88a2e962053db4bb194a8da5e24383460b4c6b80216351bc87a9f9b10

          SHA512

          6b7671f630d20d65a161e88e8de34c777dba3dbc5f28f3172e13f7140b0b5798af37780e03ac329188b6b582305e99c3a76ea5023aac2527f78b8b73ed5ee656

          Download Submit

        • C:\Users\Admin\AppData\Local\x9Gi\rdpshell.exe
          Filesize

          468KB

          MD5

          428066713f225bb8431340fa670671d4

          SHA1

          47f6878ff33317c3fc09c494df729a463bda174c

          SHA256

          da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

          SHA512

          292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mihblavoyj.lnk
          Filesize

          1KB

          MD5

          7b763148fc19efbd49532e5b308eedf4

          SHA1

          ddbcf37ecee2f684dd96dd1c358ecac3fe10fc31

          SHA256

          ff9b0b7661bee93dfb3120f475730a8585bbc0f0c23beb56c1bf351d0d2ee510

          SHA512

          15a37be197b814f0d3323fc6287c8f6cb54e7377ad90b5b4d13314f355695d2bd350aae701203e164356427f7fb04f86942185448754e6bbe0f5c17e7277dab4

          Download Submit

        • memory/1884-79-0x00007FF920750000-0x00007FF920882000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1884-82-0x000002EBEE040000-0x000002EBEE047000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1884-85-0x00007FF920750000-0x00007FF920882000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2328-68-0x00007FF920900000-0x00007FF920A31000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2328-62-0x0000026A6F770000-0x0000026A6F777000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2444-51-0x00007FF920900000-0x00007FF920A31000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2444-45-0x00007FF920900000-0x00007FF920A31000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2444-48-0x0000025E034D0000-0x0000025E034D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3112-0-0x000001CD84AC0000-0x000001CD84AC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3112-38-0x00007FF92FE80000-0x00007FF92FFB0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3112-1-0x00007FF92FE80000-0x00007FF92FFB0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-27-0x0000000000740000-0x0000000000747000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3388-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-28-0x00007FF93E990000-0x00007FF93E9A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3388-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-4-0x0000000002990000-0x0000000002991000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3388-5-0x00007FF93D63A000-0x00007FF93D63B000-memory.dmp

          Filesize

          4KB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.