Overview

overview

10

Static

static

3

1a284e601d...18.dll

windows7-x64

10

1a284e601d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 01:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a284e601d4b39b13a2c1ea67fe0433b_JaffaCakes118.dll

  • Size

    986KB

  • MD5

    1a284e601d4b39b13a2c1ea67fe0433b

  • SHA1

    396f1bbc283017fe8a3df5bd487d2731e7fe347f

  • SHA256

    3b7790a2520c63e35ddae8ac5a3aed6c09b16a1a3506d414c6aedfc65cba9b34

  • SHA512

    eb7ffe8c4f1da82e188214ed7af8ddd518afb30173cf058ac6ff54176f357fb95f629f36965342b5791dd5b85a82d5a9c8965866f480e356c4adba156f1d3386

  • SSDEEP

    24576:dVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:dV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a284e601d4b39b13a2c1ea67fe0433b_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4616
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    C:\Windows\system32\SystemSettingsAdminFlows.exe
    1⤵
      PID:2104
    • C:\Users\Admin\AppData\Local\Sso8n7qgT\SystemSettingsAdminFlows.exe
      C:\Users\Admin\AppData\Local\Sso8n7qgT\SystemSettingsAdminFlows.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:5768
    • C:\Windows\system32\rdpshell.exe
      C:\Windows\system32\rdpshell.exe
      1⤵
        PID:3736
      • C:\Users\Admin\AppData\Local\GmB\rdpshell.exe
        C:\Users\Admin\AppData\Local\GmB\rdpshell.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5724
      • C:\Windows\system32\SppExtComObj.Exe
        C:\Windows\system32\SppExtComObj.Exe
        1⤵
          PID:1636
        • C:\Users\Admin\AppData\Local\C2Yex\SppExtComObj.Exe
          C:\Users\Admin\AppData\Local\C2Yex\SppExtComObj.Exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4524

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\C2Yex\ACTIVEDS.dll
          Filesize

          987KB

          MD5

          972d588fed89ed5d5e26b95b2b89baf0

          SHA1

          672993fc7474e1592c86ad8c23dd3ed30cebed12

          SHA256

          e530ac70cbc608133caabfd769b324da2a2fc7d8ebcd45635086ad7371be6222

          SHA512

          1ff9371584cb65fffeac5f506cdb2a5fa1361fd98937810cee127cea7958005f10baffd0e2e65cf3e4037547e5139c15e824e872c74900425d894ea82ce7acdd

          Download Submit
        • C:\Users\Admin\AppData\Local\C2Yex\SppExtComObj.Exe
          Filesize

          559KB

          MD5

          728a78909aa69ca0e976e94482350700

          SHA1

          6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

          SHA256

          2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

          SHA512

          22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

          Download Submit
        • C:\Users\Admin\AppData\Local\GmB\dwmapi.dll
          Filesize

          988KB

          MD5

          18bc3fd089fd7e3c85f6b57b9587bdb3

          SHA1

          97f155f18698f646dbebe3e73d671b84742aed1b

          SHA256

          244ded450ab1cf7fcb3342cef2d2a73b6266f4feb2ea580de7ad11bfbb618fc9

          SHA512

          fa3d9dd5977e3b8b315ac60047459ad3b6433e95fc94aaf4489caf28f6c24716cdcd0b575f0b91abf65d51452a204b7decab103239e7a06afaa25cc38fee2cbb

          Download Submit
        • C:\Users\Admin\AppData\Local\GmB\rdpshell.exe
          Filesize

          468KB

          MD5

          428066713f225bb8431340fa670671d4

          SHA1

          47f6878ff33317c3fc09c494df729a463bda174c

          SHA256

          da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

          SHA512

          292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

          Download Submit
        • C:\Users\Admin\AppData\Local\Sso8n7qgT\DUI70.dll
          Filesize

          1.2MB

          MD5

          311588e29d856f1995386eb54e6460ea

          SHA1

          ce4ef3abb54aaafeeaa9f21f39da1578da901555

          SHA256

          89e723cbcd985df46a7da056cbe94511c508963bbefb475ef56c230025ea63e3

          SHA512

          12756b1a11cfb3078927f409392e298926509fd8765a38e43f86abef86449f91a094bb4c414a1fde562108396656f643f8aee7ad44b1a353ee442871f4623660

          Download Submit
        • C:\Users\Admin\AppData\Local\Sso8n7qgT\SystemSettingsAdminFlows.exe
          Filesize

          506KB

          MD5

          50adb2c7c145c729b9de8b7cf967dd24

          SHA1

          a31757f08da6f95156777c1132b6d5f1db3d8f30

          SHA256

          a7a2e7122d27308df37b7ab718ef3ac239e4216669f51331e34e205f59fb0aec

          SHA512

          715b4c93e79e896da1cf86cf4455a84cba1aeac34b6fd72d2afdf203a2034f6f8fac1d6501f0dd277a17bd1d7ab73ddd1887e01a99f2d26f39efeb94d0aac9b0

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Puokv.lnk
          Filesize

          1KB

          MD5

          8dfb2c3334a3a0c1f507695dd5885498

          SHA1

          d90d2a8fd04e5cd0ad9096b0859fbc02dc99dc3d

          SHA256

          5c43863cef09f9e651743ed346db5036614177da32d2e254c41f3b952da18940

          SHA512

          dc6d73a95f2b2e3d17720b6623e75a85862b7c7e4eaa86e5ea4d8b682dc4bd94a8b07ff012ea227f87ea5f6f03c5f6423422551f96707ec6a363f4477da41fb9

          Download Submit
        • memory/3436-7-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3436-33-0x00007FF8E3910000-0x00007FF8E3920000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3436-11-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3436-10-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3436-9-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3436-8-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3436-14-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3436-4-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3436-34-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3436-6-0x00007FF8E308A000-0x00007FF8E308B000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3436-32-0x0000000000780000-0x0000000000787000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3436-12-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3436-13-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3436-23-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/4524-83-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4616-37-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/4616-0-0x000001ABF6A80000-0x000001ABF6A87000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4616-1-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/5724-64-0x000001757C100000-0x000001757C107000-memory.dmp
          Filesize

          28KB

          Download
        • memory/5724-61-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/5724-67-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/5768-50-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/5768-47-0x000002D4E9B00000-0x000002D4E9B07000-memory.dmp
          Filesize

          28KB

          Download
        • memory/5768-44-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download