Overview

overview

10

Static

static

3

1d19acd154...18.dll

windows7-x64

10

1d19acd154...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d19acd154bf1676f07c6ca4ade6d4d6_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    1d19acd154bf1676f07c6ca4ade6d4d6

  • SHA1

    ebbf27f296de3c89a58021d31e054204698ab477

  • SHA256

    46041e5c693d0750c1d45de49962be9a767692f56c79ead576198d48ca0ed5d5

  • SHA512

    1dcb97135d50c4e6ddf243473883440ad34537fd54aae72929e7a1c4d57c1e301400ccd2c4c870e127bee8be69052b796f3a222b9bc4f41c73b033cb80f4f210

  • SSDEEP

    24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d19acd154bf1676f07c6ca4ade6d4d6_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3096
  • C:\Windows\system32\RecoveryDrive.exe
    C:\Windows\system32\RecoveryDrive.exe
    1⤵
      PID:1628
    • C:\Users\Admin\AppData\Local\BcMw4F06w\RecoveryDrive.exe
      C:\Users\Admin\AppData\Local\BcMw4F06w\RecoveryDrive.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2564
    • C:\Windows\system32\SystemPropertiesAdvanced.exe
      C:\Windows\system32\SystemPropertiesAdvanced.exe
      1⤵
        PID:2980
      • C:\Users\Admin\AppData\Local\QvGyJhC\SystemPropertiesAdvanced.exe
        C:\Users\Admin\AppData\Local\QvGyJhC\SystemPropertiesAdvanced.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3756
      • C:\Windows\system32\sessionmsg.exe
        C:\Windows\system32\sessionmsg.exe
        1⤵
          PID:5072
        • C:\Users\Admin\AppData\Local\fKkhWk\sessionmsg.exe
          C:\Users\Admin\AppData\Local\fKkhWk\sessionmsg.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1772

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\BcMw4F06w\RecoveryDrive.exe
          Filesize

          911KB

          MD5

          b9b3dc6f2eb89e41ff27400952602c74

          SHA1

          24ae07e0db3ace0809d08bbd039db3a9d533e81b

          SHA256

          630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

          SHA512

          7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

          Download Submit

        • C:\Users\Admin\AppData\Local\BcMw4F06w\UxTheme.dll
          Filesize

          1.2MB

          MD5

          c41d6839c1f1ca4ec73f9eaf2409e1fa

          SHA1

          63882ba7db843a8d4e3657f7caea97f80ea4cda8

          SHA256

          97d6ab96faa525efd791c1f38f6b9720522b8cac00d1a3edd25c9e0faed3f3be

          SHA512

          fd2accf4b4fe1cc7a85d819ebf0dbeca8adefb1b9660dbc24dff86f51a11d16b07c23f44eff50c0357ec9969b5def4746b58f5ba32920005c8005b4044914206

          Download Submit

        • C:\Users\Admin\AppData\Local\QvGyJhC\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          f2e64830a2c214738968617c3647f9e1

          SHA1

          68d13f550dd4b7ca079d38f45f773ca1c06096b9

          SHA256

          5a3b92a6a9bfeb85b94f5df7363244fe95b6c98782f564a42e6a00a0279d105a

          SHA512

          e0a549b0b0787d87b4d191ce8c65fe93b3cca78cff1c875ec9d51633cb016f63ffaef1e46939cca2111f9a97cab655cb72858c426d92f54d1d2d6d084c3eba51

          Download Submit

        • C:\Users\Admin\AppData\Local\QvGyJhC\SystemPropertiesAdvanced.exe
          Filesize

          82KB

          MD5

          fa040b18d2d2061ab38cf4e52e753854

          SHA1

          b1b37124e9afd6c860189ce4d49cebbb2e4c57bc

          SHA256

          c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c

          SHA512

          511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

          Download Submit

        • C:\Users\Admin\AppData\Local\fKkhWk\DUser.dll
          Filesize

          1.2MB

          MD5

          4ad7655783f220338f7f6539ec36a6c6

          SHA1

          20ccd6cbffcf18b231d9182b75e1a4fbce71edfd

          SHA256

          baaa1073b0a84c71aaf4ccce1847eec64d49dec422514b799905712d9e81b664

          SHA512

          7ee30807c02d8a2c3911c70df7c0482656ecb7cb66976ad2a69c752a2660be3725629ab3c9e2fd20f6fe0036466b20c9cbe036340fef73365c0533c177e13c95

          Download Submit

        • C:\Users\Admin\AppData\Local\fKkhWk\sessionmsg.exe
          Filesize

          85KB

          MD5

          480f710806b68dfe478ca1ec7d7e79cc

          SHA1

          b4fc97fed2dbff9c4874cb65ede7b50699db37cd

          SHA256

          2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

          SHA512

          29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aibqacvbwgcfz.lnk
          Filesize

          1KB

          MD5

          1b40ee13acc468596e7244c2b6b59d8b

          SHA1

          c897cba440a1a12ab2b0cdafe3b970e7676de2e9

          SHA256

          23a6714bd9005dbc6d72e82acd8ef0814e1d6bac1249db2c84d844132640464e

          SHA512

          79e0775a933884f99ec2ee832042553b02ebfee556ec81bc2deff0ce92ec6b1cbf0e89db8c4c04f5fba55e3cd41af730393f8e66fe132d7d583a1e6fa7fa9bc5

          Download Submit

        • memory/1772-86-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1772-85-0x0000011B71940000-0x0000011B71947000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1772-80-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2564-49-0x000001BC5BC40000-0x000001BC5BC47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2564-52-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2564-46-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3096-39-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3096-0-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3096-3-0x0000021250850000-0x0000021250857000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3528-14-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3528-12-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3528-6-0x00007FFE11C9A000-0x00007FFE11C9B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3528-7-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3528-25-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3528-8-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3528-9-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3528-10-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3528-11-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3528-4-0x0000000003240000-0x0000000003241000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3528-13-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3528-15-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3528-16-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3528-30-0x0000000003220000-0x0000000003227000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3528-31-0x00007FFE12FD0000-0x00007FFE12FE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3528-36-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3756-69-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3756-66-0x0000024B147F0000-0x0000024B147F7000-memory.dmp

          Filesize

          28KB

          Download