Overview

overview

10

Static

static

3

1e677cd335...18.dll

windows7-x64

10

1e677cd335...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 21:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e677cd3350d2618878c7bf997c81d86_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    1e677cd3350d2618878c7bf997c81d86

  • SHA1

    1d30fba14ba2e56ba95d8a475ec7df48697dba24

  • SHA256

    11b81dc6921307de061b316f6f18bedd1c7dc8301e78e7d7b43ae64b90f3b9e0

  • SHA512

    ab751499a5cc3b05b151a6fc113ed44a641f907d7a17176c9e6cb4cb4799f09bd972c8b3df70e94722a813bd8f1e775010ef02037f633834dd68e2606a282594

  • SSDEEP

    24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e677cd3350d2618878c7bf997c81d86_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1888
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    1⤵
      PID:3216
    • C:\Users\Admin\AppData\Local\Q1UfQvMuu\rstrui.exe
      C:\Users\Admin\AppData\Local\Q1UfQvMuu\rstrui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4224
    • C:\Windows\system32\WMPDMC.exe
      C:\Windows\system32\WMPDMC.exe
      1⤵
        PID:4704
      • C:\Users\Admin\AppData\Local\yXFR\WMPDMC.exe
        C:\Users\Admin\AppData\Local\yXFR\WMPDMC.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1860
      • C:\Windows\system32\BitLockerWizard.exe
        C:\Windows\system32\BitLockerWizard.exe
        1⤵
          PID:2660
        • C:\Users\Admin\AppData\Local\2K5tZg7x\BitLockerWizard.exe
          C:\Users\Admin\AppData\Local\2K5tZg7x\BitLockerWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4208

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2K5tZg7x\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit
        • C:\Users\Admin\AppData\Local\2K5tZg7x\FVEWIZ.dll
          Filesize

          1.2MB

          MD5

          a6714fa47ddddde3f824f8ccbf9651bd

          SHA1

          fbc5a6742429a27078e4cfdadbf1291f5e2b0eec

          SHA256

          142bfa84709c57c91f96fec5516bfb39698aa5932e5352c14322b74b70962a8c

          SHA512

          d2dfe62595d114faf74b49eeed3a2daad8bb2954e3a6c5256bbdfe3233db4445ba1c0f194843585512ab1ecbccb54d004cfd99ef5e8be432a28ffb444654d701

          Download Submit
        • C:\Users\Admin\AppData\Local\Q1UfQvMuu\SPP.dll
          Filesize

          1.2MB

          MD5

          6fc3418a6d72211ce0c962d7db9ed752

          SHA1

          1e7268a4793851f1d8b67054e6c5eb1810e2c98a

          SHA256

          bbf24ac0815e3c28ff29945eb7e1f199f4cde8e65736c87f210d656db903670f

          SHA512

          f601da7ceedaa0cae489ac4f2770fc87a4116df495372735f1d4cac12448ad2c1548aa7e57f1a2d103c97e106ec1676611642cc38af155e476a39d7a843711e5

          Download Submit
        • C:\Users\Admin\AppData\Local\Q1UfQvMuu\rstrui.exe
          Filesize

          268KB

          MD5

          4cad10846e93e85790865d5c0ab6ffd9

          SHA1

          8a223f4bab28afa4c7ed630f29325563c5dcda1a

          SHA256

          9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

          SHA512

          c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

          Download Submit
        • C:\Users\Admin\AppData\Local\yXFR\WMPDMC.exe
          Filesize

          1.5MB

          MD5

          59ce6e554da0a622febce19eb61c4d34

          SHA1

          176a4a410cb97b3d4361d2aea0edbf17e15d04c7

          SHA256

          c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

          SHA512

          e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

          Download Submit
        • C:\Users\Admin\AppData\Local\yXFR\dwmapi.dll
          Filesize

          1.2MB

          MD5

          257fee0a2caa103ef616e13cc2220efd

          SHA1

          548f768f6aa9b4369ba65e8bb73fcb8d3c4d64e7

          SHA256

          794592a3bc16fc8072451438ddbc77a6cabe587d30c442020581d1d86fa5be95

          SHA512

          4e6f8eff2c01f5ea84950d9ddb905ba49d6535cb5d1d56adfa50b0a2f1a4e688208faba2c470c9d52ed72f273b2c8c9d887274bd8006d07b1a33621e0c3b6c22

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehesgegqlj.lnk
          Filesize

          1KB

          MD5

          8192c8abe12dae0ea9863c5314aca9ff

          SHA1

          4eed8569d1d02847ef2a65bb100873c923c95769

          SHA256

          b11587e18ece15c785c90a829825b00f9250b60a992d784bb8d6cc0ba88fce8a

          SHA512

          858e26254b90d7f556c9ec82969f8932b1140528552bf801fd91effa0e6615f8f45718f55d1f664ed5135d8ea049ed07c3a5023960dfe791d07f0fae9e1a276a

          Download Submit
        • memory/1860-70-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1860-67-0x00000167BB570000-0x00000167BB577000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1888-39-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1888-3-0x00000232E6C80000-0x00000232E6C87000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1888-1-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3444-34-0x0000000002950000-0x0000000002957000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3444-14-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3444-10-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3444-9-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3444-8-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3444-7-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3444-12-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3444-13-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3444-15-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3444-4-0x0000000002970000-0x0000000002971000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3444-6-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3444-11-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3444-32-0x00007FF90FCDA000-0x00007FF90FCDB000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3444-35-0x00007FF911630000-0x00007FF911640000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3444-36-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3444-24-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/4208-84-0x0000029A19390000-0x0000029A19397000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4208-87-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/4224-53-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/4224-48-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/4224-47-0x00000234587E0000-0x00000234587E7000-memory.dmp
          Filesize

          28KB

          Download