Overview

overview

10

Static

static

3

1eeb67c0b2...18.dll

windows7-x64

10

1eeb67c0b2...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2024 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1eeb67c0b2313b3e4bc8acd49939c136_JaffaCakes118.dll

  • Size

    986KB

  • MD5

    1eeb67c0b2313b3e4bc8acd49939c136

  • SHA1

    e94a3953ad29be223a423514e0fe230c65999e04

  • SHA256

    bcaa8df8f923d15444b1f1e63808c8b39ca0ac30d6c1288c294b5273f1a95387

  • SHA512

    b57a8252fd821cad9ea48f431ceb20da7a6be24530459096a5998e7cb16559372fd8942e54a64ebadd58e2765e843024e808bfe32eec5897c42c92caaa9e1533

  • SSDEEP

    24576:+VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:+V8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1eeb67c0b2313b3e4bc8acd49939c136_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4032
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    1⤵
      PID:2492
    • C:\Users\Admin\AppData\Local\3iy\BitLockerWizard.exe
      C:\Users\Admin\AppData\Local\3iy\BitLockerWizard.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4956
    • C:\Windows\system32\lpksetup.exe
      C:\Windows\system32\lpksetup.exe
      1⤵
        PID:1184
      • C:\Users\Admin\AppData\Local\L9gJ\lpksetup.exe
        C:\Users\Admin\AppData\Local\L9gJ\lpksetup.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4944
      • C:\Windows\system32\rdpclip.exe
        C:\Windows\system32\rdpclip.exe
        1⤵
          PID:3984
        • C:\Users\Admin\AppData\Local\IFD\rdpclip.exe
          C:\Users\Admin\AppData\Local\IFD\rdpclip.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4856

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\3iy\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit
        • C:\Users\Admin\AppData\Local\3iy\FVEWIZ.dll
          Filesize

          988KB

          MD5

          d60aaa18141ebdb8f9dde7758a2cc8ec

          SHA1

          bb556a52354ba8256309ba070516862eb7bc180a

          SHA256

          37a3f3091065baffd5c3d7a1d56095ba3eeaee14563bab86daa935ac661045d8

          SHA512

          76de30f6b79c7326050eb77f3a005665243b2294200b25de6dc88f980ebeebd95e2d3d57f762ecbd5c6bd8aaa2caaba63d8fcdd46572452b2ffe0a6e2c1ba118

          Download Submit
        • C:\Users\Admin\AppData\Local\IFD\WTSAPI32.dll
          Filesize

          988KB

          MD5

          bf137a13a73139ef133ce5a2ecd289c0

          SHA1

          956076ff8bdc79f15f72bd119f04ea8eab9224b3

          SHA256

          ecb1587e2d4761ae95a7fee3cce5fb4deb62cf30d7ffdd28fb3485686cfdbf88

          SHA512

          4b73233a9609974f899bbed5d9c2853a0847f0dd610c39c25dc9925d30fd73d1c0079b06910a8897c182095393135af95ce64540e75a17c84304806b28969685

          Download Submit
        • C:\Users\Admin\AppData\Local\IFD\rdpclip.exe
          Filesize

          446KB

          MD5

          a52402d6bd4e20a519a2eeec53332752

          SHA1

          129f2b6409395ef877b9ca39dd819a2703946a73

          SHA256

          9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

          SHA512

          632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

          Download Submit
        • C:\Users\Admin\AppData\Local\L9gJ\dpx.dll
          Filesize

          986KB

          MD5

          9609e97f6263bedbd2d9e28fdc266259

          SHA1

          8ba5568149a6274e87de38c683871e146e93725e

          SHA256

          226a381572a4c569c48e57615719a9a4ed364e80d9e6828b3eb3d12223833c32

          SHA512

          c4877c058438413e31f618a2c98c2267e21da756818368de16a9510b8c4897c927af6ea89fce278b191583ed094d86d38fbf6c17c9d6b77e6be724a2e7e8d101

          Download Submit
        • C:\Users\Admin\AppData\Local\L9gJ\lpksetup.exe
          Filesize

          728KB

          MD5

          c75516a32e0aea02a184074d55d1a997

          SHA1

          f9396946c078f8b0f28e3a6e21a97eeece31d13f

          SHA256

          cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22

          SHA512

          92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aibqacvbwgcfz.lnk
          Filesize

          1KB

          MD5

          c4338ffcab4ec18958be19837e2bd296

          SHA1

          c7f8ef7dab375e8bb871d73f01b1cdb33ab2bc92

          SHA256

          f889c6bec26e7c24b0c428b56800f8a10949c0db2c7b81289a9704a8b3b86a91

          SHA512

          2fa6f3888d4aec40139d796607016ffdac308d039b6a5b1193194c6e8dddd82a9ffaa13e7786130b6fc2897bf4f42340cc25a92b7a4338235b346c27b245e896

          Download Submit
        • memory/3448-8-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3448-14-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3448-33-0x0000000002370000-0x0000000002377000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3448-32-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3448-12-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3448-10-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3448-9-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3448-4-0x00000000023B0000-0x00000000023B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3448-23-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3448-6-0x00007FF81FC6A000-0x00007FF81FC6B000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3448-13-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3448-36-0x00007FF8219F0000-0x00007FF821A00000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3448-11-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3448-7-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/4032-37-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/4032-0-0x00000000021F0000-0x00000000021F7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4032-1-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/4856-83-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4944-64-0x000002D847280000-0x000002D847287000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4944-67-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4956-50-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4956-44-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4956-47-0x00000158CA870000-0x00000158CA877000-memory.dmp
          Filesize

          28KB

          Download