Overview

overview

10

Static

static

3

248928b7b8...18.dll

windows7-x64

10

248928b7b8...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/05/2024, 10:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    248928b7b857f742be05aa928101d5f3_JaffaCakes118.dll

  • Size

    988KB

  • MD5

    248928b7b857f742be05aa928101d5f3

  • SHA1

    e395a8cf2db356a95dcbd1b5adff3937d12caadf

  • SHA256

    1df85ebabf3497906c02c02cd6731f3907815a8a3ccf2acdf3ae5fd6507e83e8

  • SHA512

    9cb1d87c8174314e944f637fb15624a8b6d0f0f29debbd6b7a82476737cf60dddcefed3e7fa76b8755798c2888cf64fab98c0071595d3466f99b0e78df3cf4e8

  • SSDEEP

    24576:GVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:GV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\248928b7b857f742be05aa928101d5f3_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4524
  • C:\Windows\system32\wextract.exe
    C:\Windows\system32\wextract.exe
    1⤵
      PID:4912
    • C:\Users\Admin\AppData\Local\cB9\wextract.exe
      C:\Users\Admin\AppData\Local\cB9\wextract.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1952
    • C:\Windows\system32\PresentationHost.exe
      C:\Windows\system32\PresentationHost.exe
      1⤵
        PID:2452
      • C:\Users\Admin\AppData\Local\zhQp5X\PresentationHost.exe
        C:\Users\Admin\AppData\Local\zhQp5X\PresentationHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2676
      • C:\Windows\system32\BdeUISrv.exe
        C:\Windows\system32\BdeUISrv.exe
        1⤵
          PID:4896
        • C:\Users\Admin\AppData\Local\P6sUFap\BdeUISrv.exe
          C:\Users\Admin\AppData\Local\P6sUFap\BdeUISrv.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4436
        • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
          C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
          1⤵
            PID:3628
          • C:\Users\Admin\AppData\Local\zr0hbweX\SystemPropertiesDataExecutionPrevention.exe
            C:\Users\Admin\AppData\Local\zr0hbweX\SystemPropertiesDataExecutionPrevention.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2360

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\P6sUFap\BdeUISrv.exe
            Filesize

            54KB

            MD5

            8595075667ff2c9a9f9e2eebc62d8f53

            SHA1

            c48b54e571f05d4e21d015bb3926c2129f19191a

            SHA256

            20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

            SHA512

            080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

            Download Submit

          • C:\Users\Admin\AppData\Local\P6sUFap\WTSAPI32.dll
            Filesize

            990KB

            MD5

            691fe43bfe95140d73a7f429ccfc4c44

            SHA1

            7af58ca370d26989a2bab57155a8aa323aa5bdae

            SHA256

            05b222f217822092abde5ef47db9c13e6271e7891747a55b5eeb089cf3863236

            SHA512

            5b6ec7669b9ef5a8cd9b16491b7b3f10e79c8ba86f111becd29b8de27f13ebb6022ee9eb903b2f7125c013a929fcfff6d1cefb3e8c580d06a23af29ac7f3d86c

            Download Submit

          • C:\Users\Admin\AppData\Local\cB9\VERSION.dll
            Filesize

            989KB

            MD5

            73df3e54cf8834d5688afa78eed07cab

            SHA1

            8190ac76e18d4f3542bb2ddb12a8302f57c4f5c6

            SHA256

            5104ccfba57ef0b7a7dad80e24fbd15bc146ccf30227a1e8c423906dcbd0055c

            SHA512

            4b8253abc7d743ad30a99c57e921842ddd52ae88074f6e9be78bbf5733b14f95a17b5806798ccaa4b0b16f45ffa2b73bfbc1aaeff7d8c1d9613523c64b628088

            Download Submit

          • C:\Users\Admin\AppData\Local\cB9\wextract.exe
            Filesize

            143KB

            MD5

            56e501e3e49cfde55eb1caabe6913e45

            SHA1

            ab2399cbf17dbee7b302bea49e40d4cee7caea76

            SHA256

            fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

            SHA512

            2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

            Download Submit

          • C:\Users\Admin\AppData\Local\zhQp5X\PresentationHost.exe
            Filesize

            276KB

            MD5

            ef27d65b92d89e8175e6751a57ed9d93

            SHA1

            7279b58e711b459434f047e9098f9131391c3778

            SHA256

            17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

            SHA512

            40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

            Download Submit

          • C:\Users\Admin\AppData\Local\zhQp5X\VERSION.dll
            Filesize

            989KB

            MD5

            21a83a4e1eb060c76995e5d4a5a4047d

            SHA1

            5532ecbfa161c7a71efe3fdc02529ec913d70993

            SHA256

            3bb8caa6c05867722bd3a4d69ea5aa9d172cc4265f92191e6ec60d312c43ece5

            SHA512

            2d02d1cb2707983b842f57a77b2103d1c3dced209b371ae4ebc02e6acb2bf68f0c3688f8269e9201f73db60a2fb75165e33d0a4103fc12d12980c8fa23827165

            Download Submit

          • C:\Users\Admin\AppData\Local\zr0hbweX\SYSDM.CPL
            Filesize

            988KB

            MD5

            43d91da61b14a57caa18745e2d9e424a

            SHA1

            eed47eb8eb635f70e491369b4f6f2fe20841d060

            SHA256

            b7ee2aa8e4cfe86830c91bba9df7efba721e7cdb7442e690ece471e6a4f32e90

            SHA512

            0f11544b63ba145ce86930050ccf6249652b5c5c01e548dd40dc63cd78bb5676a5df7cd02469738c96dbe5430b0e0fca5bc1c168dafad9d41a7b561bca6fb1f5

            Download Submit

          • C:\Users\Admin\AppData\Local\zr0hbweX\SystemPropertiesDataExecutionPrevention.exe
            Filesize

            82KB

            MD5

            de58532954c2704f2b2309ffc320651d

            SHA1

            0a9fc98f4d47dccb0b231edf9a63309314f68e3b

            SHA256

            1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

            SHA512

            d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aibqacvbwgcfz.lnk
            Filesize

            1KB

            MD5

            6f1790c28f827e29d485c72921ae325e

            SHA1

            9a7d38a6340641a58d3a0e1bc137205f042c9bfa

            SHA256

            375ec464393df6f8f92c3ccf435b0d0e74a595f77609dfe6e2b035dcf637f786

            SHA512

            2488da00fbff009bc4bd1818462545ff0b1fedfd74f396616f4e9cfb283ca1ebcf51cda0d41fc32a7b170af5a676c8f629284ec1fda4f59e02c59b636c850d1f

            Download Submit

          • memory/1952-50-0x0000000140000000-0x00000001400FD000-memory.dmp

            Filesize

            1012KB

            Download

          • memory/1952-45-0x0000000140000000-0x00000001400FD000-memory.dmp

            Filesize

            1012KB

            Download

          • memory/1952-44-0x000001E6DD040000-0x000001E6DD047000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2360-92-0x0000000140000000-0x00000001400FD000-memory.dmp

            Filesize

            1012KB

            Download

          • memory/3412-34-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3412-23-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3412-7-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3412-6-0x00007FFD275AA000-0x00007FFD275AB000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3412-9-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3412-11-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3412-12-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3412-10-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3412-27-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3412-4-0x0000000002B90000-0x0000000002B91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3412-28-0x00007FFD28C30000-0x00007FFD28C40000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3412-14-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3412-13-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3412-8-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/4436-70-0x00000252DA560000-0x00000252DA567000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4436-76-0x0000000140000000-0x00000001400FD000-memory.dmp

            Filesize

            1012KB

            Download

          • memory/4524-0-0x0000000002180000-0x0000000002187000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4524-37-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/4524-1-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download