Overview

overview

10

Static

static

3

2bff80f70a...18.dll

windows7-x64

10

2bff80f70a...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 22:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2bff80f70ad0151ec6bebe69e0bfb972_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    2bff80f70ad0151ec6bebe69e0bfb972

  • SHA1

    bd6f81939f482411bad7030994e6724092db7d5c

  • SHA256

    e75bb6327d366e83dd2f2e52c662343ef76dd47b5eb53ae2cc8cb27f047ed7cc

  • SHA512

    f29a1232faadd2e064dc5ec77ac2fad95e0050191a753bd24fb40e95146fec09cb890348d911fe33e788e3ae9ebb18dca63802efad76cf6fab06fc7b7a7e2245

  • SSDEEP

    24576:RVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:RV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bff80f70ad0151ec6bebe69e0bfb972_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:116
  • C:\Windows\system32\mblctr.exe
    C:\Windows\system32\mblctr.exe
    1⤵
      PID:4720
    • C:\Users\Admin\AppData\Local\PBbEkzo9r\mblctr.exe
      C:\Users\Admin\AppData\Local\PBbEkzo9r\mblctr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3076
    • C:\Windows\system32\Netplwiz.exe
      C:\Windows\system32\Netplwiz.exe
      1⤵
        PID:1520
      • C:\Users\Admin\AppData\Local\rTi7h6R\Netplwiz.exe
        C:\Users\Admin\AppData\Local\rTi7h6R\Netplwiz.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4768
      • C:\Windows\system32\dwm.exe
        C:\Windows\system32\dwm.exe
        1⤵
          PID:4400
        • C:\Users\Admin\AppData\Local\4Ip3NU\dwm.exe
          C:\Users\Admin\AppData\Local\4Ip3NU\dwm.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3148

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\4Ip3NU\dwm.exe
          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

          Download Submit

        • C:\Users\Admin\AppData\Local\4Ip3NU\dxgi.dll
          Filesize

          1.2MB

          MD5

          e32e4f1cb2b361ae0f45e50b91f0f8d6

          SHA1

          32676ce7f5e441f1a6d0d21599790e1bf1ff4cce

          SHA256

          bae065cfc93c22c4321e5ba7011d58b153ce30fff19c00fa173391de0f453d35

          SHA512

          8f50081250b52bf8251c060ebd58c2f342a9bae11a546418608af0a591aab419a81b77c4ce84a935d5b4040d7304125b4bf0ee02213b0b794dd5cad8ba448890

          Download Submit

        • C:\Users\Admin\AppData\Local\PBbEkzo9r\dwmapi.dll
          Filesize

          1.2MB

          MD5

          c3f395cc249790fc46363e157eca8358

          SHA1

          59f1e6135043e1e2b701ff80ab765767cd3c0113

          SHA256

          4a0db34234e532383ee4c2a6525531a94a90e803a9d1a396e78683b1fe5afbfe

          SHA512

          f4d9297a12324786ad56017daecdbc9540ae1d2de8fe4f600596d678b4edf42345f9686c61e865066a35c47bf58795806d950c67fe9cc5b229e2ebc7dcb9085f

          Download Submit

        • C:\Users\Admin\AppData\Local\PBbEkzo9r\mblctr.exe
          Filesize

          790KB

          MD5

          d3db14eabb2679e08020bcd0c96fa9f6

          SHA1

          578dca7aad29409634064579d269e61e1f07d9dd

          SHA256

          3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

          SHA512

          14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

          Download Submit

        • C:\Users\Admin\AppData\Local\rTi7h6R\NETPLWIZ.dll
          Filesize

          1.2MB

          MD5

          928c8b0ca9ce185d611444b4e6d52f91

          SHA1

          08d12ef0dad0bdfaaa2a0b5d628aa25a9acdbba0

          SHA256

          5505a38b28f451574853dea8ecff977bb57233224e86cebdc762e0e903b01cb8

          SHA512

          d58eca5dc36682bd3ae23bb7e0a8efecd6c6614f3e8970e4e840ab861dce681319c75678c53585f2564cccf8daf52f17d1cb7dfb30c377349f24467bd448af9c

          Download Submit

        • C:\Users\Admin\AppData\Local\rTi7h6R\Netplwiz.exe
          Filesize

          40KB

          MD5

          520a7b7065dcb406d7eca847b81fd4ec

          SHA1

          d1b3b046a456630f65d482ff856c71dfd2f335c8

          SHA256

          8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d

          SHA512

          7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rkjap.lnk
          Filesize

          1KB

          MD5

          98cfa05fef3174c8fd7b522b5716bbc4

          SHA1

          c49044a3a9c20113cf420723feff66398eaa4f39

          SHA256

          010f99d711293c25803d73e525d3d1cdf33a48ad6b9a088cc9048765a28e49f7

          SHA512

          ee60612fc12feda53b72868fc13c719b71c06e577a89255ddad34bd596df9e82e30a0707a9ef5cca3de87963a1c749ef6da2a1b2f06e396dea672644d0eb6367

          Download Submit

        • memory/116-3-0x000001E2E5570000-0x000001E2E5577000-memory.dmp

          Filesize

          28KB

          Download

        • memory/116-0-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/116-38-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3076-49-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3076-48-0x0000028B9EB50000-0x0000028B9EB57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3076-45-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3148-86-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3504-34-0x00007FF91D730000-0x00007FF91D740000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3504-33-0x0000000000F00000-0x0000000000F07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3504-11-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3504-8-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3504-9-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3504-12-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3504-13-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3504-36-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3504-15-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3504-7-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3504-24-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3504-6-0x00007FF91B9EA000-0x00007FF91B9EB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3504-4-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3504-14-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3504-10-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4768-68-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4768-65-0x000002879FA20000-0x000002879FA27000-memory.dmp

          Filesize

          28KB

          Download