Overview

overview

10

Static

static

3

2a3eadb5b4...18.dll

windows7-x64

10

2a3eadb5b4...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    09-05-2024 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a3eadb5b49e55c1d57f5fea6961bb2e_JaffaCakes118.dll

  • Size

    993KB

  • MD5

    2a3eadb5b49e55c1d57f5fea6961bb2e

  • SHA1

    de9bedff2a89a1668e5eb6054170522f5a373ba8

  • SHA256

    74cd2d4fa0961ef49cd9c03e280ba2b224d948f51f7c56d75592771ff1585cf6

  • SHA512

    beb1d186d80c5edce4f9c4db3ce524dc69724ecea929912c4bbfa85adda23e93538bba6fd66473f425d3868817e795287476c33d726064f1da2fc407561c28fa

  • SSDEEP

    24576:rVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:rV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3eadb5b49e55c1d57f5fea6961bb2e_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2328
  • C:\Windows\system32\rrinstaller.exe
    C:\Windows\system32\rrinstaller.exe
    1⤵
      PID:2540
    • C:\Users\Admin\AppData\Local\gnbE\rrinstaller.exe
      C:\Users\Admin\AppData\Local\gnbE\rrinstaller.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2456
    • C:\Windows\system32\BitLockerWizard.exe
      C:\Windows\system32\BitLockerWizard.exe
      1⤵
        PID:2500
      • C:\Users\Admin\AppData\Local\VQeuuH\BitLockerWizard.exe
        C:\Users\Admin\AppData\Local\VQeuuH\BitLockerWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2472
      • C:\Windows\system32\dwm.exe
        C:\Windows\system32\dwm.exe
        1⤵
          PID:1208
        • C:\Users\Admin\AppData\Local\V6feIL0A\dwm.exe
          C:\Users\Admin\AppData\Local\V6feIL0A\dwm.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1272

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\V6feIL0A\UxTheme.dll
          Filesize

          995KB

          MD5

          963f63aaecd57b734bcda916fe522c0a

          SHA1

          ef7ba64588e34969612c1986454e91ceee537052

          SHA256

          0571ef949e4675d474e06bc4ae30ca2e36299b53fa3ce81bac5ab88c3a48cf1c

          SHA512

          e16489f8b3d2b297928628f0d2cac78e79108c0d4e2d3dbaa64fec195dfe12666135b2c7e60f2870f85064a100092d65e57574e279b41cc86fd9f0145cb8d3c5

          Download Submit
        • C:\Users\Admin\AppData\Local\VQeuuH\FVEWIZ.dll
          Filesize

          995KB

          MD5

          fe27615486d93dbde00ba4dc22905148

          SHA1

          b65052cffae870c3044db1ae854ce6d5d12a4112

          SHA256

          df7b78e85e0c5d1ccbb176514a0876fe1f65dc5e5b6230b6e06be60c9d0224b4

          SHA512

          8a8db5aaa09c8b985ca6b9bcfc65457d412c361482cc4b089661d689ed16d8904efa51c79cbe462a6f4fdc73ecc2a4a2945eac982ce37cce04ace46c163762a3

          Download Submit
        • C:\Users\Admin\AppData\Local\gnbE\MFPlat.DLL
          Filesize

          998KB

          MD5

          cbe8807bf819c63a02e9b59d0d253571

          SHA1

          c0ad91178d38e47f8e10b26f50d225c28646fc36

          SHA256

          6bb2faae746290d89ca7cf398512e1098c4fd4a72d53cb9e856ffea56953cb50

          SHA512

          968b9dafb663033564670e5c80d8f8b28458ebb8f143f46f02105eb506036fa98980d53df754a57721085cc79c943ead4dada40dfe9570c7cbae78f1cb9e48dc

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
          Filesize

          1KB

          MD5

          a07a4ff2179396cdf14a87ad375ef412

          SHA1

          3e68b9f0c201ba30b1acc84b019fc0268eb36cdb

          SHA256

          bfd6dd4dcda73f92caf9db974bdbbfe152b7974bed770911d1f498c59ecc9fff

          SHA512

          4625a84650af3a66dc3cd8c592972162958eed2061d4e1a4a03dfe84225811fca8766787fde00987efda1d457a33e08ad8f7113338c33b80d74bf32b3d4956fa

          Download Submit
        • \Users\Admin\AppData\Local\V6feIL0A\dwm.exe
          Filesize

          117KB

          MD5

          f162d5f5e845b9dc352dd1bad8cef1bc

          SHA1

          35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

          SHA256

          8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

          SHA512

          7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

          Download Submit
        • \Users\Admin\AppData\Local\VQeuuH\BitLockerWizard.exe
          Filesize

          98KB

          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

          Download Submit
        • \Users\Admin\AppData\Local\gnbE\rrinstaller.exe
          Filesize

          54KB

          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit
        • memory/1272-93-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/1356-8-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1356-37-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1356-23-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1356-28-0x0000000077720000-0x0000000077722000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1356-27-0x0000000077591000-0x0000000077592000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1356-14-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1356-10-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1356-24-0x0000000002980000-0x0000000002987000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1356-36-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1356-73-0x0000000077486000-0x0000000077487000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1356-9-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1356-5-0x00000000029A0000-0x00000000029A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1356-11-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1356-7-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1356-12-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1356-4-0x0000000077486000-0x0000000077487000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1356-13-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2328-0-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2328-3-0x0000000000120000-0x0000000000127000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2328-44-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2456-52-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/2456-58-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/2456-55-0x0000000000190000-0x0000000000197000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2472-77-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2472-74-0x0000000000110000-0x0000000000117000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2472-70-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download