Overview

overview

10

Static

static

3

32c1af30f0...18.dll

windows7-x64

10

32c1af30f0...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2024 04:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32c1af30f0f5b0081b6523c5aaf5b099_JaffaCakes118.dll

  • Size

    996KB

  • MD5

    32c1af30f0f5b0081b6523c5aaf5b099

  • SHA1

    0859743d3d53acf62ea5a8e005deb4bc9f106664

  • SHA256

    6a97f1622c6915d1d477b97abd9977a2c49bb49a12c8bb38d43ffef5d91ff0c2

  • SHA512

    6340b8e7a8eaf787e863a82c3b3202411e6e43965ded038f0057a11fcbdc03034e73dbb38e08de68f24ffd17d002b24d36d654a6ded6e354f895e1e563578e0d

  • SSDEEP

    24576:9VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:9V8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\32c1af30f0f5b0081b6523c5aaf5b099_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4540
  • C:\Windows\system32\sdclt.exe
    C:\Windows\system32\sdclt.exe
    1⤵
      PID:3648
    • C:\Users\Admin\AppData\Local\x4eAG6mbS\sdclt.exe
      C:\Users\Admin\AppData\Local\x4eAG6mbS\sdclt.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2776
    • C:\Windows\system32\LicensingUI.exe
      C:\Windows\system32\LicensingUI.exe
      1⤵
        PID:3456
      • C:\Users\Admin\AppData\Local\IfY\LicensingUI.exe
        C:\Users\Admin\AppData\Local\IfY\LicensingUI.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2940
      • C:\Windows\system32\WFS.exe
        C:\Windows\system32\WFS.exe
        1⤵
          PID:5060
        • C:\Users\Admin\AppData\Local\RHk\WFS.exe
          C:\Users\Admin\AppData\Local\RHk\WFS.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2412

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IfY\DUI70.dll
          Filesize

          1.2MB

          MD5

          495590ed713f63b4aef3fe4e22f1d578

          SHA1

          2955aec7af117775c38e427a3f7178c58331e182

          SHA256

          90be3076c83dc5040fb69f46c87f13f973ac5531d9c6bc2b8678f4f9044fc14f

          SHA512

          ef6fe2f01fc861ee0aa52d0ffd57434dcb344cad766d8dc36ef953c5a32692371c9059feea698922bf1ec0ac4ddcf9daba76ca0f5458edc57bd4410c12fbd943

          Download Submit
        • C:\Users\Admin\AppData\Local\IfY\LicensingUI.exe
          Filesize

          142KB

          MD5

          8b4abc637473c79a003d30bb9c7a05e5

          SHA1

          d1cab953c16d4fdec2b53262f56ac14a914558ca

          SHA256

          0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

          SHA512

          5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

          Download Submit
        • C:\Users\Admin\AppData\Local\RHk\UxTheme.dll
          Filesize

          999KB

          MD5

          1658fb55538f5c11a2d25fd5c3505dbe

          SHA1

          e0ceaa77baa81caafa79126fdf70643eb911d1a2

          SHA256

          d4f612c066897b71fe5ea74da586db2fd7b3580b0cf419670e133cfdf257a078

          SHA512

          de5100c0f7d715bf60dfff946e0d9bda02bcbefd12f55166f868cc39d0dda91afd9bfaa2e89be9a86c7046847ed5b3d42b825f1fd8442e9aa18fd9b5ef7cde2a

          Download Submit
        • C:\Users\Admin\AppData\Local\RHk\WFS.exe
          Filesize

          944KB

          MD5

          3cbc8d0f65e3db6c76c119ed7c2ffd85

          SHA1

          e74f794d86196e3bbb852522479946cceeed7e01

          SHA256

          e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

          SHA512

          26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

          Download Submit
        • C:\Users\Admin\AppData\Local\x4eAG6mbS\sdclt.exe
          Filesize

          1.2MB

          MD5

          e09d48f225e7abcab14ebd3b8a9668ec

          SHA1

          1c5b9322b51c09a407d182df481609f7cb8c425d

          SHA256

          efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

          SHA512

          384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

          Download Submit
        • C:\Users\Admin\AppData\Local\x4eAG6mbS\wer.dll
          Filesize

          1001KB

          MD5

          4c96ed085587ea28e26ba633b78fa0ed

          SHA1

          a8b2408e86c5d70f22d53469ab00bcd14a193b92

          SHA256

          5a91d1fa9c395f7576392d836d52308a7e18edd6bbaa6c922ae8ad0e5843f515

          SHA512

          575e52608eb193c5978f717c93fe22bd4b590f3f30731e6a14db845e05b9e7734f2a41b8582a84e30c31d725189886b15bf4ca97bc0cedb692ea274ee32edce2

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rkjap.lnk
          Filesize

          1KB

          MD5

          eeeb09555348308eef1a9faaec6b5f03

          SHA1

          385fb39e6640a48d76e67ea67b8765bcee8f13a4

          SHA256

          7b82f88146c88921964689f0da63cdced8de34267c868b7b89271be2dee50238

          SHA512

          ff1aee20c4a9a77a3f9d54db3783a027ab36c5b5b4891ad8731d754810297672c725dfa925b529cc1726cf62db23442cf11f5617a60c98b6ed64d40341e457e2

          Download Submit
        • memory/2412-84-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2412-81-0x0000028E25690000-0x0000028E25697000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2412-78-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2776-50-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/2776-44-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/2776-47-0x000002BE4F040000-0x000002BE4F047000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2940-61-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2940-64-0x000001EC4B910000-0x000001EC4B917000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2940-67-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3552-13-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3552-22-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3552-6-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3552-7-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3552-8-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3552-9-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3552-11-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3552-10-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3552-12-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3552-4-0x00000000079F0000-0x00000000079F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3552-34-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3552-23-0x00007FF9B898A000-0x00007FF9B898B000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3552-33-0x00007FF9BA670000-0x00007FF9BA680000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3552-24-0x00000000079D0000-0x00000000079D7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4540-37-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4540-1-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4540-3-0x000001DFE5B00000-0x000001DFE5B07000-memory.dmp
          Filesize

          28KB

          Download