Overview

overview

10

Static

static

3

48261eb153...18.dll

windows7-x64

10

48261eb153...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 21:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48261eb1530a4239ebb56bb5bc9aa217_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    48261eb1530a4239ebb56bb5bc9aa217

  • SHA1

    cda82eb1ede80e356c15219eae4750b995cd2803

  • SHA256

    7bf840ca70c270a4d2ffdfa43d0cdc99dbce46c021d3487cff99b7326dbf121d

  • SHA512

    f0a98c79ddfa49e85ee1f69fcf8ef3eaefd76ae1c45b7a9e566e8da19263c9ece413c3367e6325b7604789668384acc28060d3e2f0fea92ed7992714f7c53fa4

  • SSDEEP

    24576:BVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8K:BV8hf6STw1ZlQauvzSq01ICe6zvmV

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\48261eb1530a4239ebb56bb5bc9aa217_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2064
  • C:\Windows\system32\wlrmdr.exe
    C:\Windows\system32\wlrmdr.exe
    1⤵
      PID:3840
    • C:\Users\Admin\AppData\Local\vSEc837tU\wlrmdr.exe
      C:\Users\Admin\AppData\Local\vSEc837tU\wlrmdr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2708
    • C:\Windows\system32\mblctr.exe
      C:\Windows\system32\mblctr.exe
      1⤵
        PID:3444
      • C:\Users\Admin\AppData\Local\h2C\mblctr.exe
        C:\Users\Admin\AppData\Local\h2C\mblctr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:812
      • C:\Windows\system32\SppExtComObj.Exe
        C:\Windows\system32\SppExtComObj.Exe
        1⤵
          PID:4124
        • C:\Users\Admin\AppData\Local\Y58pMka\SppExtComObj.Exe
          C:\Users\Admin\AppData\Local\Y58pMka\SppExtComObj.Exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3896

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Y58pMka\ACTIVEDS.dll
          Filesize

          1.2MB

          MD5

          570a1ef7a514e385707a0113f26882f4

          SHA1

          54ac9d41f654f6cc42326307ac836981a4371ca0

          SHA256

          98027d643a15c31c1f5394da5ecfb71f49cfeb1bef2f5491e2d45bee627f95e0

          SHA512

          1e73bfe3b3ebfda6f2f899807c922890674a621b4fc09842e63969278534ec28345623684fe4f97503aebcd931211fee19de8e259355d84499df75679a6ed9d6

          Download Submit
        • C:\Users\Admin\AppData\Local\Y58pMka\SppExtComObj.Exe
          Filesize

          559KB

          MD5

          728a78909aa69ca0e976e94482350700

          SHA1

          6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

          SHA256

          2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

          SHA512

          22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

          Download Submit
        • C:\Users\Admin\AppData\Local\h2C\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          f65cfb756d1aba00927b918120befc4b

          SHA1

          82d01af041be09bddb7ba5065792cdf21b8e09ee

          SHA256

          2fb2d1f13b8654b06ff1ca71639355fc5b964bbc90c1bebaf3172fb6fe2d1ce4

          SHA512

          2184211e374de1396fdbf62adb735cb85d302432f45c58a783d2fb4b45ba96d616ae2ddf4964ba163f9066dc8eea5d4dd610e3cab10b6d89dffcd8e3ee6ece3a

          Download Submit
        • C:\Users\Admin\AppData\Local\h2C\mblctr.exe
          Filesize

          790KB

          MD5

          d3db14eabb2679e08020bcd0c96fa9f6

          SHA1

          578dca7aad29409634064579d269e61e1f07d9dd

          SHA256

          3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

          SHA512

          14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

          Download Submit
        • C:\Users\Admin\AppData\Local\vSEc837tU\DUI70.dll
          Filesize

          1.5MB

          MD5

          6eaa1e8f897a740e9faa8a5208818199

          SHA1

          909bb7bae4995d80a1f2ed242dfa3e49e036c832

          SHA256

          fafc50c94983b923182ae73c805d2848124fe6a46e0cf60d164b9463f04ba864

          SHA512

          75933bcbe0ab87bf76cbd4da778b591f1c93308f79bbcaaa2d6472c9c411146db32843ad819c00086ca766f35e52caa61e935c8018a96799c9284e2f657aabf6

          Download Submit
        • C:\Users\Admin\AppData\Local\vSEc837tU\wlrmdr.exe
          Filesize

          66KB

          MD5

          ef9bba7a637a11b224a90bf90a8943ac

          SHA1

          4747ec6efd2d41e049159249c2d888189bb33d1d

          SHA256

          2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

          SHA512

          4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
          Filesize

          1KB

          MD5

          919c2094f42a6085c16c6882b965b75d

          SHA1

          ac50a0b5c6b53d196443abca1c78e24bf4cfb091

          SHA256

          f1274126f09a458435d224f2de5f1a409db473b5b23136697f602e6d6a2eaa71

          SHA512

          c6207c3a721156a6dbf40fcc81627c3e3d66f58ae8c6296de5fedf56b83314d5893d78c05f5a9ba850e4a3b81e4fb7c0952f009677a4afd974f1e1141515cf0c

          Download Submit
        • memory/812-68-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/812-65-0x000001FDFCB90000-0x000001FDFCB97000-memory.dmp
          Filesize

          28KB

          Download
        • memory/812-62-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2064-0-0x000002A7E6B60000-0x000002A7E6B67000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2064-38-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2064-1-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2708-51-0x0000000140000000-0x0000000140188000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/2708-48-0x0000024187A30000-0x0000024187A37000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2708-45-0x0000000140000000-0x0000000140188000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/3420-9-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3420-11-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3420-32-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3420-33-0x00007FFEB469A000-0x00007FFEB469B000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3420-34-0x0000000000880000-0x0000000000887000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3420-35-0x00007FFEB6270000-0x00007FFEB6280000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3420-14-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3420-7-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3420-8-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3420-23-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3420-12-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3420-13-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3420-6-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3420-10-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3420-4-0x0000000002570000-0x0000000002571000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3896-85-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3896-82-0x00000155D5A40000-0x00000155D5A47000-memory.dmp
          Filesize

          28KB

          Download