Overview

overview

10

Static

static

3

54af4213db...18.dll

windows7-x64

10

54af4213db...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-05-2024 12:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54af4213db5f39efc01549040d6bd451_JaffaCakes118.dll

  • Size

    994KB

  • MD5

    54af4213db5f39efc01549040d6bd451

  • SHA1

    0d8faf654805116aba476def35902b5c4f9ac363

  • SHA256

    5af0a2900c62e7719bab11ff2e1b919266722b295b68e36c7112d036cc15afb5

  • SHA512

    8e3608df45d882c57400e9f1497a8f9e9be57a519626ff72c28c40c7833c915beb5544b06f4b34217b3c0c0f7b2696bbf72ff78a7182a3e7247ee81055b57b4d

  • SSDEEP

    24576:dVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:dV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\54af4213db5f39efc01549040d6bd451_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3300
  • C:\Windows\system32\quickassist.exe
    C:\Windows\system32\quickassist.exe
    1⤵
      PID:1784
    • C:\Users\Admin\AppData\Local\R1TzX\quickassist.exe
      C:\Users\Admin\AppData\Local\R1TzX\quickassist.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2064
    • C:\Windows\system32\mstsc.exe
      C:\Windows\system32\mstsc.exe
      1⤵
        PID:1036
      • C:\Users\Admin\AppData\Local\KkG\mstsc.exe
        C:\Users\Admin\AppData\Local\KkG\mstsc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1280
      • C:\Windows\system32\InfDefaultInstall.exe
        C:\Windows\system32\InfDefaultInstall.exe
        1⤵
          PID:3852
        • C:\Users\Admin\AppData\Local\oXQzSf\InfDefaultInstall.exe
          C:\Users\Admin\AppData\Local\oXQzSf\InfDefaultInstall.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4832

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\KkG\VERSION.dll
          Filesize

          995KB

          MD5

          2da9d1b3f154a0be1a008948ba4debc3

          SHA1

          4bbc0319d7efed749e3aaf6f80be8c496f174ade

          SHA256

          4e9da0b48bfbd0bd83ec5928e6796e3e990dac80691fb74dfeb4ea7c170d6bf1

          SHA512

          582e1de093e858808ddbb88b4271fa0c8598d87cdc8e75d3c6549988b0592f2e29e1b69d0164baa433d21a8745e4819cd98a5347681f228404aca6401f36132c

          Download Submit

        • C:\Users\Admin\AppData\Local\KkG\mstsc.exe
          Filesize

          1.5MB

          MD5

          3a26640414cee37ff5b36154b1a0b261

          SHA1

          e0c28b5fdf53a202a7543b67bbc97214bad490ed

          SHA256

          1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f

          SHA512

          76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

          Download Submit

        • C:\Users\Admin\AppData\Local\R1TzX\UxTheme.dll
          Filesize

          997KB

          MD5

          212605a5773ae264665f43e9ca8cd404

          SHA1

          3563bafbeb07d2a17ce17e8c3f92b8d6c08f446e

          SHA256

          aa8bfb2a0193e56e9ffccaec787dbccc33cd8eaee6407ad230bd53ef14e63f8c

          SHA512

          4f361de52959750714b541f62e98f05b317556d28bf75641816edcbdb18dd8330427bcf1cb4363d6eb8989435ef932be213c6ae0915a10561e7c9c1c07ea07bc

          Download Submit

        • C:\Users\Admin\AppData\Local\R1TzX\quickassist.exe
          Filesize

          665KB

          MD5

          d1216f9b9a64fd943539cc2b0ddfa439

          SHA1

          6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

          SHA256

          c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

          SHA512

          c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

          Download Submit

        • C:\Users\Admin\AppData\Local\oXQzSf\InfDefaultInstall.exe
          Filesize

          13KB

          MD5

          ee18876c1e5de583de7547075975120e

          SHA1

          f7fcb3d77da74deee25de9296a7c7335916504e3

          SHA256

          e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d

          SHA512

          08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

          Download Submit

        • C:\Users\Admin\AppData\Local\oXQzSf\newdev.dll
          Filesize

          995KB

          MD5

          ab1dfde67776a51534cca2ceeaba5454

          SHA1

          3544200b2e68d3d359ff057ca0da5efe5c534a6c

          SHA256

          66baebd9334bfdabf76bdc634f44302a2937de3d8c7898c0c55a2e5bad2afca0

          SHA512

          c05aff43b906f36d06893cc030d995528de81664fd9a07cf5e1fb2aca33d92d23ac7e9f8976ff29e1058508600c9779cdc4ea28afcfb44d3e1ae4a1ef6ee0843

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
          Filesize

          1KB

          MD5

          3cf99342a44780c0ff253d0cd6b5b473

          SHA1

          74ac7cc83dcc98fcd05f4d0cbdba6772b46f2aa6

          SHA256

          dcbcdecc9df57b53ef867679896664797ae95123992f7e628a774be74121af54

          SHA512

          d1351a183c0324a14515d879ad05740ca420582cb9e8b091887709e395643fdc155def56362d34e2181a25873d06c7106fe2c4357134eeb134e3a9e8808179a5

          Download Submit

        • memory/1280-64-0x00000210EBCC0000-0x00000210EBCC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1280-66-0x0000000140000000-0x00000001400FE000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/2064-44-0x0000000140000000-0x00000001400FE000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/2064-50-0x0000000140000000-0x00000001400FE000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/2064-47-0x000001D074180000-0x000001D074187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3300-0-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3300-37-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3300-3-0x0000025E26820000-0x0000025E26827000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-28-0x00007FFFB65B0000-0x00007FFFB65C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-14-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3520-8-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3520-9-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3520-10-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3520-11-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3520-12-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3520-34-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3520-27-0x0000000002B10000-0x0000000002B17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-23-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3520-13-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3520-7-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3520-4-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-6-0x00007FFFB642A000-0x00007FFFB642B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4832-82-0x0000000140000000-0x00000001400FE000-memory.dmp

          Filesize

          1016KB

          Download