Overview

overview

10

Static

static

3

7303cf0368...18.dll

windows7-x64

10

7303cf0368...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7303cf03681a2d8ce2bb2394c9ad8b2d_JaffaCakes118.dll

  • Size

    989KB

  • MD5

    7303cf03681a2d8ce2bb2394c9ad8b2d

  • SHA1

    3f05fbfc73e0417121d2136ec9625be7e98b657d

  • SHA256

    d0b3168b35cde2b10104172a2f4ea91ccc3c2fc7adeb848d4db55c48d7a333da

  • SHA512

    f9ccb27b279372bb96cb954359e7343f19be65340aa9aed4d66011f6ac718ac5ef4a42675d08344ad667778bb3a24c9392128a3149a40087d804b93e219063be

  • SSDEEP

    24576:jVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:jV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7303cf03681a2d8ce2bb2394c9ad8b2d_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1296
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3404 /prefetch:8
    1⤵
      PID:4872
    • C:\Windows\system32\DisplaySwitch.exe
      C:\Windows\system32\DisplaySwitch.exe
      1⤵
        PID:4584
      • C:\Users\Admin\AppData\Local\Ryvq6Iw\DisplaySwitch.exe
        C:\Users\Admin\AppData\Local\Ryvq6Iw\DisplaySwitch.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3532
      • C:\Windows\system32\BitLockerWizardElev.exe
        C:\Windows\system32\BitLockerWizardElev.exe
        1⤵
          PID:4880
        • C:\Users\Admin\AppData\Local\qLB9ouOYQ\BitLockerWizardElev.exe
          C:\Users\Admin\AppData\Local\qLB9ouOYQ\BitLockerWizardElev.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:324
        • C:\Windows\system32\DmNotificationBroker.exe
          C:\Windows\system32\DmNotificationBroker.exe
          1⤵
            PID:1092
          • C:\Users\Admin\AppData\Local\PWsR\DmNotificationBroker.exe
            C:\Users\Admin\AppData\Local\PWsR\DmNotificationBroker.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:4564

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Query Registry

          1
          T1012

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\PWsR\DUI70.dll
            Filesize

            1.2MB

            MD5

            e8996ab8c0fb0ba1c01acaf31854fea1

            SHA1

            2c8c773e910e3dec71845e1ee2a607792dd4adf6

            SHA256

            e97979851b97d42e2e83c8255ec2061b3548fc1f772b5548986cb345d9267bf1

            SHA512

            2127684e14fb1befd4e8350d87cbc677b26cdef7198e7600c6f8ea4c7077df24f6ec13d154f829485acf12126504539395cce6c554b34f8134cf992f8be748cd

            Download Submit
          • C:\Users\Admin\AppData\Local\PWsR\DmNotificationBroker.exe
            Filesize

            32KB

            MD5

            f0bdc20540d314a2aad951c7e2c88420

            SHA1

            4ab344595a4a81ab5f31ed96d72f217b4cee790b

            SHA256

            f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5

            SHA512

            cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa

            Download Submit
          • C:\Users\Admin\AppData\Local\Ryvq6Iw\DisplaySwitch.exe
            Filesize

            1.8MB

            MD5

            5338d4beddf23db817eb5c37500b5735

            SHA1

            1b5c56f00b53fca3205ff24770203af46cbc7c54

            SHA256

            8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

            SHA512

            173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

            Download Submit
          • C:\Users\Admin\AppData\Local\Ryvq6Iw\dwmapi.dll
            Filesize

            991KB

            MD5

            56b393032a8726505ff74ea9021c62b3

            SHA1

            f063030926cf92398f2b10b7380f2e8793fc58ca

            SHA256

            4e7aa1f17fba950f3f94a629e91debb69ffd9640742db00d1a2944227fe2680e

            SHA512

            67a1b409f826f562071e89fda056550cbe343e692bd3af582ff35d3f19990ee28434a1b22535db8ffa21855b89445aaf311947a73a802696391459dbc0554ca5

            Download Submit
          • C:\Users\Admin\AppData\Local\qLB9ouOYQ\BitLockerWizardElev.exe
            Filesize

            100KB

            MD5

            8ac5a3a20cf18ae2308c64fd707eeb81

            SHA1

            31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

            SHA256

            803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

            SHA512

            85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

            Download Submit
          • C:\Users\Admin\AppData\Local\qLB9ouOYQ\FVEWIZ.dll
            Filesize

            991KB

            MD5

            e08875e49b8069c45c2af649bf385618

            SHA1

            4c396a9865b2c9e9fc95d680b549ac29e1686135

            SHA256

            080fa2d1d9d238a43d65b4e55f4e6ce1550bf6cafda082f5a52dda08f7b668c6

            SHA512

            923d87074e31070ef06f7e2828baa9440d130f1f515a6fcbd49fd2055a36ac232eadf3d8cf528d37f10e77e4d7d956d23849fa24e213a5f71d044075c0d7a864

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xpqmtuztdhk.lnk
            Filesize

            1KB

            MD5

            6e487f81e16a37804bec77f2b5ba2308

            SHA1

            0436c9798b762cd5437e7e1601e9741f0863fa75

            SHA256

            b41e0c22784b7951a3d28dc14f4a588c838beaa17c758e6706e40c428c467084

            SHA512

            db6010f43ba12f79bdadaa057128e841fed5ddd206fd7d8e6179ad4e2c0704689340b6ce7c10b4b45875d8e2145da18497b087eb636a8d2e45ea30a59f1104b6

            Download Submit
          • memory/324-67-0x0000000140000000-0x00000001400FD000-memory.dmp
            Filesize

            1012KB

            Download
          • memory/324-64-0x000001C761DB0000-0x000001C761DB7000-memory.dmp
            Filesize

            28KB

            Download
          • memory/1296-37-0x0000000140000000-0x00000001400FC000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/1296-0-0x0000000140000000-0x00000001400FC000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/1296-3-0x000001A953E40000-0x000001A953E47000-memory.dmp
            Filesize

            28KB

            Download
          • memory/3524-35-0x0000000000700000-0x0000000000707000-memory.dmp
            Filesize

            28KB

            Download
          • memory/3524-12-0x0000000140000000-0x00000001400FC000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/3524-7-0x0000000140000000-0x00000001400FC000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/3524-13-0x0000000140000000-0x00000001400FC000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/3524-9-0x0000000140000000-0x00000001400FC000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/3524-32-0x0000000140000000-0x00000001400FC000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/3524-10-0x0000000140000000-0x00000001400FC000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/3524-6-0x00007FF80332A000-0x00007FF80332B000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3524-11-0x0000000140000000-0x00000001400FC000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/3524-4-0x0000000000780000-0x0000000000781000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3524-36-0x00007FF8048F0000-0x00007FF804900000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3524-14-0x0000000140000000-0x00000001400FC000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/3524-23-0x0000000140000000-0x00000001400FC000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/3524-8-0x0000000140000000-0x00000001400FC000-memory.dmp
            Filesize

            1008KB

            Download
          • memory/3532-50-0x0000000140000000-0x00000001400FD000-memory.dmp
            Filesize

            1012KB

            Download
          • memory/3532-45-0x0000000140000000-0x00000001400FD000-memory.dmp
            Filesize

            1012KB

            Download
          • memory/3532-44-0x0000025F11360000-0x0000025F11367000-memory.dmp
            Filesize

            28KB

            Download
          • memory/4564-81-0x0000022D2ACA0000-0x0000022D2ACA7000-memory.dmp
            Filesize

            28KB

            Download
          • memory/4564-78-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4564-84-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download