Overview

overview

10

Static

static

3

75041e0800...18.dll

windows7-x64

10

75041e0800...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 09:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    75041e080029f4260716ff47118a17c9_JaffaCakes118.dll

  • Size

    994KB

  • MD5

    75041e080029f4260716ff47118a17c9

  • SHA1

    fdc117f6d7d18d6598fc9567ede55f1e7d8ff660

  • SHA256

    c83732ddabc264f9189e924b6644cbc263292ffd804a71a6ae270cd35d271f6f

  • SHA512

    0f290adb6563ef04f7201fb8291f66b234aad9509ec4b99e1d9298e394934fce9460a701f28eac75575a1cec03bc7c83084ab2dc14d079ba474b92b6368c6e64

  • SSDEEP

    24576:lVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:lV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\75041e080029f4260716ff47118a17c9_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4776
  • C:\Windows\system32\RdpSaUacHelper.exe
    C:\Windows\system32\RdpSaUacHelper.exe
    1⤵
      PID:2008
    • C:\Users\Admin\AppData\Local\VeUDcg\RdpSaUacHelper.exe
      C:\Users\Admin\AppData\Local\VeUDcg\RdpSaUacHelper.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1192
    • C:\Windows\system32\rdpinput.exe
      C:\Windows\system32\rdpinput.exe
      1⤵
        PID:4492
      • C:\Users\Admin\AppData\Local\rT1660Y\rdpinput.exe
        C:\Users\Admin\AppData\Local\rT1660Y\rdpinput.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3424
      • C:\Windows\system32\BitLockerWizard.exe
        C:\Windows\system32\BitLockerWizard.exe
        1⤵
          PID:3472
        • C:\Users\Admin\AppData\Local\tiy\BitLockerWizard.exe
          C:\Users\Admin\AppData\Local\tiy\BitLockerWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:464

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\VeUDcg\RdpSaUacHelper.exe
          Filesize

          33KB

          MD5

          0d5b016ac7e7b6257c069e8bb40845de

          SHA1

          5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

          SHA256

          6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

          SHA512

          cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

          Download Submit
        • C:\Users\Admin\AppData\Local\VeUDcg\WINSTA.dll
          Filesize

          1001KB

          MD5

          0f40bd9f1ff71b0a17574ed6ad31e9c2

          SHA1

          1e12f717e8c67952629f0757318061476f331866

          SHA256

          03c51e63aa392e34493b6ad9e40abcb82bf201039c80fb04abf280041baf227a

          SHA512

          a0eb53918a4a46b80ef7facf60bc447dbce621ad8b747c39ce10f95bcd80e1ccdee6a85318d8a9e6bdc80c18f10487a7c3a226fc50f5a4ba8bfc2c7a21bea148

          Download Submit
        • C:\Users\Admin\AppData\Local\rT1660Y\WTSAPI32.dll
          Filesize

          997KB

          MD5

          c032e8dc1f1bfc29505916e251031ea6

          SHA1

          d0bc2dbe1192d552d820b35d68cb5c825a7a6c9d

          SHA256

          18439a66494203ff94423d9a06a10017cc1061eaf6c96a037023bc8823bdb8aa

          SHA512

          855cb5f390b15dada6b451df03c046569a68aa409a7fba96f31ee0d472fa38825d3b8c2102eabd5e63c3e891af180685c3177da25feb2169577395212f1a05a7

          Download Submit
        • C:\Users\Admin\AppData\Local\rT1660Y\rdpinput.exe
          Filesize

          180KB

          MD5

          bd99eeca92869f9a3084d689f335c734

          SHA1

          a2839f6038ea50a4456cd5c2a3ea003e7b77688c

          SHA256

          39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

          SHA512

          355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

          Download Submit
        • C:\Users\Admin\AppData\Local\tiy\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit
        • C:\Users\Admin\AppData\Local\tiy\FVEWIZ.dll
          Filesize

          997KB

          MD5

          a6d12d0907258e312b73ef574121237f

          SHA1

          4580924e6e7a8927086abad4b4b47db64dba84d1

          SHA256

          15ad9b824b66b0794709eab0831788f064c898a7eaae352689c1cc8fee8577ee

          SHA512

          117ae985472f6acd539879b57af655c4e5c63860d2759dcc0e702dd3126c9c5fd033530483dc90fc21c7f7f30274ec633dd30338771fdc66126921f0151b0107

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
          Filesize

          1KB

          MD5

          f8b02b9f59d8f4326c0b1663aa90018d

          SHA1

          98d22370ccb1e32b761eeb0973df021bba49e363

          SHA256

          f562ce510f4f6021ffa54f13b79cbca2071a1eaf96e08174a4d149d5f9cb4d5c

          SHA512

          3046adc12a14e98d9cfaa9cb4de72902c1b5230bda06b25e7fc45e22359bb25947af33632e05b28463224ac5db0049d18705ab50b5f4a913a8882fc03fee5851

          Download Submit
        • memory/464-82-0x00000224F3BA0000-0x00000224F3BA7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/464-85-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/1192-51-0x0000000140000000-0x0000000140100000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/1192-46-0x0000000140000000-0x0000000140100000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/1192-45-0x000001F7C4040000-0x000001F7C4047000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3424-62-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/3424-65-0x000001A05E2F0000-0x000001A05E2F7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3424-68-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/3500-35-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3500-32-0x00000000084A0000-0x00000000084A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3500-6-0x00007FFE041AA000-0x00007FFE041AB000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3500-12-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3500-11-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3500-15-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3500-8-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3500-9-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3500-10-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3500-7-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3500-4-0x00000000084C0000-0x00000000084C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3500-33-0x00007FFE04630000-0x00007FFE04640000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3500-24-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3500-13-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3500-14-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/4776-0-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/4776-38-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/4776-3-0x0000014418550000-0x0000014418557000-memory.dmp
          Filesize

          28KB

          Download