Overview

overview

10

Static

static

3

805cfbdf86...18.dll

windows7-x64

10

805cfbdf86...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2024 10:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    805cfbdf86f0b96d764ec4d94cf2360c_JaffaCakes118.dll

  • Size

    987KB

  • MD5

    805cfbdf86f0b96d764ec4d94cf2360c

  • SHA1

    135e15ca1b80483e83e016dbcb11ba64dd289b7e

  • SHA256

    976e368f1c88cbaa179d651e604ec02dc14db5548b5051c9a70de81b1c41a600

  • SHA512

    992432c661273be9c0f7ad6e9568f5b892e8d6626c99347b31bb39f02e4acfe1bac47d63a7e20e8459e76840c26187c385bb6e1c88f350146e2bff6d1d3c6045

  • SSDEEP

    24576:4VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:4V8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\805cfbdf86f0b96d764ec4d94cf2360c_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3456
  • C:\Windows\system32\slui.exe
    C:\Windows\system32\slui.exe
    1⤵
      PID:3004
    • C:\Users\Admin\AppData\Local\FOS\slui.exe
      C:\Users\Admin\AppData\Local\FOS\slui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4852
    • C:\Windows\system32\mblctr.exe
      C:\Windows\system32\mblctr.exe
      1⤵
        PID:4972
      • C:\Users\Admin\AppData\Local\9yegC\mblctr.exe
        C:\Users\Admin\AppData\Local\9yegC\mblctr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3784
      • C:\Windows\system32\dccw.exe
        C:\Windows\system32\dccw.exe
        1⤵
          PID:4588
        • C:\Users\Admin\AppData\Local\5tbJZq\dccw.exe
          C:\Users\Admin\AppData\Local\5tbJZq\dccw.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3512

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\5tbJZq\dccw.exe
          Filesize

          101KB

          MD5

          cb9374911bf5237179785c739a322c0f

          SHA1

          3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

          SHA256

          f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

          SHA512

          9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

          Download Submit
        • C:\Users\Admin\AppData\Local\5tbJZq\mscms.dll
          Filesize

          992KB

          MD5

          dd2bb3428d9011e5e52b16638bfb6490

          SHA1

          65ac64b60519d369f2bc91525a70aec511202033

          SHA256

          7e46f570af8392e3961e527700b4e0e7daff56f9a23f308c49dbdf8ae6c14e4b

          SHA512

          3e18eb0c947ec8e6799dc2a38d4c62af880a84a792fa11f365dedfe780dbb5eb344e9ffa688ab9e5dec72d30afe09dfb84a9fccc7ba407cce6be116fa0b32aaf

          Download Submit
        • C:\Users\Admin\AppData\Local\9yegC\WTSAPI32.dll
          Filesize

          989KB

          MD5

          e3eacb839a96034daf2f4782581da822

          SHA1

          675dff15becea1bfe947d877fb4035763f2121c1

          SHA256

          e9d5eb333e8893264b17de61c86b220c95dc6ee51ebf12e591dd510f00bb05d2

          SHA512

          af093c2c67e282a98a258f0731f0b6797940fdc918a41f813f3c4bc9d36314e985c199077558d4873635c212f2bde091680c5164aea23b16b6a101fb91d30cc4

          Download Submit
        • C:\Users\Admin\AppData\Local\9yegC\mblctr.exe
          Filesize

          790KB

          MD5

          d3db14eabb2679e08020bcd0c96fa9f6

          SHA1

          578dca7aad29409634064579d269e61e1f07d9dd

          SHA256

          3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

          SHA512

          14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

          Download Submit
        • C:\Users\Admin\AppData\Local\FOS\WINBRAND.dll
          Filesize

          988KB

          MD5

          e819d984ad5afddf1856c8d9677fe301

          SHA1

          ae4dde87a5480a7acf82f496e93aa5bbd7e74fbf

          SHA256

          93063c55c9c4962730ec4804b4e5d832aa2b1f3779b095504ae92a892dfb6a73

          SHA512

          cd113ea8756da7a4dda2faac242129c23dfeea0898b84eb98014f456854951bf313398941ef2f7e16786223252062c51cf062cd9553a29e9866642fb63b7d029

          Download Submit
        • C:\Users\Admin\AppData\Local\FOS\slui.exe
          Filesize

          534KB

          MD5

          eb725ea35a13dc18eac46aa81e7f2841

          SHA1

          c0b3304c970324952e18c4a51073e3bdec73440b

          SHA256

          25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

          SHA512

          39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hjyomsugwtoazg.lnk
          Filesize

          1KB

          MD5

          545defcac363b552485b395944b0c741

          SHA1

          7a12963e204f56f5c26be5ea2a503df054fb974e

          SHA256

          faf01e9b741775c894c41988176882e1e9ee2344b308432da4ed6fdbab176b0c

          SHA512

          2fd1016cca651b699e12a81da7599d1e103e2b7389aa1f29f6e925b0a54f195fed566ed703caa9c24daa47cf74f1ce6085486d39c8eb12df1285b87c97915514

          Download Submit
        • memory/3416-14-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3416-8-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3416-32-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3416-36-0x00007FFA2D170000-0x00007FFA2D180000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3416-11-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3416-10-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3416-9-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3416-35-0x0000000007D00000-0x0000000007D07000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3416-7-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3416-23-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3416-13-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3416-12-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3416-4-0x0000000008A50000-0x0000000008A51000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3416-6-0x00007FFA2CF2A000-0x00007FFA2CF2B000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3456-37-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3456-2-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3456-0-0x000001F9FBCD0000-0x000001F9FBCD7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3512-78-0x0000018E492F0000-0x0000018E492F7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3512-79-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3512-84-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3784-64-0x000001F7C2000000-0x000001F7C2007000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3784-67-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4852-50-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4852-45-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4852-44-0x000002147B0E0000-0x000002147B0E7000-memory.dmp
          Filesize

          28KB

          Download