Overview

overview

10

Static

static

3

87c3545cdc...18.dll

windows7-x64

10

87c3545cdc...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    87c3545cdce9ac4de4d6b4b059dc87ba_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    87c3545cdce9ac4de4d6b4b059dc87ba

  • SHA1

    59faa155317c706c9cd0898511a9b55266db63d3

  • SHA256

    69410188e366c90d44d0f848b78601bd6174f0fb9825fb449368fc37aa6fb0ef

  • SHA512

    7f9dff0546abea7fb00682599d467f7c37acc4e6cadb59a814d12023eb33e5586a485d2657c6c47a2777198a63083855d5f10a08bbf19b519c93c826d94299ef

  • SSDEEP

    24576:xVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:xV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\87c3545cdce9ac4de4d6b4b059dc87ba_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:5780
  • C:\Windows\system32\RdpSa.exe
    C:\Windows\system32\RdpSa.exe
    1⤵
      PID:1584
    • C:\Users\Admin\AppData\Local\Zez\RdpSa.exe
      C:\Users\Admin\AppData\Local\Zez\RdpSa.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2148
    • C:\Windows\system32\BdeUISrv.exe
      C:\Windows\system32\BdeUISrv.exe
      1⤵
        PID:2080
      • C:\Users\Admin\AppData\Local\8xCh\BdeUISrv.exe
        C:\Users\Admin\AppData\Local\8xCh\BdeUISrv.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:948
      • C:\Windows\system32\tcmsetup.exe
        C:\Windows\system32\tcmsetup.exe
        1⤵
          PID:5900
        • C:\Users\Admin\AppData\Local\IuBp\tcmsetup.exe
          C:\Users\Admin\AppData\Local\IuBp\tcmsetup.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1488

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8xCh\BdeUISrv.exe
          Filesize

          54KB

          MD5

          8595075667ff2c9a9f9e2eebc62d8f53

          SHA1

          c48b54e571f05d4e21d015bb3926c2129f19191a

          SHA256

          20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

          SHA512

          080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

          Download Submit

        • C:\Users\Admin\AppData\Local\8xCh\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          115ce9e43b254fa1a1cf2f28861ed775

          SHA1

          ff2d81d910885c7671d63a04fc2c104e3dcc34da

          SHA256

          3d2a06d6d43307b25dc6500575fa72737ce18d85eaeac33358c364d0d3fe04d1

          SHA512

          e7ae7cb4c8c797e3892763c99dda97ba575a252c9ec9f7dbd94d18754de88dc40b0c865394fab8530dcdcfba19dd58aa3f4a6ff1076beb4b2c342f9140f92279

          Download Submit

        • C:\Users\Admin\AppData\Local\IuBp\TAPI32.dll
          Filesize

          1.2MB

          MD5

          a8aa52d0d428a459dd0492601e090793

          SHA1

          151dd865244776839a48c3cf884e3e618b8f9625

          SHA256

          3b8a82c2c6fb7ec57138a76f1cec2f054335df931b65eb73a4c0d273b181d1dc

          SHA512

          505da7688165e787cd9d3361dace482785ef90afa82fbdc6ab93c973e5d1172f5f76fed1dd5c14ebc28db14a086894c997008516fa7aaa5904727d28e14f05b7

          Download Submit

        • C:\Users\Admin\AppData\Local\IuBp\tcmsetup.exe
          Filesize

          16KB

          MD5

          58f3b915b9ae7d63431772c2616b0945

          SHA1

          6346e837da3b0f551becb7cac6d160e3063696e9

          SHA256

          e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

          SHA512

          7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

          Download Submit

        • C:\Users\Admin\AppData\Local\Zez\RdpSa.exe
          Filesize

          56KB

          MD5

          5992f5b5d0b296b83877da15b54dd1b4

          SHA1

          0d87be8d4b7aeada4b55d1d05c0539df892f8f82

          SHA256

          32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

          SHA512

          4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

          Download Submit

        • C:\Users\Admin\AppData\Local\Zez\WINSTA.dll
          Filesize

          1.2MB

          MD5

          e8bb099506f40f12e19fb512493e209b

          SHA1

          3364370ea5f454e3a8258f545b6a99aac30def73

          SHA256

          d53a3c5a840ed606e8816f54cea93cbe73ca2acad851241fda629ecb597fd150

          SHA512

          7e94d50571721c4631c91a3895ecc693ca39b8c18d3420c97ecd634c63c6e272cdf9891e79e4085b523663a73b8b679c40b634a98e7818bd5e1a59c7270e29f2

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
          Filesize

          1KB

          MD5

          a33d50199fc8a49e3a5382bf1cf7cd87

          SHA1

          d0dfbc5c700eccea6d4215d32187b69d3d673fa9

          SHA256

          641568dab044ee273fdb6b0ebd7c2ceb700a4e7c1e932abf40b06e24351be145

          SHA512

          bcc02823eebbabf5c19d73f48a976a8309bc31409688d542faf42ae3d1c2ceb9eade41c5daad6d55cb12fbc73cfbce050e85e91e5c44784f62674bc084ef3a59

          Download Submit

        • memory/948-69-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/948-66-0x000001C76EBB0000-0x000001C76EBB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/948-63-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1488-85-0x0000024EAFAC0000-0x0000024EAFAC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1488-88-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2148-52-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2148-49-0x0000029154620000-0x0000029154627000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2148-47-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3384-15-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3384-13-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3384-9-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3384-4-0x00000000077B0000-0x00000000077B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3384-8-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3384-7-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3384-10-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3384-11-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3384-12-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3384-6-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3384-14-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3384-24-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3384-28-0x00007FFA208BA000-0x00007FFA208BB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3384-29-0x00000000077D0000-0x00000000077D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3384-30-0x00007FFA21790000-0x00007FFA217A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3384-36-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/5780-3-0x0000018414BB0000-0x0000018414BB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5780-39-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/5780-0-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download