Overview

overview

10

Static

static

3

a03c427291...18.dll

windows7-x64

10

a03c427291...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-06-2024 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a03c427291b7a95b1aab3b2d9839a4ac_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    a03c427291b7a95b1aab3b2d9839a4ac

  • SHA1

    f65ffc2a7a1d263bfa112d9bade412e2907a06fb

  • SHA256

    439fb687b9a2d78aa8385a756084b8c76c40972a59030daa92153cc60b8fa7d1

  • SHA512

    504fcbed01f3c79a4a32bf3646f5ac7d4933e2b0f374a8782b7d227cee484c929c6021c7359e707158d669bbe6fa1a8f887a063b03cb50b45d1e4562adbee208

  • SSDEEP

    24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a03c427291b7a95b1aab3b2d9839a4ac_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2920
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    1⤵
      PID:828
    • C:\Users\Admin\AppData\Local\YPMD5avn\BitLockerWizard.exe
      C:\Users\Admin\AppData\Local\YPMD5avn\BitLockerWizard.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2696
    • C:\Windows\system32\consent.exe
      C:\Windows\system32\consent.exe
      1⤵
        PID:3192
      • C:\Users\Admin\AppData\Local\ffoKKzT\consent.exe
        C:\Users\Admin\AppData\Local\ffoKKzT\consent.exe
        1⤵
        • Executes dropped EXE
        PID:2168
      • C:\Windows\system32\MusNotificationUx.exe
        C:\Windows\system32\MusNotificationUx.exe
        1⤵
          PID:3360
        • C:\Users\Admin\AppData\Local\nAX2\MusNotificationUx.exe
          C:\Users\Admin\AppData\Local\nAX2\MusNotificationUx.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4968
        • C:\Windows\system32\isoburn.exe
          C:\Windows\system32\isoburn.exe
          1⤵
            PID:3884
          • C:\Users\Admin\AppData\Local\cXgY\isoburn.exe
            C:\Users\Admin\AppData\Local\cXgY\isoburn.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:1308

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Query Registry

          1
          T1012

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\YPMD5avn\BitLockerWizard.exe
            Filesize

            100KB

            MD5

            6d30c96f29f64b34bc98e4c81d9b0ee8

            SHA1

            4a3adc355f02b9c69bdbe391bfb01469dee15cf0

            SHA256

            7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

            SHA512

            25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

            Download Submit
          • C:\Users\Admin\AppData\Local\YPMD5avn\FVEWIZ.dll
            Filesize

            1.2MB

            MD5

            d07c716fe54bbe24c5c1d3fbd0ca9c90

            SHA1

            96eecf472095c988e1c7e7697fdece82f0865d94

            SHA256

            484e2b7c66c22b4cd415c82d4e9fc4f5298189bd9d18e4b9648bd81ac49f3d10

            SHA512

            8875e9bc6ec7f6ec9e2db89fbcde9be1717172910cf64809f53e69c8ede7c4e9ed9584aa8ae3d1f155ef6366944ed75b5f987d9936c6617e53f7f9a399bc5506

            Download Submit
          • C:\Users\Admin\AppData\Local\cXgY\UxTheme.dll
            Filesize

            1.2MB

            MD5

            9bf1dd1a536148da598b240ee80e4447

            SHA1

            b76eed504e848d61a849b4f4e63c972fa7bb61ed

            SHA256

            4018f166c09de97171b9538eda8dffc899ca7719f3454fca6b8250472b1d61ed

            SHA512

            e37d569643f72eb782a3f5a2d1cbc8480f956364690b406c6999dcb5f09300e19551979ba9d4b87229a0e88d0317a51370dc6401ff32d1e9d10f6ccc83634f54

            Download Submit
          • C:\Users\Admin\AppData\Local\cXgY\isoburn.exe
            Filesize

            119KB

            MD5

            68078583d028a4873399ae7f25f64bad

            SHA1

            a3c928fe57856a10aed7fee17670627fe663e6fe

            SHA256

            9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567

            SHA512

            25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

            Download Submit
          • C:\Users\Admin\AppData\Local\ffoKKzT\consent.exe
            Filesize

            162KB

            MD5

            6646631ce4ad7128762352da81f3b030

            SHA1

            1095bd4b63360fc2968d75622aa745e5523428ab

            SHA256

            56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64

            SHA512

            1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

            Download Submit
          • C:\Users\Admin\AppData\Local\nAX2\MusNotificationUx.exe
            Filesize

            615KB

            MD5

            869a214114a81712199f3de5d69d9aad

            SHA1

            be973e4188eff0d53fdf0e9360106e8ad946d89f

            SHA256

            405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

            SHA512

            befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

            Download Submit
          • C:\Users\Admin\AppData\Local\nAX2\XmlLite.dll
            Filesize

            1.2MB

            MD5

            b4877932f4a32f2f84fb501817d27987

            SHA1

            e104ff0c7f152cb51184690a50a9d4f13cc40e61

            SHA256

            db82423c0aba4a6716d3d3377e826f15bf465a91efbef9e165f354912b764067

            SHA512

            63ce6ef7d1791abe744e8cf677b1200e0eb6f91245d8c274ab0169a7210975a4e3c00b8f81065fc802b39e96549a65773c780f7d0f63978f2edcbe10816f0ce0

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Jbphew.lnk
            Filesize

            1KB

            MD5

            4cccbaf004b904d050eb7cb7be222492

            SHA1

            2b517480cbf5c3c0ee36b4c84007dabf7f34b444

            SHA256

            a079da3bed61aa7a3f3b4fb55baf046e61055d53fb7eae01241155487be8026d

            SHA512

            774ed50aa846ed9b602e43b011aab8d63095b62c5578a29f77ae4bb3e29881da719f08bf2fcc1d87ff4ad16b05a236bb74be965215a4391effb9e62b6ceba536

            Download Submit
          • memory/1308-92-0x0000000140000000-0x0000000140143000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/2696-45-0x0000000140000000-0x0000000140143000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/2696-50-0x0000000140000000-0x0000000140143000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/2696-48-0x000001F9F8F20000-0x000001F9F8F27000-memory.dmp
            Filesize

            28KB

            Download
          • memory/2920-38-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/2920-1-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/2920-3-0x000001876C070000-0x000001876C077000-memory.dmp
            Filesize

            28KB

            Download
          • memory/3432-28-0x0000000002E00000-0x0000000002E07000-memory.dmp
            Filesize

            28KB

            Download
          • memory/3432-35-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/3432-8-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/3432-9-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/3432-10-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/3432-11-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/3432-12-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/3432-14-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/3432-27-0x00007FFC8F48A000-0x00007FFC8F48B000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3432-7-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/3432-29-0x00007FFC8F890000-0x00007FFC8F8A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3432-4-0x0000000002E40000-0x0000000002E41000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3432-6-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/3432-23-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/3432-13-0x0000000140000000-0x0000000140142000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4968-76-0x0000000140000000-0x0000000140143000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/4968-73-0x000001E402A40000-0x000001E402A47000-memory.dmp
            Filesize

            28KB

            Download