Overview

overview

10

Static

static

3

060a84bec4...18.dll

windows7-x64

10

060a84bec4...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240729-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240729-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    060a84bec4029d28ef32d2da09fb89f0_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    060a84bec4029d28ef32d2da09fb89f0

  • SHA1

    01e4f103c7a644f11551433cd78daacb6fa120f2

  • SHA256

    a6db43ae471602cfbfd5321b0536f3afcc8b0314e54768fa4f593303193a7337

  • SHA512

    3e558efe6d582d27f042bcdda3b63c5075217a4cc1107474686c08fdac08d673c168bd61c1effe81e90d66401d3f5b75a15e61bb26a6af5fad4fc88d26ef1b0d

  • SSDEEP

    24576:zuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:99cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\060a84bec4029d28ef32d2da09fb89f0_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:228
  • C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
    C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
    1⤵
      PID:3604
    • C:\Users\Admin\AppData\Local\TIjb4TI\PasswordOnWakeSettingFlyout.exe
      C:\Users\Admin\AppData\Local\TIjb4TI\PasswordOnWakeSettingFlyout.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1856
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      1⤵
        PID:1204
      • C:\Users\Admin\AppData\Local\0FoKtCZg\wermgr.exe
        C:\Users\Admin\AppData\Local\0FoKtCZg\wermgr.exe
        1⤵
        • Executes dropped EXE
        PID:4956
      • C:\Windows\system32\msinfo32.exe
        C:\Windows\system32\msinfo32.exe
        1⤵
          PID:3856
        • C:\Users\Admin\AppData\Local\nEB63\msinfo32.exe
          C:\Users\Admin\AppData\Local\nEB63\msinfo32.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4336
        • C:\Windows\system32\cmstp.exe
          C:\Windows\system32\cmstp.exe
          1⤵
            PID:2740
          • C:\Users\Admin\AppData\Local\tBUjBI\cmstp.exe
            C:\Users\Admin\AppData\Local\tBUjBI\cmstp.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2372

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\0FoKtCZg\wermgr.exe
            Filesize

            223KB

            MD5

            f7991343cf02ed92cb59f394e8b89f1f

            SHA1

            573ad9af63a6a0ab9b209ece518fd582b54cfef5

            SHA256

            1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

            SHA512

            fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

            Download Submit

          • C:\Users\Admin\AppData\Local\TIjb4TI\PasswordOnWakeSettingFlyout.exe
            Filesize

            44KB

            MD5

            591a98c65f624c52882c2b238d6cd4c4

            SHA1

            c960d08c19d777069cf265dcc281807fbd8502d7

            SHA256

            5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

            SHA512

            1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

            Download Submit

          • C:\Users\Admin\AppData\Local\TIjb4TI\UxTheme.dll
            Filesize

            1.2MB

            MD5

            d559b549d067383178646e021c6d1dc3

            SHA1

            5ce2906026ba679827d19d45c78c21a5dfa55026

            SHA256

            502f45a05caa5c6e0fa1e0d40d206c73e00ab1f39264289b11581f68ed7505f0

            SHA512

            95e0d7900de4c592e32acbc139fb921846b7a90ff36e7d2e9f6d79752b4003d81f6517e3cddb49a888fc041527762cd50bf95c862f169a40ddee16f12bdd67ef

            Download Submit

          • C:\Users\Admin\AppData\Local\nEB63\SLC.dll
            Filesize

            1.2MB

            MD5

            d0c360525546b5f0e089c986c783f72a

            SHA1

            b146533018e87bce3f4fe4e93644086f52527dc2

            SHA256

            a9ca5a28bc9c67dd7848024b32a7200730ed08a670412fb3ac29bd015f4f74d6

            SHA512

            b945acf753ef2bdb30ccb8a4addd2bd9d769527d7d054c0a8733e57de8728015e6d7c87adcce4de28e40074cdae9298add7433668897ef58a814e3b5c566e858

            Download Submit

          • C:\Users\Admin\AppData\Local\nEB63\msinfo32.exe
            Filesize

            376KB

            MD5

            0aed91da63713bf9f881b03a604a1c9d

            SHA1

            b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

            SHA256

            5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

            SHA512

            04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

            Download Submit

          • C:\Users\Admin\AppData\Local\tBUjBI\VERSION.dll
            Filesize

            1.2MB

            MD5

            d08c960b434e46ba5240ccac7c5308dd

            SHA1

            93ccd1264d81c6e44a9d92216cf3867f957f9d62

            SHA256

            fc6462337af4a9edd608d632b03ce06b9e5ef53fdbc7754b60b795b30398bff7

            SHA512

            7c91d5dcfe4f0bf35b4256819089becdc3a89dd92fb05488ac5b1a38fa487c1f804b66ff87a1f5fab823e6783c1cefd428e4625349bfa738747244791ef99890

            Download Submit

          • C:\Users\Admin\AppData\Local\tBUjBI\cmstp.exe
            Filesize

            96KB

            MD5

            4cc43fe4d397ff79fa69f397e016df52

            SHA1

            8fd6cf81ad40c9b123cd75611860a8b95c72869c

            SHA256

            f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

            SHA512

            851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tuujykmh.lnk
            Filesize

            1KB

            MD5

            e19e5bc2e6506dbc5e64fd590866277f

            SHA1

            7c9bc588168a4afc78d710bf54b6e1168b2abcf3

            SHA256

            62bbd04ad191ebb98a345044693cea6232bc8ce9c2168517c6b04f14dbf962ee

            SHA512

            27948d8852d5bff2d2cbb19f02054f8304954f130cea43813edfe8690e8055342ca6ccaf44695498208a8b9acb65b433741a610d53d2ad675a63af718cb30fa4

            Download Submit

          • memory/228-39-0x00007FFE3CB60000-0x00007FFE3CC91000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/228-3-0x000001BCE4DC0000-0x000001BCE4DC7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/228-0-0x00007FFE3CB60000-0x00007FFE3CC91000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1856-46-0x00007FFE3CB60000-0x00007FFE3CC92000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1856-52-0x00007FFE3CB60000-0x00007FFE3CC92000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1856-49-0x00000268A4AD0000-0x00000268A4AD7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2372-92-0x0000020F68AA0000-0x0000020F68AA7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2372-95-0x00007FFE3CB60000-0x00007FFE3CC92000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-35-0x0000000001010000-0x0000000001017000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3396-33-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-7-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-10-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-11-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-13-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-14-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-12-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-16-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-8-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-34-0x00007FFE46EAA000-0x00007FFE46EAB000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3396-38-0x00007FFE47610000-0x00007FFE47620000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3396-4-0x0000000001050000-0x0000000001051000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3396-9-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-24-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-15-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3396-6-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4336-77-0x00007FFE3CB60000-0x00007FFE3CC92000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4336-71-0x0000026674170000-0x0000026674177000-memory.dmp

            Filesize

            28KB

            Download