Overview

overview

10

Static

static

3

0f3c2af0c1...18.dll

windows7-x64

10

0f3c2af0c1...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 07:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f3c2af0c1a23bc40eec9f73f691c054_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    0f3c2af0c1a23bc40eec9f73f691c054

  • SHA1

    9b81c96e11542a05ce7b7e57aae15bc5b9aae3e8

  • SHA256

    cf8cfd47e22b61c794f94665ca10aebc9466050a3cedc6489305079f9d1a8e42

  • SHA512

    ae1a29dcff7326980b73de0419620ba7fdeba01a5271687145635a22d5c4aaeb3c62a30263a32a5fd2bbee15088544da443d4045fd71fc58a3e95b0afd39f6d7

  • SSDEEP

    24576:WuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:W9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f3c2af0c1a23bc40eec9f73f691c054_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:556
  • C:\Windows\system32\quickassist.exe
    C:\Windows\system32\quickassist.exe
    1⤵
      PID:2824
    • C:\Users\Admin\AppData\Local\D0O\quickassist.exe
      C:\Users\Admin\AppData\Local\D0O\quickassist.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:208
    • C:\Windows\system32\rdpclip.exe
      C:\Windows\system32\rdpclip.exe
      1⤵
        PID:1796
      • C:\Users\Admin\AppData\Local\luhcKU\rdpclip.exe
        C:\Users\Admin\AppData\Local\luhcKU\rdpclip.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4960
      • C:\Windows\system32\msconfig.exe
        C:\Windows\system32\msconfig.exe
        1⤵
          PID:4808
        • C:\Users\Admin\AppData\Local\hhuyLu\msconfig.exe
          C:\Users\Admin\AppData\Local\hhuyLu\msconfig.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3288

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\D0O\UxTheme.dll
          Filesize

          1.2MB

          MD5

          b36789bd1fc85fd286ff5ce5c8182b8b

          SHA1

          4d41e603ba960e261d0fb8be8c4caaf27ef50b5b

          SHA256

          7a6ffebee75a92174120f129b31b52b09b3d3ee89f21dcc4adcdcca9ec82d19f

          SHA512

          a704094e0c72868e13e821f1263a6713076193f33bb0add0f403fa2456d008793b9e78f49c555a1fb148b67d8f745bab9ddd3de2a7cc5a82453231668114f822

          Download Submit

        • C:\Users\Admin\AppData\Local\D0O\quickassist.exe
          Filesize

          665KB

          MD5

          d1216f9b9a64fd943539cc2b0ddfa439

          SHA1

          6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

          SHA256

          c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

          SHA512

          c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

          Download Submit

        • C:\Users\Admin\AppData\Local\hhuyLu\VERSION.dll
          Filesize

          1.2MB

          MD5

          1dffc253b2480eb13347ab2584d275c4

          SHA1

          4fffdd3eda7936d3e603a516268b23657607db4c

          SHA256

          e225bfdaafb14b1cabab79b1d2240e15b170efafe28d00d724c4a7ebdf3e3b09

          SHA512

          44a9b770af4846f1f69925769c98b42f8746ab3c6b5fa5d8beeda3fcaa901d224ac491cff1f0247aaa830724e5559f3c8d0aeb1892aaef904a980a90e1b6559a

          Download Submit

        • C:\Users\Admin\AppData\Local\hhuyLu\msconfig.exe
          Filesize

          193KB

          MD5

          39009536cafe30c6ef2501fe46c9df5e

          SHA1

          6ff7b4d30f31186de899665c704a105227704b72

          SHA256

          93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

          SHA512

          95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

          Download Submit

        • C:\Users\Admin\AppData\Local\luhcKU\dwmapi.dll
          Filesize

          1.2MB

          MD5

          50ab62937549c8ee9b9a637f8039ab91

          SHA1

          778301f3edc6aaccac083075252c693d40899658

          SHA256

          7bc53b9eb55fffb2333c092b7d8ef989ead2da63cc3fb4d3712cbca74149be3b

          SHA512

          8a7bd2c46544dfae7a4881221774254031b790e5cdf2a692ec9c93300ca4d90c64ffc1fab0fd858367ddd5567aa5eb20f90c4c5f268c9bf639362fc9b84ba6a9

          Download Submit

        • C:\Users\Admin\AppData\Local\luhcKU\rdpclip.exe
          Filesize

          446KB

          MD5

          a52402d6bd4e20a519a2eeec53332752

          SHA1

          129f2b6409395ef877b9ca39dd819a2703946a73

          SHA256

          9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

          SHA512

          632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Vavjtzlerlz.lnk
          Filesize

          1KB

          MD5

          05a7ad7d3374b51806942689fce6490b

          SHA1

          8c64226883f19027ab950643f7aeb75524d0d5a6

          SHA256

          c6b66b3add130cbb06dd2d8c4bddd486721104035ccc7932e63c1cf6041838ab

          SHA512

          0f1f1e5ec88d4cbac5824bcaea6ed1715c0a7b87a173e874d510ac5a45eea2c00e4f30d653f5e2121db2d2e2c51b5766271382b9a3f8f566c1bddd8defa971b8

          Download Submit

        • memory/208-52-0x00007FFD6DE70000-0x00007FFD6DFA2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/208-49-0x000001DE8C1D0000-0x000001DE8C1D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/208-46-0x00007FFD6DE70000-0x00007FFD6DFA2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/556-0-0x00007FFD6DE70000-0x00007FFD6DFA1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/556-39-0x00007FFD6DE70000-0x00007FFD6DFA1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/556-3-0x000002295C5D0000-0x000002295C5D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3288-85-0x00007FFD6DE70000-0x00007FFD6DFA2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-35-0x00007FFD78910000-0x00007FFD78920000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3540-33-0x00007FFD7814A000-0x00007FFD7814B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3540-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-34-0x00000000014B0000-0x00000000014B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3540-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-4-0x0000000001650000-0x0000000001651000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3540-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3540-6-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4960-69-0x00007FFD6DE70000-0x00007FFD6DFA2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4960-66-0x000001F633C90000-0x000001F633C97000-memory.dmp

          Filesize

          28KB

          Download