Overview

overview

10

Static

static

3

16cc32046e...18.dll

windows7-x64

10

16cc32046e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 11:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16cc32046e3f43e3f81212459202d425_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    16cc32046e3f43e3f81212459202d425

  • SHA1

    bc204f585686521d375206fe3e5a2102386b8373

  • SHA256

    2bfc8831b8af3293c743d4ee34b980c80195ce55d33ae89fbc3dabdaf73deef5

  • SHA512

    2288176da59029620b0ab7afb03cd977595d70028d8f704c4ce7ee0593862607ff1fb4c12e4fff079d8e827e1859104ebc4363edfd55d697231722163dcc6aed

  • SSDEEP

    24576:MuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:k9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\16cc32046e3f43e3f81212459202d425_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1140
  • C:\Windows\system32\sessionmsg.exe
    C:\Windows\system32\sessionmsg.exe
    1⤵
      PID:3044
    • C:\Users\Admin\AppData\Local\pY3YX45\sessionmsg.exe
      C:\Users\Admin\AppData\Local\pY3YX45\sessionmsg.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1200
    • C:\Windows\system32\msdt.exe
      C:\Windows\system32\msdt.exe
      1⤵
        PID:3704
      • C:\Users\Admin\AppData\Local\R9P5VxL\msdt.exe
        C:\Users\Admin\AppData\Local\R9P5VxL\msdt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3772
      • C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
        C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
        1⤵
          PID:700
        • C:\Users\Admin\AppData\Local\XP9T\PasswordOnWakeSettingFlyout.exe
          C:\Users\Admin\AppData\Local\XP9T\PasswordOnWakeSettingFlyout.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:800

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\R9P5VxL\UxTheme.dll
          Filesize

          1.2MB

          MD5

          23258cd626cba18a7450ff155c5c205a

          SHA1

          cd3c4e5619f2642c0610bfa239218ea776ef2462

          SHA256

          2380d125353f46b4688cbac7208238f32b53e3c94b9c8ff4a7ed21a0adb39ec4

          SHA512

          7079f76d4c07c889ad9d22eba1f088ed7e8b42225160952844935247f02d414f804d5df2f1afdc33b03d0f07b01eaae8cef2bd20089485c1ce1523676bc41480

          Download Submit

        • C:\Users\Admin\AppData\Local\R9P5VxL\msdt.exe
          Filesize

          421KB

          MD5

          992c3f0cc8180f2f51156671e027ae75

          SHA1

          942ec8c2ccfcacd75a1cd86cbe8873aee5115e29

          SHA256

          6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f

          SHA512

          1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

          Download Submit

        • C:\Users\Admin\AppData\Local\XP9T\DUI70.dll
          Filesize

          1.4MB

          MD5

          dcb2e1a329633d016f1ada0373f71446

          SHA1

          c8345d13ac01cc0992e106900b9c45f71dc7758e

          SHA256

          b1286aea6970b087e357763b40d747c2b5ca151a5a528e8b726915adfcf7376a

          SHA512

          6455ff537bdc0c75235f87cf6af506b3bffb1983d22c36141607657877852b93029bb2b60c291cef2045b5a1fa3da2ef49b6c24b4a3e51e1c63773d42b81b57c

          Download Submit

        • C:\Users\Admin\AppData\Local\XP9T\PasswordOnWakeSettingFlyout.exe
          Filesize

          44KB

          MD5

          591a98c65f624c52882c2b238d6cd4c4

          SHA1

          c960d08c19d777069cf265dcc281807fbd8502d7

          SHA256

          5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

          SHA512

          1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

          Download Submit

        • C:\Users\Admin\AppData\Local\pY3YX45\DUI70.dll
          Filesize

          1.4MB

          MD5

          04d0d6f10e8f89f4e7cbcca26ec2d823

          SHA1

          a8ecce61c38ba6cfd8bc1690f2c4853f72451583

          SHA256

          baae288cf16504179df42f7f362af53ff837aaa0314b3f592e898fc784b4d256

          SHA512

          0fd3cb79a275311da92897c5736071d1d2d80d3d9a96b0d3103af20df9d558e1e0c1bd784a5c555a44419afb67c1e664655755759659e1ebfa751668bf96f2e8

          Download Submit

        • C:\Users\Admin\AppData\Local\pY3YX45\sessionmsg.exe
          Filesize

          85KB

          MD5

          480f710806b68dfe478ca1ec7d7e79cc

          SHA1

          b4fc97fed2dbff9c4874cb65ede7b50699db37cd

          SHA256

          2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

          SHA512

          29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Vavjtzlerlz.lnk
          Filesize

          1KB

          MD5

          46cf66f0d9cd18ba3705c2f3ff5f33f5

          SHA1

          fbf3c6aacc8ff900fb4652008b01c374d070a6bb

          SHA256

          45ba12db923d8b4637da0aaf02863313223d12fe88ab8839e3c56793c1c50f0d

          SHA512

          fb599a5cc1f074bc9478974094bc1187fbb99d2f88ec4055babd33c2eaa3099ff9697fe9dd7745bf77ee2e8ba21ceb8f8bbe3b01d492925ec713e97e0043e7a4

          Download Submit

        • memory/800-83-0x0000021A015F0000-0x0000021A015F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/800-86-0x00007FFEF4230000-0x00007FFEF43A7000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1140-39-0x00007FFEF4780000-0x00007FFEF48B1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1140-1-0x00007FFEF4780000-0x00007FFEF48B1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1140-3-0x000001FB39F40000-0x000001FB39F47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1200-52-0x00007FFEF4230000-0x00007FFEF43A7000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1200-49-0x00000239B9B40000-0x00000239B9B47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1200-46-0x00007FFEF4230000-0x00007FFEF43A7000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3564-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3564-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3564-30-0x00000000004E0000-0x00000000004E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3564-29-0x00007FFF0114A000-0x00007FFF0114B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3564-31-0x00007FFF02FB0000-0x00007FFF02FC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3564-6-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3564-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3564-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3564-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3564-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3564-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3564-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3564-4-0x0000000000810000-0x0000000000811000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3564-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3564-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3564-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3564-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3772-69-0x00007FFEF40C0000-0x00007FFEF41F2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3772-63-0x00000186B1E50000-0x00000186B1E57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3772-64-0x00007FFEF40C0000-0x00007FFEF41F2000-memory.dmp

          Filesize

          1.2MB

          Download