Overview

overview

10

Static

static

3

183815da44...18.dll

windows7-x64

10

183815da44...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    183815da44d7ed5ae8729924751f4708_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    183815da44d7ed5ae8729924751f4708

  • SHA1

    814251ed5022db70b1fbc52aa18b04bad3e20a15

  • SHA256

    b02ff992c112d00fcf1259b6ca963384f823e45f0538a91b75c6c2349862dfea

  • SHA512

    f796d19444f9775721369f99a7d00ca31c83deff9df183524b81ed3675dc14e652b5c7af13b4eee7854af9703388ef4c96b6f93594b64d33e1ed7a8c0593a998

  • SSDEEP

    24576:+uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:+9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\183815da44d7ed5ae8729924751f4708_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:532
  • C:\Windows\system32\eudcedit.exe
    C:\Windows\system32\eudcedit.exe
    1⤵
      PID:3228
    • C:\Users\Admin\AppData\Local\LHhzGw\eudcedit.exe
      C:\Users\Admin\AppData\Local\LHhzGw\eudcedit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1140
    • C:\Windows\system32\dwm.exe
      C:\Windows\system32\dwm.exe
      1⤵
        PID:3304
      • C:\Users\Admin\AppData\Local\TLYz3FMhd\dwm.exe
        C:\Users\Admin\AppData\Local\TLYz3FMhd\dwm.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2952
      • C:\Windows\system32\OptionalFeatures.exe
        C:\Windows\system32\OptionalFeatures.exe
        1⤵
          PID:1316
        • C:\Users\Admin\AppData\Local\KRELYfI\OptionalFeatures.exe
          C:\Users\Admin\AppData\Local\KRELYfI\OptionalFeatures.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4076

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\KRELYfI\OptionalFeatures.exe
          Filesize

          110KB

          MD5

          d6cd8bef71458804dbc33b88ace56372

          SHA1

          a18b58445be2492c5d37abad69b5aa0d29416a60

          SHA256

          fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

          SHA512

          1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

          Download Submit

        • C:\Users\Admin\AppData\Local\KRELYfI\appwiz.cpl
          Filesize

          1.2MB

          MD5

          1c3561e223d54106e867825d612c63d0

          SHA1

          ed281f7a3028e3fb3e5d5773b78a03817857e990

          SHA256

          1d0ffe1b59bb0148c32d13831b66574ca6a1ede3e2866140b45bed81c4cd2e25

          SHA512

          0f89e746cdac7c0430050f4a0d5703177dd40a3dfba0f93cc34af99b67149ddee369a18a256b09f2bbe8d4aea625f9b1d54fee88fcebf749bc2cd23358f7bf4b

          Download Submit

        • C:\Users\Admin\AppData\Local\LHhzGw\MFC42u.dll
          Filesize

          1.2MB

          MD5

          16b63ad22d898be7c94bcde19136e2bb

          SHA1

          85867166dd822e44d7d28ea63f44150e7c273a5f

          SHA256

          01282232e73906b06b5610540a7404c12adf0c15750480a7e0c7f2e0028e7b58

          SHA512

          f93c53e63e456a98bf287e8427454655dddc9c672c8ca1d12ecc604dc6e3f16b8201a9d57360a3aeb2c2de68fc7c21021856552bcb436832967de5203ddaabdb

          Download Submit

        • C:\Users\Admin\AppData\Local\LHhzGw\eudcedit.exe
          Filesize

          365KB

          MD5

          a9de6557179d371938fbe52511b551ce

          SHA1

          def460b4028788ded82dc55c36cb0df28599fd5f

          SHA256

          83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

          SHA512

          5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

          Download Submit

        • C:\Users\Admin\AppData\Local\TLYz3FMhd\dwm.exe
          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

          Download Submit

        • C:\Users\Admin\AppData\Local\TLYz3FMhd\dxgi.dll
          Filesize

          1.2MB

          MD5

          60c56cd309e1aa5b3de885dca31733b5

          SHA1

          432ce9d05a440a4def77d362933cb083eb9db059

          SHA256

          5625ce9e356e8dd63caec6eadf19d3ecb25ebc660e6c12f92389dd1ba6dc610d

          SHA512

          df7c828b0bba0dc3a61a5690277a7c63138e55e6517d6fc08bd8e60fe06928a893eb8baf33ead5b29f07dc44b686cfd46e80b2588b419fe474d7bdba9bbbc990

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zkmqfrdydbun.lnk
          Filesize

          1KB

          MD5

          5995b351514599638a20cd4275c5ae83

          SHA1

          83bfc246d940b096c5c8e114c82f952e18d4788b

          SHA256

          9aa71fd3581ff73704fb0b9ea2252cbafab84138e2281092c2fb1da9ebf6d099

          SHA512

          e4303323c765e08c0a5e55c0340a72a2b1d88fa65c0bd63ded8aa395ad4daf75799bbc9df9865ee524d6c7df066e51a55be44447c9857f3174dd92af2d859bea

          Download Submit

        • memory/532-0-0x00007FFF40310000-0x00007FFF40441000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/532-39-0x00007FFF40310000-0x00007FFF40441000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/532-3-0x00000000028D0000-0x00000000028D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1140-52-0x00007FFF310F0000-0x00007FFF31228000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1140-47-0x00007FFF310F0000-0x00007FFF31228000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1140-46-0x000002747D790000-0x000002747D797000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2952-64-0x0000025CB1FE0000-0x0000025CB1FE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2952-65-0x00007FFF310F0000-0x00007FFF31222000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2952-68-0x00007FFF310F0000-0x00007FFF31222000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-36-0x00007FFF4D03A000-0x00007FFF4D03B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3588-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-33-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-37-0x0000000003230000-0x0000000003237000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3588-38-0x00007FFF4EED0000-0x00007FFF4EEE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3588-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-6-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3588-4-0x0000000003250000-0x0000000003251000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4076-82-0x00007FFF310F0000-0x00007FFF31222000-memory.dmp

          Filesize

          1.2MB

          Download