Overview

overview

10

Static

static

3

1fcda2221e...18.dll

windows7-x64

10

1fcda2221e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1fcda2221e8944f12e34e61b96fbf88f_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    1fcda2221e8944f12e34e61b96fbf88f

  • SHA1

    c26145b0db9ad0248dfddd89daa1894826069a39

  • SHA256

    a2d0319fed40865b788210013d7a165b8a3d7ec6bb847d4529dbf2ba073a8f2e

  • SHA512

    d9013272340b574863dafb98738d70037fd279a809c9c4f5e898540c5fbd59fe53ce2aa545a03d3ebdcc922dc8da13f5a781624e1d858bb7784d59cb3322ae0d

  • SSDEEP

    24576:7uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:l9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fcda2221e8944f12e34e61b96fbf88f_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3296
  • C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe
    1⤵
      PID:4732
    • C:\Users\Admin\AppData\Local\7R4JB\unregmp2.exe
      C:\Users\Admin\AppData\Local\7R4JB\unregmp2.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2936
    • C:\Windows\system32\wbengine.exe
      C:\Windows\system32\wbengine.exe
      1⤵
        PID:2408
      • C:\Users\Admin\AppData\Local\5GLmi5\wbengine.exe
        C:\Users\Admin\AppData\Local\5GLmi5\wbengine.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2000
      • C:\Windows\system32\SystemPropertiesComputerName.exe
        C:\Windows\system32\SystemPropertiesComputerName.exe
        1⤵
          PID:1720
        • C:\Users\Admin\AppData\Local\vNoHmt\SystemPropertiesComputerName.exe
          C:\Users\Admin\AppData\Local\vNoHmt\SystemPropertiesComputerName.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4416

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\5GLmi5\XmlLite.dll
          Filesize

          1.2MB

          MD5

          4a924b8788f9f88e64cd42ba3fd7efe3

          SHA1

          192f72c4d376e4a6111f082faa623fe597805662

          SHA256

          e899a0691e4578122d0b15ed264380361c7b2276507bb5364ed80063e7f7edc1

          SHA512

          1df0e3a314e9bb395f10079f9b24c2f9c16f077c1c450bcdf56ff4d763eca27c2de356c2a5f1b24f74e1c9f9457eac57c1ebfdb4148ed032b22cf2d9476dfb91

          Download Submit

        • C:\Users\Admin\AppData\Local\5GLmi5\wbengine.exe
          Filesize

          1.5MB

          MD5

          17270a354a66590953c4aac1cf54e507

          SHA1

          715babcc8e46b02ac498f4f06df7937904d9798d

          SHA256

          9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

          SHA512

          6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

          Download Submit

        • C:\Users\Admin\AppData\Local\7R4JB\VERSION.dll
          Filesize

          1.2MB

          MD5

          a5004862e79c1141c4c4246c4d50090c

          SHA1

          3e65e9363e18d37462dbe2961aa45558b3c0cd13

          SHA256

          51fccad9013421a8bf26a3fded9afbfb22eed9bc794b1cc3900f0dd6f01448b1

          SHA512

          7a121aca9342fe37d2f68cc410fa1c47acab542e49b013110c9e4382206fef188d625f8734a650d7511f0e8d1616561b4d2ea1af0fa34e94a7048795420c5fb2

          Download Submit

        • C:\Users\Admin\AppData\Local\7R4JB\unregmp2.exe
          Filesize

          259KB

          MD5

          a6fc8ce566dec7c5873cb9d02d7b874e

          SHA1

          a30040967f75df85a1e3927bdce159b102011a61

          SHA256

          21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d

          SHA512

          f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

          Download Submit

        • C:\Users\Admin\AppData\Local\vNoHmt\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          d41e6c8c44226b2fde360a064525d9d9

          SHA1

          3d8c5db8a601be10eef0454b6ed333e6b91de37e

          SHA256

          435a4fa022db3f9291d13c2160cf45a31fdd2aa724797a456fa8013b67b8ee40

          SHA512

          ee765b4c4b21c88428c9d2ffa62d6f1799f321c34edf706f47153796c755c65049310be31ef9c13b02b40285d7f45b93ee454bf986733e8d877d0a467d560257

          Download Submit

        • C:\Users\Admin\AppData\Local\vNoHmt\SystemPropertiesComputerName.exe
          Filesize

          82KB

          MD5

          6711765f323289f5008a6a2a04b6f264

          SHA1

          d8116fdf73608b4b254ad83c74f2232584d24144

          SHA256

          bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

          SHA512

          438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Igacdkfje.lnk
          Filesize

          1KB

          MD5

          9c76b16d9a562ec12734ecb70b55cd8a

          SHA1

          024266365ee7205a7b1dbf2add13f12d4e09ba8f

          SHA256

          2aab4597be88730383d0e98458867cd8556e4d0e382c3416c9fc79850552d42c

          SHA512

          9bcaae848001d9c50f8765827e82fef059b5c6f154e0be6601dbf0d977962c7b77186ac59fc69aacafb13180c2796b28e08422e6e2266d6b159c45b3343d2c20

          Download Submit

        • memory/2000-68-0x00007FFDA72A0000-0x00007FFDA73D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2000-63-0x000001D6DD840000-0x000001D6DD847000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2936-51-0x00007FFDA72A0000-0x00007FFDA73D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2936-45-0x00007FFDA72A0000-0x00007FFDA73D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2936-48-0x0000020540420000-0x0000020540427000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3296-0-0x00007FFDB6280000-0x00007FFDB63B1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3296-38-0x00007FFDB6280000-0x00007FFDB63B1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3296-3-0x000001D965240000-0x000001D965247000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3432-30-0x00007FFDC53B0000-0x00007FFDC53C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-29-0x00000000057E0000-0x00000000057E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3432-23-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-27-0x00007FFDC36CA000-0x00007FFDC36CB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-35-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-6-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-4-0x0000000005800000-0x0000000005801000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4416-85-0x00007FFDA72A0000-0x00007FFDA73D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4416-79-0x00000297F7840000-0x00000297F7847000-memory.dmp

          Filesize

          28KB

          Download