Overview

overview

10

Static

static

3

20820c2a9b...18.dll

windows7-x64

10

20820c2a9b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20820c2a9bf906522a7592b6a394f25c_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    20820c2a9bf906522a7592b6a394f25c

  • SHA1

    9468c6497d136660b8349d1748ba71152b749509

  • SHA256

    0837def50bbee311ec7d43a7769cea5a285fee80fc6cf2a9796573cb400bf4e8

  • SHA512

    6cefdee4fbb47b90237dc4a57f1c568f03de10963357fc6d319e2f9566a592f5605f4113dc471afc87329199cdecdf7a70b170d6af50be36e322ed7c4eb8d152

  • SSDEEP

    24576:XuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:Z9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\20820c2a9bf906522a7592b6a394f25c_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4028
  • C:\Windows\system32\wlrmdr.exe
    C:\Windows\system32\wlrmdr.exe
    1⤵
      PID:3004
    • C:\Users\Admin\AppData\Local\pyq3Sr1\wlrmdr.exe
      C:\Users\Admin\AppData\Local\pyq3Sr1\wlrmdr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2492
    • C:\Windows\system32\SystemPropertiesPerformance.exe
      C:\Windows\system32\SystemPropertiesPerformance.exe
      1⤵
        PID:4464
      • C:\Users\Admin\AppData\Local\1hovx\SystemPropertiesPerformance.exe
        C:\Users\Admin\AppData\Local\1hovx\SystemPropertiesPerformance.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1320
      • C:\Windows\system32\RecoveryDrive.exe
        C:\Windows\system32\RecoveryDrive.exe
        1⤵
          PID:1544
        • C:\Users\Admin\AppData\Local\ZQDpmE7\RecoveryDrive.exe
          C:\Users\Admin\AppData\Local\ZQDpmE7\RecoveryDrive.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4756

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1hovx\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          5e80c09f6b5d33a8dd0ea232e30dfa20

          SHA1

          f295bd0a2165f9307533e2eb3716e2b19473d497

          SHA256

          9d43e6d27094f25ca0825fdd58785ac39a3d23d14e05509c288551b7039d0208

          SHA512

          68cca080670dbad61e4cc1fd52994a3d1e2049b48524eff13f9b702ee56af2dafa6c235d801119be6c4e0de97561660fe3e981094cccba2ec2396be49c07b26c

          Download Submit

        • C:\Users\Admin\AppData\Local\1hovx\SystemPropertiesPerformance.exe
          Filesize

          82KB

          MD5

          e4fbf7cab8669c7c9cef92205d2f2ffc

          SHA1

          adbfa782b7998720fa85678cc85863b961975e28

          SHA256

          b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

          SHA512

          c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

          Download Submit

        • C:\Users\Admin\AppData\Local\ZQDpmE7\RecoveryDrive.exe
          Filesize

          911KB

          MD5

          b9b3dc6f2eb89e41ff27400952602c74

          SHA1

          24ae07e0db3ace0809d08bbd039db3a9d533e81b

          SHA256

          630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

          SHA512

          7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

          Download Submit

        • C:\Users\Admin\AppData\Local\ZQDpmE7\UxTheme.dll
          Filesize

          1.2MB

          MD5

          dc8f904e5914e066a9b970e38135f22c

          SHA1

          bfbec273dd2801a04f8185890eaa90f1a1ccf94e

          SHA256

          7db6b25f5a3d2ba133f994fa4093f374f42cc3afbe184f022a92de65480a7e3e

          SHA512

          6a734c93d55852eef8d6789ef70ac69cd02189258137d29385184a7ef2be3f89859899663cc400d9d47d95bb80b0d57f2c25e9ca0a9a89587e438fb160533613

          Download Submit

        • C:\Users\Admin\AppData\Local\pyq3Sr1\DUI70.dll
          Filesize

          1.4MB

          MD5

          938f0dc810578a5f3d8c6dbef0b866f6

          SHA1

          e79a7eafd2c20c65bf7b9bfde2623ad98fda508b

          SHA256

          5254f5ebfafd2c297eb496fcb927cd0f75382391eaa0f3a1c219ce41aaf64bdf

          SHA512

          8be8e9f2455b1d3308179ffab5cec2084035008d69521831b7d9d7b4183e9345296de26fe2f77df96e51ac24394947c08c6cd199e32207db1016a13387ac505d

          Download Submit

        • C:\Users\Admin\AppData\Local\pyq3Sr1\wlrmdr.exe
          Filesize

          66KB

          MD5

          ef9bba7a637a11b224a90bf90a8943ac

          SHA1

          4747ec6efd2d41e049159249c2d888189bb33d1d

          SHA256

          2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

          SHA512

          4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Urqdyypzfxj.lnk
          Filesize

          1KB

          MD5

          1eb49542ac233df22fe0c6a32afbbe58

          SHA1

          b7643343c6ee63c90d32f573fef054dd84870dd8

          SHA256

          93a8aad943cab5205e999ce3c0629b51808039376ec659554c2d220921cd3966

          SHA512

          5bf87884abd1f65e97032f893e006b3c28ddbf5339078db644d7da13ece7bd754d953b2b3d38aa02138107392e5b138c42960e0c975996252b6ec0315852445d

          Download Submit

        • memory/1320-62-0x000001A7303A0000-0x000001A7303A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1320-63-0x00007FFD45690000-0x00007FFD457C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1320-68-0x00007FFD45690000-0x00007FFD457C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2492-51-0x00007FFD45650000-0x00007FFD457C6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2492-45-0x0000023AFFAC0000-0x0000023AFFAC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2492-46-0x00007FFD45650000-0x00007FFD457C6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3408-28-0x0000000002C70000-0x0000000002C77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3408-4-0x0000000002C90000-0x0000000002C91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3408-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-6-0x00007FFD6226A000-0x00007FFD6226B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3408-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-29-0x00007FFD63490000-0x00007FFD634A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3408-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4028-0-0x00007FFD54D10000-0x00007FFD54E40000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4028-38-0x00007FFD54D10000-0x00007FFD54E40000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4028-3-0x0000021C39FF0000-0x0000021C39FF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4756-79-0x0000024AF2350000-0x0000024AF2357000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4756-80-0x00007FFD44B90000-0x00007FFD44CC1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4756-85-0x00007FFD44B90000-0x00007FFD44CC1000-memory.dmp

          Filesize

          1.2MB

          Download