Overview

overview

10

Static

static

3

2eea949d5e...18.dll

windows7-x64

10

2eea949d5e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2024 00:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2eea949d5e460e676cfc46fedbfd7228_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    2eea949d5e460e676cfc46fedbfd7228

  • SHA1

    1aaa16ff737078f33d1d3a1698dba0c06d391505

  • SHA256

    0957af4a0171acd92171ed5b6922e5209095058c4d80bb1cb3cc770810c1786d

  • SHA512

    0d1df077e17274c752997be07d6337d3548b259af0da041dd48f86e64e08c3db2c32107d78698b25be88953cb2bb83efe044a8ac1f1879393b985b39ff17cba3

  • SSDEEP

    24576:/uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:B9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eea949d5e460e676cfc46fedbfd7228_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3400
  • C:\Windows\system32\tcmsetup.exe
    C:\Windows\system32\tcmsetup.exe
    1⤵
      PID:4264
    • C:\Users\Admin\AppData\Local\Dsc8\tcmsetup.exe
      C:\Users\Admin\AppData\Local\Dsc8\tcmsetup.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3820
    • C:\Windows\system32\tcmsetup.exe
      C:\Windows\system32\tcmsetup.exe
      1⤵
        PID:212
      • C:\Users\Admin\AppData\Local\sEd9\tcmsetup.exe
        C:\Users\Admin\AppData\Local\sEd9\tcmsetup.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2232
      • C:\Windows\system32\DWWIN.EXE
        C:\Windows\system32\DWWIN.EXE
        1⤵
          PID:4128
        • C:\Users\Admin\AppData\Local\YQv5v\DWWIN.EXE
          C:\Users\Admin\AppData\Local\YQv5v\DWWIN.EXE
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2144

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Dsc8\TAPI32.dll
          Filesize

          1.2MB

          MD5

          690c533ea8543caac701004414239744

          SHA1

          f6c9cc6c2355c0225adb252b3d3a19f7e5051403

          SHA256

          a1e71851bd41519d3eaca7b7f15f28d01cd29bd5ee88d8f2e2171ce14399f9c4

          SHA512

          0a2c10c35dd27b96651e5e76f115eec01bffba2154b8f8a4cba7c83a922fc9e42e8728a57457c2d1bde8f2b1e4a9af9ca91509775d1ad407e290d28ca19bb469

          Download Submit

        • C:\Users\Admin\AppData\Local\Dsc8\tcmsetup.exe
          Filesize

          16KB

          MD5

          58f3b915b9ae7d63431772c2616b0945

          SHA1

          6346e837da3b0f551becb7cac6d160e3063696e9

          SHA256

          e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

          SHA512

          7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

          Download Submit

        • C:\Users\Admin\AppData\Local\YQv5v\DWWIN.EXE
          Filesize

          229KB

          MD5

          444cc4d3422a0fdd45c1b78070026c60

          SHA1

          97162ff341fff1ec54b827ec02f8b86fd2d41a97

          SHA256

          4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

          SHA512

          21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

          Download Submit

        • C:\Users\Admin\AppData\Local\YQv5v\wer.dll
          Filesize

          1.2MB

          MD5

          204cbeccb03444044025c255d68273bb

          SHA1

          fe69fcff084a7becbf3b74001a0ee8787ea1c5f8

          SHA256

          4335b1961135cc83d98c7b63203fbaf80c4539be93f73bd34e0cefe1cc3a98f2

          SHA512

          b51cadf6fc858a0eaaca59b15150f42f56226bd6e8ba853046efa3ebd643038478c8081c4fd00b45ff38a66cb1452eaeaef9038aaf3f7d9c434ac802622b85fa

          Download Submit

        • C:\Users\Admin\AppData\Local\sEd9\TAPI32.dll
          Filesize

          1.2MB

          MD5

          ce4a601635ebb9d18df34b5e1aea0e1e

          SHA1

          49bf177e8103d55dc19508a7bb933ac90492e7d6

          SHA256

          38510a3bc28c7327ee62a35507387909ffb5effcc574660c158f0062972f23c6

          SHA512

          379d8e459585d4098be0d9280b12e34541fece24ca6d65bafcdaf66f78e7049b069b51faee85ac9abce1c79a91775af841d9aff27cbbfba6beebce246a66dc43

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rnqxvswjyjuqjvh.lnk
          Filesize

          1KB

          MD5

          0e5aafea786c9c2b9a083228e3de491f

          SHA1

          44a922a54fe58fcd92a5f132d21033a2d7a95fe3

          SHA256

          e7bf3b57f045d841a51972fc1f2bf17582b6c1ad6c1669dae7d832e365946e71

          SHA512

          15f284471eafa4601443bca6f28859d098dbd054d4547bc3eae9cb3098986fcddea32f2c0fd2c2373242886a57a5997f5a9cd63ea2e8101033974e3c8abd2b91

          Download Submit

        • memory/2144-83-0x0000028025240000-0x0000028025247000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2144-86-0x00007FFD56930000-0x00007FFD56A64000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2232-69-0x00007FFD56930000-0x00007FFD56A64000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2232-66-0x0000011921FD0000-0x0000011921FD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3400-0-0x00007FFD56930000-0x00007FFD56A62000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-3-0x0000027430B50000-0x0000027430B57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3400-39-0x00007FFD56930000-0x00007FFD56A62000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-9-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-36-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-10-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-12-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-8-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-7-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-13-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-15-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-16-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-4-0x0000000000C00000-0x0000000000C01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3468-6-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-14-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-28-0x00007FFD63CBA000-0x00007FFD63CBB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3468-11-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3468-29-0x0000000000B90000-0x0000000000B97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3468-30-0x00007FFD652B0000-0x00007FFD652C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-24-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3820-52-0x00007FFD56930000-0x00007FFD56A64000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3820-46-0x00007FFD56930000-0x00007FFD56A64000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3820-49-0x000001D746CE0000-0x000001D746CE7000-memory.dmp

          Filesize

          28KB

          Download