Overview

overview

10

Static

static

3

31a99257d7...18.dll

windows7-x64

10

31a99257d7...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2024 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31a99257d7f59c024665683ec80d1f5f_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    31a99257d7f59c024665683ec80d1f5f

  • SHA1

    61d6669a7e007b64b69bdf93d0a39f232fc3e7e4

  • SHA256

    8cc5917a2fe27efc03ea4cdcc77b00fa7a8551f38d393735ebc0923a87961edd

  • SHA512

    c4fd03de3aedf2ae3bc58a744080b13ade5b66617046b33458ab11fc77b22d743f7144eb7705e97be0bad7a0844f643e5af901d07a1eab50ea8de79cc4c6da79

  • SSDEEP

    24576:vuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:R9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\31a99257d7f59c024665683ec80d1f5f_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1464
  • C:\Windows\system32\EhStorAuthn.exe
    C:\Windows\system32\EhStorAuthn.exe
    1⤵
      PID:4464
    • C:\Users\Admin\AppData\Local\vs04hojOQ\EhStorAuthn.exe
      C:\Users\Admin\AppData\Local\vs04hojOQ\EhStorAuthn.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:752
    • C:\Windows\system32\DevicePairingWizard.exe
      C:\Windows\system32\DevicePairingWizard.exe
      1⤵
        PID:1152
      • C:\Users\Admin\AppData\Local\ljz\DevicePairingWizard.exe
        C:\Users\Admin\AppData\Local\ljz\DevicePairingWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2908
      • C:\Windows\system32\wbengine.exe
        C:\Windows\system32\wbengine.exe
        1⤵
          PID:2968
        • C:\Users\Admin\AppData\Local\XaQCZbe\wbengine.exe
          C:\Users\Admin\AppData\Local\XaQCZbe\wbengine.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:456

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\XaQCZbe\XmlLite.dll
          Filesize

          1.2MB

          MD5

          0533e826c46979c38115b706ccf12c8a

          SHA1

          0668aa390708a1901b3d7e80de70472fa6769897

          SHA256

          ca4b2930f564157e54f55c801ea9778bf0145fbe24cd007334dfe97fa2007abd

          SHA512

          68aaf499ad0f79808ffe89884a78f20824028bbcdaab9659396de28ea9a3b1206516df847e2114620ab7a720f58272848bbcb2fd83f21bc3b8ff12db605bb1fc

          Download Submit

        • C:\Users\Admin\AppData\Local\XaQCZbe\wbengine.exe
          Filesize

          1.5MB

          MD5

          17270a354a66590953c4aac1cf54e507

          SHA1

          715babcc8e46b02ac498f4f06df7937904d9798d

          SHA256

          9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

          SHA512

          6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

          Download Submit

        • C:\Users\Admin\AppData\Local\ljz\DevicePairingWizard.exe
          Filesize

          93KB

          MD5

          d0e40a5a0c7dad2d6e5040d7fbc37533

          SHA1

          b0eabbd37a97a1abcd90bd56394f5c45585699eb

          SHA256

          2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

          SHA512

          1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

          Download Submit

        • C:\Users\Admin\AppData\Local\ljz\MFC42u.dll
          Filesize

          1.2MB

          MD5

          626f879020bfd1fb49d5810f0050a036

          SHA1

          9dd20c2f54c45941ced76d918ba2e5a91d5230f1

          SHA256

          e41d3c9c6940b85f7dabbdab848a5298d16928f190d1d20b974747a77bbe197d

          SHA512

          877731aedafef5e9730ea209fa4cb79ba58c194d4122aeeb358624aef0e6a5b8ac8a71459d3bc5c8bfae2dad08c72cf6b613b79d154a8e6dc6e3f8a6a28553c6

          Download Submit

        • C:\Users\Admin\AppData\Local\vs04hojOQ\EhStorAuthn.exe
          Filesize

          128KB

          MD5

          d45618e58303edb4268a6cca5ec99ecc

          SHA1

          1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

          SHA256

          d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

          SHA512

          5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

          Download Submit

        • C:\Users\Admin\AppData\Local\vs04hojOQ\UxTheme.dll
          Filesize

          1.2MB

          MD5

          3ad32b66d695c519d83bebb40444a11d

          SHA1

          45a3cfa5b571ceb870c175afacd9d33518026586

          SHA256

          c287b34b0f8107d296b474273d1cda59303c78b1bcdfb08cb49c99365c749728

          SHA512

          5638c2582cbe41cdace4413c2c86e142d3b1d0855cd401fe7d5a35e69620dde0e90e17a09fe09dfc0e6daecea9cb96f0b22b8c37cb58548e2230afede47f697c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ozpfed.lnk
          Filesize

          1KB

          MD5

          12457fbb96d65c18250afe32bbb2eaa7

          SHA1

          d758b327d89b7bca28a16d12ba836ae0a4f6dc42

          SHA256

          1b1a0689e92e5d11eab8e8a36f9373fcb61948750354d5b1ad9760a02fe2ee24

          SHA512

          ecf1f9c5e3b22f0921ac00bd3a74b7602b9aad662c006ec0a539da64905748dc2b7373ebc5e85e311993ce9df17ee79e19e2e41b4a7de373b697ab66e2583b24

          Download Submit

        • memory/456-79-0x0000014BE5A20000-0x0000014BE5A27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/456-85-0x00007FF8EFA80000-0x00007FF8EFBB1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/752-51-0x00007FF8EFA80000-0x00007FF8EFBB1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/752-48-0x000001AF9B560000-0x000001AF9B567000-memory.dmp

          Filesize

          28KB

          Download

        • memory/752-45-0x00007FF8EFA80000-0x00007FF8EFBB1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1464-0-0x00007FF8EFA90000-0x00007FF8EFBC0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1464-38-0x00007FF8EFA90000-0x00007FF8EFBC0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1464-3-0x00000288DD450000-0x00000288DD457000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2908-62-0x00007FF8EFA80000-0x00007FF8EFBB7000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2908-65-0x00000202990B0000-0x00000202990B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2908-68-0x00007FF8EFA80000-0x00007FF8EFBB7000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-6-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-32-0x00007FF8FC56A000-0x00007FF8FC56B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3552-33-0x0000000000560000-0x0000000000567000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3552-34-0x00007FF8FDFD0000-0x00007FF8FDFE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3552-23-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-5-0x0000000002440000-0x0000000002441000-memory.dmp

          Filesize

          4KB

          Download