Overview

overview

10

Static

static

3

2fd8213300...18.dll

windows7-x64

10

2fd8213300...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2024 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2fd82133005480e6e2d63dc37d378b35_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    2fd82133005480e6e2d63dc37d378b35

  • SHA1

    3b1e29f059c924bb0fd7186be4752c3dcfc8590c

  • SHA256

    df363cbf7ba7d2239bdc9e4ea6d89bc8dd24cae14179679808b08bd945cc40cc

  • SHA512

    d6b354724a91101e94f3c136b0b45f328d9e03176821b04ae1ebb49f0a603eb70505fc35e9a69a4cd867bf8b31015a229906b050ed0d55bdde1ea0c308ab77bb

  • SSDEEP

    24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fd82133005480e6e2d63dc37d378b35_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1716
  • C:\Windows\system32\mfpmp.exe
    C:\Windows\system32\mfpmp.exe
    1⤵
      PID:1132
    • C:\Users\Admin\AppData\Local\pjv6T4v2\mfpmp.exe
      C:\Users\Admin\AppData\Local\pjv6T4v2\mfpmp.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2256
    • C:\Windows\system32\RdpSa.exe
      C:\Windows\system32\RdpSa.exe
      1⤵
        PID:5068
      • C:\Users\Admin\AppData\Local\B7EhKgIa\RdpSa.exe
        C:\Users\Admin\AppData\Local\B7EhKgIa\RdpSa.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1596
      • C:\Windows\system32\OptionalFeatures.exe
        C:\Windows\system32\OptionalFeatures.exe
        1⤵
          PID:3868
        • C:\Users\Admin\AppData\Local\how3\OptionalFeatures.exe
          C:\Users\Admin\AppData\Local\how3\OptionalFeatures.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:5080

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\B7EhKgIa\RdpSa.exe
          Filesize

          56KB

          MD5

          5992f5b5d0b296b83877da15b54dd1b4

          SHA1

          0d87be8d4b7aeada4b55d1d05c0539df892f8f82

          SHA256

          32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

          SHA512

          4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

          Download Submit

        • C:\Users\Admin\AppData\Local\B7EhKgIa\WINSTA.dll
          Filesize

          1.2MB

          MD5

          e981faf9dea1f393fa50c59f980b9393

          SHA1

          42e05bf5df634d593130a33f31f84a556b873356

          SHA256

          9158b4772600abc54a71d4ba985f65a8e0aead2a41936b6e3053fffa79068826

          SHA512

          90abc8dd1c7f57dc0fb807e8cb755fb60c5bc6f4897aca83cf4755e7b5b68fe67e33309412977f806e31355e8d9737b489f4a137f5716c7fd4c80b95933737a8

          Download Submit

        • C:\Users\Admin\AppData\Local\how3\OptionalFeatures.exe
          Filesize

          110KB

          MD5

          d6cd8bef71458804dbc33b88ace56372

          SHA1

          a18b58445be2492c5d37abad69b5aa0d29416a60

          SHA256

          fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

          SHA512

          1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

          Download Submit

        • C:\Users\Admin\AppData\Local\how3\appwiz.cpl
          Filesize

          1.2MB

          MD5

          80be566de901797188fa626ae99f3736

          SHA1

          f5e96fa4ccfbcc23d93d5e80dccb2959d0a55340

          SHA256

          dc67f7a2d66a431f9c077a5d56efa6675a0c1b5ab1b666ad0fe95f66324cc0a1

          SHA512

          3d3c42580f54eea0f31d7739e69efa7ed4a0c2f78238d058231f4e937122d0ae4effa55693a64ea5f074bb7b084e41e96a1f5af634c36f2897251ac1ac1cfa6a

          Download Submit

        • C:\Users\Admin\AppData\Local\pjv6T4v2\MFPlat.DLL
          Filesize

          1.2MB

          MD5

          683ade4dffaf7e70d478ca6d4361ea5c

          SHA1

          5e43e9448d642d9031eac61f091b16790094f8f5

          SHA256

          f5a8721800ee1a9cd8a5ce3e020e246c7e8f20e60e322cddfcb89111facabbc9

          SHA512

          146e86b82d80de9046aa9ace651fa6ea22cd42554a2236c3b503028cb874264f00fa42b1db24bb0f82a6e989d350ebc2e0d78a574db1ec8157947907ef4d1a56

          Download Submit

        • C:\Users\Admin\AppData\Local\pjv6T4v2\mfpmp.exe
          Filesize

          46KB

          MD5

          8f8fd1988973bac0c5244431473b96a5

          SHA1

          ce81ea37260d7cafe27612606cf044921ad1304c

          SHA256

          27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

          SHA512

          a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rnqxvswjyjuqjvh.lnk
          Filesize

          1KB

          MD5

          faa040eced130d3aa68d36529a54b10b

          SHA1

          7926f6bd0670152bd92b7fb6a9d84097f248dddc

          SHA256

          917fdccd309c1ac83b34c3d029a17b8be336fb3074ca5ced87169413ad98ff1f

          SHA512

          e0bb7ad0897a210a6cf4f5362142d9f455f94aa6051962171dfda4976aabcda26b9dcd1d6ec7d497d48429dfb7400f9fd31fa60ae05e66c46b59792447f714bd

          Download Submit

        • memory/1596-68-0x00007FFEC9F30000-0x00007FFECA062000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1596-62-0x0000011E06FA0000-0x0000011E06FA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1716-38-0x00007FFEC9F40000-0x00007FFECA070000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1716-0-0x00007FFEC9F40000-0x00007FFECA070000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1716-3-0x0000028087250000-0x0000028087257000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2256-51-0x00007FFEC9F30000-0x00007FFECA062000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2256-48-0x0000028B9F9C0000-0x0000028B9F9C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2256-45-0x00007FFEC9F30000-0x00007FFECA062000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-36-0x00000000012E0000-0x00000000012E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3572-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-23-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-32-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-33-0x00007FFED716A000-0x00007FFED716B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3572-37-0x00007FFED8190000-0x00007FFED81A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3572-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-6-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3572-4-0x0000000003170000-0x0000000003171000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5080-80-0x00007FFEC9F30000-0x00007FFECA061000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5080-85-0x00007FFEC9F30000-0x00007FFECA061000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5080-79-0x000001D2F63F0000-0x000001D2F63F7000-memory.dmp

          Filesize

          28KB

          Download