Overview

overview

10

Static

static

3

371af98fd5...18.dll

windows7-x64

10

371af98fd5...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/07/2024, 03:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    371af98fd5d1b6a8ecf30ab87a8ce6af_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    371af98fd5d1b6a8ecf30ab87a8ce6af

  • SHA1

    ae32ecdcb944cc6f2bab0a65e06f3e93d3222edd

  • SHA256

    ef76520c0aed81b7d9370ec55c8b159f4e7ffe0266e3d7789e9e886179e17816

  • SHA512

    b63c15c5ebb0fecdf9b144d34b544b2d614fe7558ba7f6e626946fa75622745ec149e43270d30e204078244187ccafe889d6d9961d9cd85ca1dc6b8142d400eb

  • SSDEEP

    24576:2uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NA:29cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\371af98fd5d1b6a8ecf30ab87a8ce6af_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4552
  • C:\Windows\system32\bdechangepin.exe
    C:\Windows\system32\bdechangepin.exe
    1⤵
      PID:2188
    • C:\Users\Admin\AppData\Local\U6fkeqgnr\bdechangepin.exe
      C:\Users\Admin\AppData\Local\U6fkeqgnr\bdechangepin.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2984
    • C:\Windows\system32\rdpinit.exe
      C:\Windows\system32\rdpinit.exe
      1⤵
        PID:2112
      • C:\Users\Admin\AppData\Local\YvtAyuv\rdpinit.exe
        C:\Users\Admin\AppData\Local\YvtAyuv\rdpinit.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2472
      • C:\Windows\system32\SystemPropertiesProtection.exe
        C:\Windows\system32\SystemPropertiesProtection.exe
        1⤵
          PID:4748
        • C:\Users\Admin\AppData\Local\2d3GO\SystemPropertiesProtection.exe
          C:\Users\Admin\AppData\Local\2d3GO\SystemPropertiesProtection.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3952

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2d3GO\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          54faf9394764cc1311c8be9f130fd886

          SHA1

          3cd075190841cbc90ea7305d4ab45110503d6410

          SHA256

          c565b54ff1b087812dab95ea090f678d756da2f94a70331916c99313e7c7ef1e

          SHA512

          99cc49ce5ec484d918b2878366b322374b384bba393b495e2da54f96eb0939afd355461d8f6d93d66a98c4d7d3f6f3091b8e4247d1b0df954430f04579f2624a

          Download Submit

        • C:\Users\Admin\AppData\Local\2d3GO\SystemPropertiesProtection.exe
          Filesize

          82KB

          MD5

          26640d2d4fa912fc9a354ef6cfe500ff

          SHA1

          a343fd82659ce2d8de3beb587088867cf2ab8857

          SHA256

          a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

          SHA512

          26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

          Download Submit

        • C:\Users\Admin\AppData\Local\U6fkeqgnr\DUI70.dll
          Filesize

          1.5MB

          MD5

          3685efbe83dea803ae33f357e9125e0c

          SHA1

          f2cce7cf80d075e592dbb2ba414e4f7f29c7fd9c

          SHA256

          b8f809fdd09438bd054ae3435c9c3c30e3679366e82b7e81b693cf60a751f568

          SHA512

          69e25d5a6a5ace8c9a5299311cc3bb41ae3b1314432defb60b06651c8ba15db0a75098151323f66ce61f33c4bcf8b597f272e2c0907e3f936e4afd526abbac9f

          Download Submit

        • C:\Users\Admin\AppData\Local\U6fkeqgnr\bdechangepin.exe
          Filesize

          373KB

          MD5

          601a28eb2d845d729ddd7330cbae6fd6

          SHA1

          5cf9f6f9135c903d42a7756c638333db8621e642

          SHA256

          4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

          SHA512

          1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

          Download Submit

        • C:\Users\Admin\AppData\Local\YvtAyuv\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          feb4ce1ed20b7417c1c52711abaec327

          SHA1

          a67166227f856f84c4abe75099e696f10ea8e266

          SHA256

          ecda53cfac2e8f0440378bb93d1a06ff6140cf4a3c53c0c0358c9a53d68fe4c0

          SHA512

          48610326fbec10b93f319916d5737fb855721b3b722f048243b77a7f2d0fcc4ee317a5dfa1ccbb33016681946312e8e4f618d637c0ea4e6942eb2eda946adf5a

          Download Submit

        • C:\Users\Admin\AppData\Local\YvtAyuv\rdpinit.exe
          Filesize

          343KB

          MD5

          b0ecd76d99c5f5134aeb52460add6f80

          SHA1

          51462078092c9d6b7fa2b9544ffe0a49eb258106

          SHA256

          51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

          SHA512

          16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arrotspbllekcvw.lnk
          Filesize

          1KB

          MD5

          cf0435f20718aa0892ee551c78efedc6

          SHA1

          6561e2d16f2291fb5ffc2f37fc9504edeb9f07b3

          SHA256

          a62ea57f7ddd16bc359e3c9af82eae2caf758a62794482dfc319256645fc1a8d

          SHA512

          a55c8364e023575a87b72161779df855aaac2db9d951dfb6c416a1c2900952b3ef9a9ce74607f81febeaa8de7f903738b27f07412369bee0ed01f3ec2056dfe7

          Download Submit

        • memory/2472-66-0x0000028977AC0000-0x0000028977AC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2472-63-0x00007FFC9BD80000-0x00007FFC9BEB8000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2472-69-0x00007FFC9BD80000-0x00007FFC9BEB8000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2984-52-0x00007FFC9BD40000-0x00007FFC9BEBD000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2984-47-0x00007FFC9BD40000-0x00007FFC9BEBD000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2984-46-0x0000013205C00000-0x0000013205C07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3524-33-0x0000000001050000-0x0000000001057000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3524-14-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3524-10-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3524-9-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3524-8-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3524-7-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3524-4-0x00000000010C0000-0x00000000010C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3524-12-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3524-13-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3524-15-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3524-16-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3524-32-0x00007FFCA8B2A000-0x00007FFCA8B2B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3524-6-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3524-36-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3524-34-0x00007FFCAAA50000-0x00007FFCAAA60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3524-24-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3524-11-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3952-83-0x0000020637800000-0x0000020637807000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3952-86-0x00007FFC9BD80000-0x00007FFC9BEB8000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4552-0-0x0000000002290000-0x0000000002297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4552-39-0x00007FFC9BD80000-0x00007FFC9BEB7000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4552-1-0x00007FFC9BD80000-0x00007FFC9BEB7000-memory.dmp

          Filesize

          1.2MB

          Download