Overview

overview

10

Static

static

3

7051b4e076...18.dll

windows7-x64

10

7051b4e076...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-07-2024 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7051b4e07604f97d31c07ff0f83c9620_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    7051b4e07604f97d31c07ff0f83c9620

  • SHA1

    9585328616c046d78fd9a9cd61c98ca4504ada1a

  • SHA256

    7da26cae9e489fcf070ff979bb244ed218c0b0fb16b33f36a0079c8b394ae41e

  • SHA512

    9665b1fab2412dec8035e0c89a9395b5bb46534a7a0b4317e06046c35a5cf26a1cd14ac0df62355d875be2a3ce8a956fddcda21fa01e32175da2af62639da6b6

  • SSDEEP

    24576:nuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nnpt:J9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7051b4e07604f97d31c07ff0f83c9620_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4904
  • C:\Windows\system32\CustomShellHost.exe
    C:\Windows\system32\CustomShellHost.exe
    1⤵
      PID:1696
    • C:\Users\Admin\AppData\Local\yOVdc4\CustomShellHost.exe
      C:\Users\Admin\AppData\Local\yOVdc4\CustomShellHost.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:336
    • C:\Windows\system32\lpksetup.exe
      C:\Windows\system32\lpksetup.exe
      1⤵
        PID:2948
      • C:\Users\Admin\AppData\Local\qLcuq\lpksetup.exe
        C:\Users\Admin\AppData\Local\qLcuq\lpksetup.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2540
      • C:\Windows\system32\usocoreworker.exe
        C:\Windows\system32\usocoreworker.exe
        1⤵
          PID:3944
        • C:\Users\Admin\AppData\Local\cCxMR1\usocoreworker.exe
          C:\Users\Admin\AppData\Local\cCxMR1\usocoreworker.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2944

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\cCxMR1\XmlLite.dll
          Filesize

          1.2MB

          MD5

          f899b6a8f0818cb694cfad337c36bdd6

          SHA1

          6763949640d473ae664d54f4d9198119b156ebe9

          SHA256

          b19dc85ec027a97b33c842c50efde48ec6fff61d42d0d86e70e535924ac7a797

          SHA512

          f8843b0fdc4c2517e6218e70845ec67c2489bca807599fbd7e4b0426f219455e544df25e7cab84dcff2c8f5c6d4ad4fce91b74c3733cb622d671a839bf377a85

          Download Submit

        • C:\Users\Admin\AppData\Local\cCxMR1\usocoreworker.exe
          Filesize

          1.3MB

          MD5

          2c5efb321aa64af37dedc6383ce3198e

          SHA1

          a06d7020dd43a57047a62bfb443091cd9de946ba

          SHA256

          0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

          SHA512

          5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

          Download Submit

        • C:\Users\Admin\AppData\Local\qLcuq\dpx.dll
          Filesize

          1.2MB

          MD5

          6f673f2f9de09b8515af87d2f52e695f

          SHA1

          451ac0536cb70d44d8b6b9f2363db88804cb664d

          SHA256

          a55a91c842e4747c2e61a7a05320470e9df476bdccd01e35f71784654c6ead33

          SHA512

          176a8a825df535d1d25e9467d601a935a7270a7e5fe02eb747c8d2b356e5bf1da2eb0ee17a513f6780595359e96263e1812f778f1bfd3c493982f7af0deac155

          Download Submit

        • C:\Users\Admin\AppData\Local\qLcuq\lpksetup.exe
          Filesize

          728KB

          MD5

          c75516a32e0aea02a184074d55d1a997

          SHA1

          f9396946c078f8b0f28e3a6e21a97eeece31d13f

          SHA256

          cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22

          SHA512

          92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

          Download Submit

        • C:\Users\Admin\AppData\Local\yOVdc4\CustomShellHost.exe
          Filesize

          835KB

          MD5

          70400e78b71bc8efdd063570428ae531

          SHA1

          cd86ecd008914fdd0389ac2dc00fe92d87746096

          SHA256

          91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

          SHA512

          53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

          Download Submit

        • C:\Users\Admin\AppData\Local\yOVdc4\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          14ac565f066653a0dafb4a89c39429ef

          SHA1

          809a79cc6d4e4a54b52de86bd048d0e7ae375108

          SHA256

          97e6f685ac48819fea52af18318f5c8ab68555cac2fc6f90caae70fcb4a80690

          SHA512

          9b02d776157c568c0d0aac7a9a5c2602f271f4b4d9d00a92e170d68a35605ce0595a99a869e691afc797622c735670b303b0983104cdda81b34069b364f4cb9e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Vpwtxgnuve.lnk
          Filesize

          1KB

          MD5

          2b9db8511cedd3124e9d684c2500136b

          SHA1

          589be04fc137a41f86758206f0559777dc12b235

          SHA256

          0c84190c865978267f2b4bede29858a3e5f4172cbc7d8ef4767cd85004a70909

          SHA512

          e4e5d84048d326ae6f7233e645702880079981f48ed8acd57173faca1c7445ae2bb7dfc3a7a69a573bbcfb9f03320f2205808a7a7f570b3e3f9fa95f880859ed

          Download Submit

        • memory/336-51-0x00007FFC1D6B0000-0x00007FFC1D7E1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/336-48-0x00000225C3E20000-0x00000225C3E27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/336-45-0x00007FFC1D6B0000-0x00007FFC1D7E1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2540-68-0x00007FFC1D6B0000-0x00007FFC1D7E1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2540-65-0x000001B7A24D0000-0x000001B7A24D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2944-82-0x00000224A4110000-0x00000224A4117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2944-85-0x00007FFC1D6B0000-0x00007FFC1D7E1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3424-29-0x0000000002DF0000-0x0000000002DF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3424-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3424-6-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3424-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3424-4-0x0000000002E10000-0x0000000002E11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3424-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3424-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3424-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3424-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3424-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3424-28-0x00007FFC3A35A000-0x00007FFC3A35B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3424-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3424-30-0x00007FFC3ACD0000-0x00007FFC3ACE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3424-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3424-23-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3424-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4904-3-0x00000268F5DF0000-0x00000268F5DF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4904-38-0x00007FFC2BC30000-0x00007FFC2BD60000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4904-1-0x00007FFC2BC30000-0x00007FFC2BD60000-memory.dmp

          Filesize

          1.2MB

          Download