Overview

overview

10

Static

static

3

8e19a8bb88...18.dll

windows7-x64

10

8e19a8bb88...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-08-2024 08:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e19a8bb88b3a6f49c0280001d3d9048_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    8e19a8bb88b3a6f49c0280001d3d9048

  • SHA1

    c50c2ba966058ea5951583dbccd7b89fbeefad55

  • SHA256

    568409d2fe2b02aff5e1b17110ae744f95d9ec7a4f4f977026585845e2b428db

  • SHA512

    dbf21ae29251ca3aad7f084485f6f2362b03dc4cdbccc5f3d0566c37bb949537202638c57476f83b98f913fd60754e14dad052059835907ca177e41f3317d56a

  • SSDEEP

    24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:m9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8e19a8bb88b3a6f49c0280001d3d9048_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4424
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    1⤵
      PID:3768
    • C:\Users\Admin\AppData\Local\XhcVq7vx9\rstrui.exe
      C:\Users\Admin\AppData\Local\XhcVq7vx9\rstrui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3168
    • C:\Windows\system32\SystemPropertiesProtection.exe
      C:\Windows\system32\SystemPropertiesProtection.exe
      1⤵
        PID:4348
      • C:\Users\Admin\AppData\Local\UyZdA\SystemPropertiesProtection.exe
        C:\Users\Admin\AppData\Local\UyZdA\SystemPropertiesProtection.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4472
      • C:\Windows\system32\RecoveryDrive.exe
        C:\Windows\system32\RecoveryDrive.exe
        1⤵
          PID:1288
        • C:\Users\Admin\AppData\Local\ia9VB5d\RecoveryDrive.exe
          C:\Users\Admin\AppData\Local\ia9VB5d\RecoveryDrive.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3608

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\UyZdA\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          12e7922e4773c12f1484516b9ee4f12c

          SHA1

          4fa476d11a0ac10103954d1d333eb2ce442fb09f

          SHA256

          99df445627c5183d66bdef4343f032abade65754ea6373e1ac4229c9633cf4d5

          SHA512

          fcddc752235718fe218993bb4647daf9d00ca5b9427d055a1b272618e18883ebf8b397f653a18890ab0e2f115eb5529e32fb4e700073538c87a7954aa7a9a645

          Download Submit

        • C:\Users\Admin\AppData\Local\UyZdA\SystemPropertiesProtection.exe
          Filesize

          82KB

          MD5

          26640d2d4fa912fc9a354ef6cfe500ff

          SHA1

          a343fd82659ce2d8de3beb587088867cf2ab8857

          SHA256

          a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

          SHA512

          26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

          Download Submit

        • C:\Users\Admin\AppData\Local\XhcVq7vx9\SPP.dll
          Filesize

          1.2MB

          MD5

          33fd63123bd7e8bf9cca7a1ed38eed8b

          SHA1

          cfcb1d7dd4ae29de228c959ee1971d0703349933

          SHA256

          2b3d46164c8fd18752efd431bdd685333d1bb7af1a83a0a8a8c0629b24d25565

          SHA512

          81ebc317f7afc4176786cbec33d28c06e1c329e46ba62b15f98aa570f1fd1f48f3485d02ff61436d8c1533b664d6e5b14ce9ef2bfa858709bea95dd0af54f305

          Download Submit

        • C:\Users\Admin\AppData\Local\XhcVq7vx9\rstrui.exe
          Filesize

          268KB

          MD5

          4cad10846e93e85790865d5c0ab6ffd9

          SHA1

          8a223f4bab28afa4c7ed630f29325563c5dcda1a

          SHA256

          9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

          SHA512

          c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

          Download Submit

        • C:\Users\Admin\AppData\Local\ia9VB5d\ReAgent.dll
          Filesize

          1.2MB

          MD5

          907b757aa9b15c16a32baeebe530df9e

          SHA1

          5331847b5f366c6027df6e161fedbf08f2491315

          SHA256

          86132d8d283c5d39ef774b847274f75c637239e6b0e29609623a96b2ea4454f4

          SHA512

          56408a4f606773c2087169c63fcef4509658302b4b700facd3527181c204605a562c75c7a75313577f933420bead4b8cb6ae96c22c47b4ae27b08d4849756996

          Download Submit

        • C:\Users\Admin\AppData\Local\ia9VB5d\RecoveryDrive.exe
          Filesize

          911KB

          MD5

          b9b3dc6f2eb89e41ff27400952602c74

          SHA1

          24ae07e0db3ace0809d08bbd039db3a9d533e81b

          SHA256

          630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

          SHA512

          7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk
          Filesize

          1KB

          MD5

          ba7abe6bc9fd6188d6a1161d2e58cd04

          SHA1

          2150bf0b3ac5086375b2100d7b735f299f858f1e

          SHA256

          78d0e7ddb3728bdb9527abebe50e49e50f28ef1e6a9b0fb1fc901817612c46cd

          SHA512

          47b296353ee60b9d082e1dbf30ea78622a1ed94f2c91ef87e52fe1f9d585426dc9121275357dce6977436182c342365c572a143416bee843962721a1fbaf881b

          Download Submit

        • memory/3168-52-0x00007FFFC70E0000-0x00007FFFC7212000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3168-46-0x00007FFFC70E0000-0x00007FFFC7212000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3168-49-0x000001D089780000-0x000001D089787000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3408-38-0x00007FFFD5DF0000-0x00007FFFD5E00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3408-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-4-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3408-34-0x00007FFFD42AA000-0x00007FFFD42AB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3408-37-0x0000000001130000-0x0000000001137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3408-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-33-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-6-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3408-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3608-80-0x00007FFFC6F70000-0x00007FFFC70A2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3608-85-0x00007FFFC6F70000-0x00007FFFC70A2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4424-0-0x00007FFFC75E0000-0x00007FFFC7711000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4424-39-0x00007FFFC75E0000-0x00007FFFC7711000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4424-3-0x0000000002950000-0x0000000002957000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4472-64-0x00007FFFC7080000-0x00007FFFC71B2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4472-63-0x000001991BBE0000-0x000001991BBE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4472-69-0x00007FFFC7080000-0x00007FFFC71B2000-memory.dmp

          Filesize

          1.2MB

          Download