Overview

overview

10

Static

static

3

8edbc8966c...18.dll

windows7-x64

10

8edbc8966c...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-08-2024 13:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8edbc8966c7188e465581d36300c7352_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    8edbc8966c7188e465581d36300c7352

  • SHA1

    659416a2b57a6473f69f7ec5d31c8126f4e00ba5

  • SHA256

    b85dc997c286d5e1c94c544310837a28f8b7376d5ff40fbf0af80af9cc43cc8f

  • SHA512

    fc026ad358a33716ee1bab7f8ebe962c6b2350d3ce6f100c92d35ed69a6d2c6f8a4e95d9b59c1dfa9d00e8513dbd4cfef34df0b045344d8b08ec8820a6fb5d1f

  • SSDEEP

    24576:fuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:h9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8edbc8966c7188e465581d36300c7352_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4660
  • C:\Windows\system32\DevicePairingWizard.exe
    C:\Windows\system32\DevicePairingWizard.exe
    1⤵
      PID:1660
    • C:\Users\Admin\AppData\Local\5F1IOQWz9\DevicePairingWizard.exe
      C:\Users\Admin\AppData\Local\5F1IOQWz9\DevicePairingWizard.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2768
    • C:\Windows\system32\BitLockerWizard.exe
      C:\Windows\system32\BitLockerWizard.exe
      1⤵
        PID:2460
      • C:\Users\Admin\AppData\Local\Cr5SBJ6QT\BitLockerWizard.exe
        C:\Users\Admin\AppData\Local\Cr5SBJ6QT\BitLockerWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4040
      • C:\Windows\system32\wbengine.exe
        C:\Windows\system32\wbengine.exe
        1⤵
          PID:1940
        • C:\Users\Admin\AppData\Local\EOJDVFAB3\wbengine.exe
          C:\Users\Admin\AppData\Local\EOJDVFAB3\wbengine.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:5076

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\5F1IOQWz9\DevicePairingWizard.exe
          Filesize

          93KB

          MD5

          d0e40a5a0c7dad2d6e5040d7fbc37533

          SHA1

          b0eabbd37a97a1abcd90bd56394f5c45585699eb

          SHA256

          2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

          SHA512

          1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

          Download Submit

        • C:\Users\Admin\AppData\Local\5F1IOQWz9\MFC42u.dll
          Filesize

          1.2MB

          MD5

          c59499ff205795550a92b0fcfcc557a7

          SHA1

          aa5fe54b181d43debb04e3f644b897bc8bac165d

          SHA256

          642ea3d1e04965c553a7abad827ca28816875984b645409aa9908bf4322a505c

          SHA512

          385c3fdb68c7c4caf39c2843d410634e14866c1c982f23e07bd1f41227accb7e635f849f24775d9a5f3afd9f7b494c54777c74e95cb3ebfa02dc1e70ad74b52d

          Download Submit

        • C:\Users\Admin\AppData\Local\Cr5SBJ6QT\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit

        • C:\Users\Admin\AppData\Local\Cr5SBJ6QT\FVEWIZ.dll
          Filesize

          1.2MB

          MD5

          1c6b9512c2130f5623a20392f0225f05

          SHA1

          6f6b0426c9c6d1fc8b7f61674c4318b0a724c815

          SHA256

          f1e5e82a861696e0065492a6d4696129005981ed8d4520028364e1423e140a8c

          SHA512

          cd705ab8ca17626c26bb985d2f0f8da8c6e0a57e258526ec32615553bd2ca606d7930ddf0da6edfcebe46192c235a02d028ee5121a8e9d9ab8b91a4cc84b8ad3

          Download Submit

        • C:\Users\Admin\AppData\Local\EOJDVFAB3\SPP.dll
          Filesize

          1.2MB

          MD5

          15a7207e49d13236b071020a37410162

          SHA1

          8a860a7ded0035a335c33479d216508187232ff6

          SHA256

          39d4997210a7d9337c5b3a98eae3e7e04bd4e14daaeb2f84dd3fb19c60d1773b

          SHA512

          d84dd663b0e7a9ad0d1412e0427db850fa7f40086e67d02767b188b5e9f030ba22b46c14a470344c6293fa74040b9eb975397ac4b1774f6fb410bfac798cdb5a

          Download Submit

        • C:\Users\Admin\AppData\Local\EOJDVFAB3\wbengine.exe
          Filesize

          1.5MB

          MD5

          17270a354a66590953c4aac1cf54e507

          SHA1

          715babcc8e46b02ac498f4f06df7937904d9798d

          SHA256

          9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

          SHA512

          6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk
          Filesize

          1KB

          MD5

          ab7631ae8e33f3f6c74e2813ec2791ff

          SHA1

          2ca1e06b1fffaa72892b335d02935e5267d782cb

          SHA256

          eb3467ab1d10140786d39341f4b8172aa8de758d2b05673e735583222fa8c334

          SHA512

          c6698347a0bad3ab0c892252120bde1cba1afb2c98d9011687a30ffeef5bf6483cbe735f93d64c8dce007ac581cc67a44be30e06b5d7ef6484802b23a41ac4a9

          Download Submit

        • memory/2768-51-0x00007FF9B8460000-0x00007FF9B8597000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2768-48-0x000001DC1AD40000-0x000001DC1AD47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2768-45-0x00007FF9B8460000-0x00007FF9B8597000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-33-0x00007FF9C7530000-0x00007FF9C7540000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-6-0x00007FF9C644A000-0x00007FF9C644B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-32-0x0000000000BE0000-0x0000000000BE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3432-4-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-17-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3432-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4040-65-0x000001EFB64F0000-0x000001EFB64F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4040-63-0x00007FF9B8460000-0x00007FF9B8591000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4040-68-0x00007FF9B8460000-0x00007FF9B8591000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4660-3-0x000001A8C84B0000-0x000001A8C84B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4660-38-0x00007FF9B8DC0000-0x00007FF9B8EF0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4660-1-0x00007FF9B8DC0000-0x00007FF9B8EF0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5076-82-0x0000020ACF040000-0x0000020ACF047000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5076-84-0x00007FF9B8460000-0x00007FF9B8591000-memory.dmp

          Filesize

          1.2MB

          Download