Overview

overview

10

Static

static

3

9178704734...18.dll

windows7-x64

10

9178704734...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-08-2024 03:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9178704734b911ca29d7dc5c900578fc_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    9178704734b911ca29d7dc5c900578fc

  • SHA1

    0cf6ddebd252f71169e021735ed2cefa724ebd12

  • SHA256

    baff5c31fbc24802e6699a7b10eb759d7555eb590d051c768980a2fafbf4265c

  • SHA512

    9fe6a6b935c4cae65dbcaef7bd292c4a2c7ad47ee83db4b5abec59a7cda5701521493f66aa0f0739aadb1577c54e431f3fba153bea54fae0a1c9f623a6ab6891

  • SSDEEP

    24576:VuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:v9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9178704734b911ca29d7dc5c900578fc_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1180
  • C:\Windows\system32\dpapimig.exe
    C:\Windows\system32\dpapimig.exe
    1⤵
      PID:1860
    • C:\Users\Admin\AppData\Local\Vi1VQ\dpapimig.exe
      C:\Users\Admin\AppData\Local\Vi1VQ\dpapimig.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2416
    • C:\Windows\system32\mspaint.exe
      C:\Windows\system32\mspaint.exe
      1⤵
        PID:2400
      • C:\Users\Admin\AppData\Local\K13vM\mspaint.exe
        C:\Users\Admin\AppData\Local\K13vM\mspaint.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:896
      • C:\Windows\system32\ie4ushowIE.exe
        C:\Windows\system32\ie4ushowIE.exe
        1⤵
          PID:4792
        • C:\Users\Admin\AppData\Local\IRlfJ6G62\ie4ushowIE.exe
          C:\Users\Admin\AppData\Local\IRlfJ6G62\ie4ushowIE.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1508

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IRlfJ6G62\VERSION.dll
          Filesize

          1.2MB

          MD5

          83ebacf145a040b981094dc698d989fe

          SHA1

          90d870ad895780ce54e4632e4ab3ce74b446d66a

          SHA256

          ae3332d574203a05fc727196842885616d357da4d3624e4552f48eefb484c6ca

          SHA512

          72040426ff32526c4bf08e85774d63f4144773980188401d69bbe1f9976280ef600294c58c12cbf7586a2cfecbbbc0f5032ffe69f6f7ab0d6681da4f23cee0fb

          Download Submit

        • C:\Users\Admin\AppData\Local\IRlfJ6G62\ie4ushowIE.exe
          Filesize

          76KB

          MD5

          9de952f476abab0cd62bfd81e20a3deb

          SHA1

          109cc4467b78dad4b12a3225020ea590bccee3e6

          SHA256

          e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

          SHA512

          3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

          Download Submit

        • C:\Users\Admin\AppData\Local\K13vM\MFC42u.dll
          Filesize

          1.2MB

          MD5

          98651635d6f443d2d66fde5e56b17c1e

          SHA1

          50663c076c010cce6bebaa6d4440dddf07056017

          SHA256

          cab305cd2ab0867ccc22bd03a9b1a8f5008d7c29e7f786b1e69ce5ee121cf949

          SHA512

          7dcd6a0fa8861f66bce1cdef96fc9064b7437d6160c9d57acc8f0eef5041188ba629279cb124091fd4da006566c4e22598a11cd94650794a576a9a9ebd41aa4c

          Download Submit

        • C:\Users\Admin\AppData\Local\K13vM\mspaint.exe
          Filesize

          965KB

          MD5

          f221a4ccafec690101c59f726c95b646

          SHA1

          2098e4b62eaab213cbee73ba40fe4f1b8901a782

          SHA256

          94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

          SHA512

          8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

          Download Submit

        • C:\Users\Admin\AppData\Local\Vi1VQ\DUI70.dll
          Filesize

          1.4MB

          MD5

          ff407aab3088a76e4d3f647a162b385f

          SHA1

          8ab7c7a7b829871013e7bdeff7ca0f547ac87d24

          SHA256

          9aaece9dc7e4dfa3a57bacc2c6a1db9c8e4f792e948cb6498c37a1ae557d53e5

          SHA512

          54cb8fc437ed7c2c4a2e6cea5d9af87b1279cb0e8b207f630d0a5f318f45267226e25743feffa707bd6fe383f049c694379dde997b7f4cfe4ae07c34a91ada9a

          Download Submit

        • C:\Users\Admin\AppData\Local\Vi1VQ\dpapimig.exe
          Filesize

          76KB

          MD5

          b6d6477a0c90a81624c6a8548026b4d0

          SHA1

          e6eac6941d27f76bbd306c2938c0a962dbf1ced1

          SHA256

          a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

          SHA512

          72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yfsfrqrlkk.lnk
          Filesize

          1KB

          MD5

          6b80cade142da1bb4bc6dd34d024c44a

          SHA1

          4a9b158ec2a5d921186f2e3c20e9ef6568f1cd02

          SHA256

          845222d0ea6851b4d5320d38da54bc4eb41f9ab37e1960469689dfe140111463

          SHA512

          e33e21892447b215d06d77df62293d9ed9474330eaea40fbdd440d0dd5ca61d797e2096f1456b00ce375a7796519467a1061e524f5cb61570fd45abb483ceea2

          Download Submit

        • memory/896-66-0x000001A2379F0000-0x000001A2379F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/896-63-0x00007FFC997C0000-0x00007FFC998F7000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/896-67-0x00007FFC997C0000-0x00007FFC998F7000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1180-3-0x000002E528B20000-0x000002E528B27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1180-0-0x00007FFCA87D0000-0x00007FFCA8900000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1180-38-0x00007FFCA87D0000-0x00007FFCA8900000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1508-76-0x00007FFC99820000-0x00007FFC99951000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1508-81-0x000001B530170000-0x000001B530177000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1508-82-0x00007FFC99820000-0x00007FFC99951000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2416-51-0x00007FFC997E0000-0x00007FFC99956000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2416-45-0x00007FFC997E0000-0x00007FFC99956000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2416-48-0x000001AF3CE30000-0x000001AF3CE37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3548-32-0x00007FFCB6E0A000-0x00007FFCB6E0B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3548-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-6-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-33-0x0000000000750000-0x0000000000757000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3548-34-0x00007FFCB8030000-0x00007FFCB8040000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3548-23-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-4-0x0000000002930000-0x0000000002931000-memory.dmp

          Filesize

          4KB

          Download