Overview

overview

10

Static

static

3

919faabaf4...18.dll

windows7-x64

10

919faabaf4...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-08-2024 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    919faabaf40217b576a1f93cab032587_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    919faabaf40217b576a1f93cab032587

  • SHA1

    846b9da7874bf67d4ac2c506113852d2d65b363d

  • SHA256

    c1c7e9180c08d543ddb651df2858b8d84fe6964012ba3cba206d3d025db49e36

  • SHA512

    724addbbc986ecb110c698cdd916c8ef00d6e28d509533d10793c21476fa39c0e371ca7032a9a0cf4a5bdc80728e1221377c84b09d7a577551dadeda30b409b5

  • SSDEEP

    24576:KuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:S9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\919faabaf40217b576a1f93cab032587_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4236
  • C:\Windows\system32\SystemPropertiesRemote.exe
    C:\Windows\system32\SystemPropertiesRemote.exe
    1⤵
      PID:4392
    • C:\Users\Admin\AppData\Local\Ibcw\SystemPropertiesRemote.exe
      C:\Users\Admin\AppData\Local\Ibcw\SystemPropertiesRemote.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2284
    • C:\Windows\system32\wlrmdr.exe
      C:\Windows\system32\wlrmdr.exe
      1⤵
        PID:1152
      • C:\Users\Admin\AppData\Local\WSTCfYPE7\wlrmdr.exe
        C:\Users\Admin\AppData\Local\WSTCfYPE7\wlrmdr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2508
      • C:\Windows\system32\DevicePairingWizard.exe
        C:\Windows\system32\DevicePairingWizard.exe
        1⤵
          PID:4460
        • C:\Users\Admin\AppData\Local\U4xMxKRzM\DevicePairingWizard.exe
          C:\Users\Admin\AppData\Local\U4xMxKRzM\DevicePairingWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3600

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Ibcw\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          94d254a26b8a0b58d8fda9593e5e6d82

          SHA1

          68a2dbf69bfd6245d170c45a4f7e17899e8d94ac

          SHA256

          ec29a655c3a70ee249d3b4c786548cf495ced90bbaab94dbf964457e9a05f951

          SHA512

          5a53eda3f25ff80ee0d72550ce7efa1b5486cbeefa6a954e2dae84a3a23cfdd2d1bd2a82f4e2b5012b909ab0024376f149a0b4b6ef08215acc567f7a05f30da1

          Download Submit

        • C:\Users\Admin\AppData\Local\Ibcw\SystemPropertiesRemote.exe
          Filesize

          82KB

          MD5

          cdce1ee7f316f249a3c20cc7a0197da9

          SHA1

          dadb23af07827758005ec0235ac1573ffcea0da6

          SHA256

          7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

          SHA512

          f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

          Download Submit

        • C:\Users\Admin\AppData\Local\U4xMxKRzM\DevicePairingWizard.exe
          Filesize

          93KB

          MD5

          d0e40a5a0c7dad2d6e5040d7fbc37533

          SHA1

          b0eabbd37a97a1abcd90bd56394f5c45585699eb

          SHA256

          2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

          SHA512

          1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

          Download Submit

        • C:\Users\Admin\AppData\Local\U4xMxKRzM\MFC42u.dll
          Filesize

          1.2MB

          MD5

          86fcf57438295bb3356e13afbb9209b6

          SHA1

          ebc52f86e4cd1f18d0ef6f4f7f59b09ade52b9a0

          SHA256

          b8cb90766a7feba8d113536a252daa29b9bb3190b1cc8f2138979f8af6220dcc

          SHA512

          0f3dcc0c2ca682d07c0a4650ea342400c6f4baed97dfef4a165efb06628a19024b054fe5365bf90cb0ea1d48204c613cfffeab616af66ab17997171d9e4dda14

          Download Submit

        • C:\Users\Admin\AppData\Local\WSTCfYPE7\DUI70.dll
          Filesize

          1.4MB

          MD5

          61117cfb7e56ed36d6cfa90e2eb7c9a1

          SHA1

          250911ac7b54403d1acadeedb0740458a8ee2d58

          SHA256

          0349fac70dd20f7b4940a2db5bcb35da4fe9bfc4fa1d8e28cad510f99579c631

          SHA512

          a9eeea6684dd39edb3dad9951612916fa94864fe5ee1a6dc06a9de6b6142c4c43d6dda39dd70f8e223bc6b87e0109601d687e42cec27ab91f2911806577845d2

          Download Submit

        • C:\Users\Admin\AppData\Local\WSTCfYPE7\wlrmdr.exe
          Filesize

          66KB

          MD5

          ef9bba7a637a11b224a90bf90a8943ac

          SHA1

          4747ec6efd2d41e049159249c2d888189bb33d1d

          SHA256

          2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

          SHA512

          4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mihblavoyj.lnk
          Filesize

          1KB

          MD5

          91fa6c335558a6f432b297ecf4e116cd

          SHA1

          ef6d097be68ce6cb0b9a84a1a6590e52c5882586

          SHA256

          057c36c6ea37cc6a65df8dc0d8d73ddbdf17d5077af324fcddd8f473761d60cb

          SHA512

          23529ff9fddbd0007553db0f055fb06b29c52cfe8c15cb9b2ccf3d69676987511a0f838b1f3d33455aa9b51b382addc8e91bac904edda6d864f5433875e52708

          Download Submit

        • memory/2284-51-0x00007FFA0A0D0000-0x00007FFA0A201000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2284-46-0x00007FFA0A0D0000-0x00007FFA0A201000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2284-45-0x0000020BACC50000-0x0000020BACC57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2508-65-0x000001BB2CB50000-0x000001BB2CB57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2508-62-0x00007FFA0A090000-0x00007FFA0A206000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2508-68-0x00007FFA0A090000-0x00007FFA0A206000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3504-28-0x0000000001000000-0x0000000001007000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3504-4-0x0000000003010000-0x0000000003011000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3504-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3504-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3504-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3504-6-0x00007FFA268BA000-0x00007FFA268BB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3504-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3504-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3504-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3504-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3504-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3504-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3504-29-0x00007FFA27730000-0x00007FFA27740000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3504-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3504-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3504-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3600-79-0x0000022862C00000-0x0000022862C07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3600-80-0x00007FFA0A0D0000-0x00007FFA0A207000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3600-85-0x00007FFA0A0D0000-0x00007FFA0A207000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4236-0-0x00007FFA19720000-0x00007FFA19850000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4236-38-0x00007FFA19720000-0x00007FFA19850000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4236-3-0x0000000001F80000-0x0000000001F87000-memory.dmp

          Filesize

          28KB

          Download