Overview

overview

10

Static

static

3

9451d3c072...18.dll

windows7-x64

10

9451d3c072...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/08/2024, 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9451d3c0720234ff8d9c569a4aad8091_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    9451d3c0720234ff8d9c569a4aad8091

  • SHA1

    93bbf76f507f8cb828ce56565b2c49f24cdc833e

  • SHA256

    563a650a72c772c648f6b34055b1d31c379fa7beef40d6eba02aa25b5a7316d2

  • SHA512

    21682d7762390f1504933c3e1a978d806a2334f43f5ac6d6d2c575bbfd950c1dc8eb8b4cd4216a893f23b3cc814cbe48e6e493c5da6cb998960a19edce17f88d

  • SSDEEP

    24576:quYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:y9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9451d3c0720234ff8d9c569a4aad8091_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2072
  • C:\Windows\system32\ddodiag.exe
    C:\Windows\system32\ddodiag.exe
    1⤵
      PID:1892
    • C:\Users\Admin\AppData\Local\1648Tu3\ddodiag.exe
      C:\Users\Admin\AppData\Local\1648Tu3\ddodiag.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1844
    • C:\Windows\system32\SystemPropertiesRemote.exe
      C:\Windows\system32\SystemPropertiesRemote.exe
      1⤵
        PID:4696
      • C:\Users\Admin\AppData\Local\EgKXkS\SystemPropertiesRemote.exe
        C:\Users\Admin\AppData\Local\EgKXkS\SystemPropertiesRemote.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:428
      • C:\Windows\system32\msra.exe
        C:\Windows\system32\msra.exe
        1⤵
          PID:3588
        • C:\Users\Admin\AppData\Local\po7DInOS4\msra.exe
          C:\Users\Admin\AppData\Local\po7DInOS4\msra.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1876

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1648Tu3\XmlLite.dll
          Filesize

          1.2MB

          MD5

          5e6e254a012278632bc4858d99c577f6

          SHA1

          d43d818672ebf97ec83a02be54694e1c99821fa8

          SHA256

          49d49f3d3a6382f70c4c3e802b25c9a6ae30a92bc23d91ccccf097388e8b50d7

          SHA512

          4b269206481876b7f0ccfbb8ff7d90f00bfaa8487a6f3973107b951d10768f033854af336cb2ac44786fb90ab078a1a53bb95bbe6b059c6b8e3e37ae840c701a

          Download Submit

        • C:\Users\Admin\AppData\Local\1648Tu3\ddodiag.exe
          Filesize

          39KB

          MD5

          85feee634a6aee90f0108e26d3d9bc1f

          SHA1

          a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

          SHA256

          99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

          SHA512

          b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

          Download Submit

        • C:\Users\Admin\AppData\Local\EgKXkS\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          3c56d5d99e98863f940bb5116f877abc

          SHA1

          2ec6c08dcac5e64bcc594be7a2c51fd221597bac

          SHA256

          4bd4b4ffc521b87c991dfe846790012c5abb6520b3a0d58891115c6d028011af

          SHA512

          7591ebfe6fcd030fcbfd6582d5a320da29b0b08adae0e2032a2bf7358fc969355c32c95c662611bed7c23f5786eedbe50f9307f6f0701930eb24efa788167a3f

          Download Submit

        • C:\Users\Admin\AppData\Local\EgKXkS\SystemPropertiesRemote.exe
          Filesize

          82KB

          MD5

          cdce1ee7f316f249a3c20cc7a0197da9

          SHA1

          dadb23af07827758005ec0235ac1573ffcea0da6

          SHA256

          7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

          SHA512

          f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

          Download Submit

        • C:\Users\Admin\AppData\Local\po7DInOS4\NDFAPI.DLL
          Filesize

          1.2MB

          MD5

          b49711c305ad1ac1f4bdc67d5a3a8eff

          SHA1

          2676306ddf74c6d86b444eb0a42b6c3b0444976b

          SHA256

          6c37a36dd0f3e400252328360e678dfd8f1170deca5bc8f39e8ff1910b7aaf85

          SHA512

          011f7747359edfebc98235bd016f72ba79a014bb0acff3042789489e1c24faa4affa09ce831749f71b5b78e0358b478d62229842cc34bd4e7ae4fc8137593e06

          Download Submit

        • C:\Users\Admin\AppData\Local\po7DInOS4\msra.exe
          Filesize

          579KB

          MD5

          dcda3b7b8eb0bfbccb54b4d6a6844ad6

          SHA1

          316a2925e451f739f45e31bc233a95f91bf775fa

          SHA256

          011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

          SHA512

          18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk
          Filesize

          1KB

          MD5

          012a3ed5127a23d3f541f58ce587e727

          SHA1

          9402d7114658f08bef6e4cbbfe41f210884c67ae

          SHA256

          31d1de71941d2c17d18e73aaee7d24cc6dd104bd21a3d0ede961677110e3db14

          SHA512

          8c7f13fcf43da57eac61fcf908dd7a4d654ea77236ffa266a4a5a66e948fba96be2fcbec0d260456262bc1ef1a1e8b698f923612e4a242a991f1c5d0739628c9

          Download Submit

        • memory/428-69-0x00007FFD2D9F0000-0x00007FFD2DB22000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/428-63-0x00007FFD2D9F0000-0x00007FFD2DB22000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/428-66-0x0000019B8EDF0000-0x0000019B8EDF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1844-52-0x00007FFD2DA50000-0x00007FFD2DB82000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1844-49-0x0000013B93FB0000-0x0000013B93FB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1844-46-0x00007FFD2DA50000-0x00007FFD2DB82000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1876-82-0x000001B760E70000-0x000001B760E77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1876-86-0x00007FFD2D9F0000-0x00007FFD2DB22000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2072-0-0x000001501E580000-0x000001501E587000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2072-39-0x00007FFD2E8E0000-0x00007FFD2EA11000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2072-1-0x00007FFD2E8E0000-0x00007FFD2EA11000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-34-0x00000000014B0000-0x00000000014B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3548-35-0x00007FFD3D290000-0x00007FFD3D2A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3548-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3548-4-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3548-6-0x00007FFD3B8BA000-0x00007FFD3B8BB000-memory.dmp

          Filesize

          4KB

          Download