Overview

overview

10

Static

static

3

982fabb733...18.dll

windows7-x64

10

982fabb733...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-08-2024 23:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    982fabb733c2a30259122452b2464dd0_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    982fabb733c2a30259122452b2464dd0

  • SHA1

    4b02a19b6354b3274f756d19a1496c1483a27ff1

  • SHA256

    4dcf29b7d5c46b1647550492fea89934c0279562875c1c1f5d2a32eadddfef2f

  • SHA512

    5f48b719565cb370e264d9443e0971f9e275b174caa06002d85f1cd596d3665113fb51b63bc99688d50072d8d4c0adb4eadb182e541dfd374562348e9091974e

  • SSDEEP

    24576:fuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:h9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\982fabb733c2a30259122452b2464dd0_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4252
  • C:\Windows\system32\wusa.exe
    C:\Windows\system32\wusa.exe
    1⤵
      PID:4032
    • C:\Users\Admin\AppData\Local\2fJoHw\wusa.exe
      C:\Users\Admin\AppData\Local\2fJoHw\wusa.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1500
    • C:\Windows\system32\mstsc.exe
      C:\Windows\system32\mstsc.exe
      1⤵
        PID:2880
      • C:\Users\Admin\AppData\Local\IHpkWv76\mstsc.exe
        C:\Users\Admin\AppData\Local\IHpkWv76\mstsc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3536
      • C:\Windows\system32\ie4uinit.exe
        C:\Windows\system32\ie4uinit.exe
        1⤵
          PID:1696
        • C:\Users\Admin\AppData\Local\0phc\ie4uinit.exe
          C:\Users\Admin\AppData\Local\0phc\ie4uinit.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3696

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0phc\VERSION.dll
          Filesize

          1.2MB

          MD5

          2b9924177be7ab6a0ca6ae3326535a7e

          SHA1

          2707e757d914da9528cdb0b3e7640429c1f53284

          SHA256

          a8b3dfcf012e0a2f6433f6c350239a5b6748bc525f9c6ea84860d7d543565a91

          SHA512

          9194c0a486b57a39f043e0921237b05e56d94c534b4ba6e1f2027456a38f825a090f20e7d64a8c8e83ddfe878f51faeebdae56acc8079d8cbe94d5dc2931f013

          Download Submit

        • C:\Users\Admin\AppData\Local\0phc\ie4uinit.exe
          Filesize

          262KB

          MD5

          a2f0104edd80ca2c24c24356d5eacc4f

          SHA1

          8269b9fd9231f04ed47419bd565c69dc677fab56

          SHA256

          5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

          SHA512

          e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

          Download Submit

        • C:\Users\Admin\AppData\Local\2fJoHw\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          340669bd9ce1411faa23aa31a1835464

          SHA1

          d2c78e432702ae159272715cf0a70a3f41768b85

          SHA256

          8e5941c2400b59fd334107123eb11ecfbf3c1c9689baf1d2f382bdfd70563aca

          SHA512

          c73681ee82b6c4f1a722fc838044008e22f383fe0240e4f88e784b57b4b493294717525cefffddabc561bedef251877ac407f9a39dfa5337772bdbea2a28dc75

          Download Submit

        • C:\Users\Admin\AppData\Local\2fJoHw\wusa.exe
          Filesize

          309KB

          MD5

          e43499ee2b4cf328a81bace9b1644c5d

          SHA1

          b2b55641f2799e3fdb3bea709c9532017bbac59d

          SHA256

          3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

          SHA512

          04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

          Download Submit

        • C:\Users\Admin\AppData\Local\IHpkWv76\Secur32.dll
          Filesize

          1.2MB

          MD5

          9eb98700aa6e1d8d641b36813e6546c0

          SHA1

          619c33cc4b27402555bb763d753a1b5909b8bc35

          SHA256

          656aab45037ed2abf9ffd1e4d5d508847a60a35a725808edd6068efe2377719f

          SHA512

          b0ae75d23c58bc13f8dfb4d396f522e8d66d0dd0af9e70c61dadfc4ddd69a0ac243f949c189e2a186211e27bd9ccee1e6810a93e1e698291d3f6592c2832c0fb

          Download Submit

        • C:\Users\Admin\AppData\Local\IHpkWv76\mstsc.exe
          Filesize

          1.5MB

          MD5

          3a26640414cee37ff5b36154b1a0b261

          SHA1

          e0c28b5fdf53a202a7543b67bbc97214bad490ed

          SHA256

          1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f

          SHA512

          76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mcinmsnhewplgza.lnk
          Filesize

          1KB

          MD5

          0826872ea66a4f47efcf62f96fe33038

          SHA1

          1464f5175af7b57e223a9fce9c827aa9a6b702cc

          SHA256

          763196086dd272afbe39a488345ceb08878de30aab224e64df86be1be5fc49ae

          SHA512

          9b040be886e1d3638c4f23d58ac8507ea0c4d2dec408b497c9aef83eae94d978140782feca9773acc269141221c5d118e3f889ecc27d2cbd6b7de5260da9fd99

          Download Submit

        • memory/1500-51-0x00007FFE6EEA0000-0x00007FFE6EFD1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1500-48-0x0000026408EA0000-0x0000026408EA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1500-45-0x00007FFE6EEA0000-0x00007FFE6EFD1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-31-0x00007FFE8BC5A000-0x00007FFE8BC5B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-6-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-4-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-32-0x00000000007B0000-0x00000000007B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3464-33-0x00007FFE8C6B0000-0x00007FFE8C6C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3464-23-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3536-62-0x0000021658D10000-0x0000021658D17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3536-68-0x00007FFE6EEA0000-0x00007FFE6EFD1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3696-80-0x00007FFE6DCC0000-0x00007FFE6DDF1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3696-85-0x00007FFE6DCC0000-0x00007FFE6DDF1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4252-0-0x00000228AFC80000-0x00000228AFC87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4252-38-0x00007FFE7D390000-0x00007FFE7D4C0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4252-2-0x00007FFE7D390000-0x00007FFE7D4C0000-memory.dmp

          Filesize

          1.2MB

          Download