Overview

overview

10

Static

static

3

967a503506...18.dll

windows7-x64

10

967a503506...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-08-2024 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    967a503506ff447b27fe29ef9b72c2c1_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    967a503506ff447b27fe29ef9b72c2c1

  • SHA1

    b6378a7ad579db6ba868da3c051f6d38b7077094

  • SHA256

    93524ff07e2650a8134290cd0c894af2b4855d4654788141ee640f34109f1ea2

  • SHA512

    d7fbf7538148c5f22c51b82e9c98da414e322fb915f2fb3d103466abe7c35a4753b39eec181ceec22e381f091aaeed3c64007721e0e85119410c6c1b87093b1a

  • SSDEEP

    24576:quYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:y9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\967a503506ff447b27fe29ef9b72c2c1_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:5068
  • C:\Windows\system32\FXSCOVER.exe
    C:\Windows\system32\FXSCOVER.exe
    1⤵
      PID:3600
    • C:\Users\Admin\AppData\Local\bYVKwzL\FXSCOVER.exe
      C:\Users\Admin\AppData\Local\bYVKwzL\FXSCOVER.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:860
    • C:\Windows\system32\cmstp.exe
      C:\Windows\system32\cmstp.exe
      1⤵
        PID:956
      • C:\Users\Admin\AppData\Local\uqJ\cmstp.exe
        C:\Users\Admin\AppData\Local\uqJ\cmstp.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4644
      • C:\Windows\system32\SystemSettingsRemoveDevice.exe
        C:\Windows\system32\SystemSettingsRemoveDevice.exe
        1⤵
          PID:4076
        • C:\Users\Admin\AppData\Local\6GR7WlXeX\SystemSettingsRemoveDevice.exe
          C:\Users\Admin\AppData\Local\6GR7WlXeX\SystemSettingsRemoveDevice.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2760

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6GR7WlXeX\DUI70.dll
          Filesize

          1.4MB

          MD5

          4a6e9c7577719570f905325b0624c157

          SHA1

          20d250816b8b856ab3e3317055fc825f7aa75b20

          SHA256

          a0d03a615ded10705345c21323c8d8a1570e82248820cd9bd610dd9b0bdf9c55

          SHA512

          6cb22283349d94782dd051c7609dd160bf135b18dedd2fefdf292eb2bee4b44206841809103d59a418fe512570c1e6fdadc295cb64214b44393ba37dca8e2f36

          Download Submit

        • C:\Users\Admin\AppData\Local\6GR7WlXeX\SystemSettingsRemoveDevice.exe
          Filesize

          39KB

          MD5

          7853f1c933690bb7c53c67151cbddeb0

          SHA1

          d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

          SHA256

          9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

          SHA512

          831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

          Download Submit

        • C:\Users\Admin\AppData\Local\bYVKwzL\FXSCOVER.exe
          Filesize

          242KB

          MD5

          5769f78d00f22f76a4193dc720d0b2bd

          SHA1

          d62b6cab057e88737cba43fe9b0c6d11a28b53e8

          SHA256

          40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

          SHA512

          b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

          Download Submit

        • C:\Users\Admin\AppData\Local\bYVKwzL\MFC42u.dll
          Filesize

          1.2MB

          MD5

          54de43d27ad089f85561e6e2632573dc

          SHA1

          13c98f87a612a423d0b9f7939368ca986296dcc2

          SHA256

          5046f8d67f0f6378a6d7a08760ff5797e8d3bc3aff30c1df9b2c74b4b36bff8b

          SHA512

          2f82dce9c59bdd86e82bd40ea6012b6d4ab6282a56a1dfc395f9d69603341c15f622082505de3dcae8ddb5132ee6bf6baeee7e52a2b198a87021004339946716

          Download Submit

        • C:\Users\Admin\AppData\Local\uqJ\VERSION.dll
          Filesize

          1.2MB

          MD5

          cfbad9972efe9a2cc6c3904362d3d60d

          SHA1

          812798bf60e9c093080116fe73aad4d2c117a8ae

          SHA256

          7633b9d4143fc557605ddde8ee333cf207d7783949ceb98eeccb18c1a6b53364

          SHA512

          964db4845c0281c530c73a701a91c38a44d83ac1e34e140875423ea83f7f05e74d2f298626eaf28404b7bd5e225cb3894bd8c14a0d4cb985f421e0600a7375fc

          Download Submit

        • C:\Users\Admin\AppData\Local\uqJ\cmstp.exe
          Filesize

          96KB

          MD5

          4cc43fe4d397ff79fa69f397e016df52

          SHA1

          8fd6cf81ad40c9b123cd75611860a8b95c72869c

          SHA256

          f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

          SHA512

          851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk
          Filesize

          1KB

          MD5

          fe43f0dc0e4ab669758b04d197eaed6e

          SHA1

          4fb2b178b8ec8dfe9a163df0c3598eda63e9ab42

          SHA256

          1565a21ffa71ef4c5a36a66b91ada02544e2f0e03f11482d2388ac2b0867478c

          SHA512

          55aae523e48fdd93a6d59747af8e63bbc53c37183bdbf6797f7ffd16f586bb6672149d71ba2739c9bb680ff67820127a98e00b7de35ecb8e87ca29cc92c4db94

          Download Submit

        • memory/860-52-0x00007FFC008F0000-0x00007FFC00A28000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/860-49-0x000002591CA90000-0x000002591CA97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/860-46-0x00007FFC008F0000-0x00007FFC00A28000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2760-80-0x00007FFC007F0000-0x00007FFC00967000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2760-83-0x000001B24C7B0000-0x000001B24C7B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2760-86-0x00007FFC007F0000-0x00007FFC00967000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2992-6-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-4-0x00000000026F0000-0x00000000026F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2992-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-38-0x00007FFC1EDF0000-0x00007FFC1EE00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2992-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-33-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-36-0x00007FFC1D41A000-0x00007FFC1D41B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2992-37-0x00000000026B0000-0x00000000026B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2992-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4644-69-0x00007FFC00830000-0x00007FFC00962000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4644-66-0x000001B43A9A0000-0x000001B43A9A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4644-63-0x00007FFC00830000-0x00007FFC00962000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5068-39-0x00007FFC108D0000-0x00007FFC10A01000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5068-2-0x00007FFC108D0000-0x00007FFC10A01000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5068-1-0x000002316A780000-0x000002316A787000-memory.dmp

          Filesize

          28KB

          Download