Overview

overview

10

Static

static

3

a26e9ff518...18.dll

windows7-x64

10

a26e9ff518...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-08-2024 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a26e9ff518e0a7dcb126011e6236057a_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    a26e9ff518e0a7dcb126011e6236057a

  • SHA1

    e091c8effd602b07c71fc1a3aa7bf3ea81302b0f

  • SHA256

    fd8a212a919eac3265b57d306f28a39c130b445c81776bec3488c009dad0b51f

  • SHA512

    9ad562df0826fb24e9aecf56a22bda8b666c7820e177e686ab2a7ef32b4d6081f1de7dc855fec328d026bf7bb6fee458b8cb46203481604e9b1d996daa0971b5

  • SSDEEP

    24576:OuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:u9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a26e9ff518e0a7dcb126011e6236057a_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1592
  • C:\Windows\system32\RecoveryDrive.exe
    C:\Windows\system32\RecoveryDrive.exe
    1⤵
      PID:556
    • C:\Users\Admin\AppData\Local\tr5tLMK\RecoveryDrive.exe
      C:\Users\Admin\AppData\Local\tr5tLMK\RecoveryDrive.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4000
    • C:\Windows\system32\PresentationSettings.exe
      C:\Windows\system32\PresentationSettings.exe
      1⤵
        PID:1644
      • C:\Users\Admin\AppData\Local\Jlkf\PresentationSettings.exe
        C:\Users\Admin\AppData\Local\Jlkf\PresentationSettings.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2124
      • C:\Windows\system32\mblctr.exe
        C:\Windows\system32\mblctr.exe
        1⤵
          PID:1120
        • C:\Users\Admin\AppData\Local\PPk5P\mblctr.exe
          C:\Users\Admin\AppData\Local\PPk5P\mblctr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2412

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Jlkf\PresentationSettings.exe
          Filesize

          219KB

          MD5

          790799a168c41689849310f6c15f98fa

          SHA1

          a5d213fc1c71a56de9441b2e35411d83770c01ec

          SHA256

          6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

          SHA512

          8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

          Download Submit

        • C:\Users\Admin\AppData\Local\Jlkf\WINMM.dll
          Filesize

          1.2MB

          MD5

          84e82667305e08da3900835e2341b28c

          SHA1

          4074a00eac1e6b861a47464b201d60c83b2e543d

          SHA256

          ff87027fdfe8e22474fff7cebe1ff32f214ee1b4d8d45fa5d2027f328cbd38a1

          SHA512

          f505220fc37d498489449b797f38a0e947371c8124be1c9fea04ff39a47182836c9226432bf5d2ed96a310fe50a4016412a87736a796844aa5b9aa872f7ad6db

          Download Submit

        • C:\Users\Admin\AppData\Local\PPk5P\WINMM.dll
          Filesize

          1.2MB

          MD5

          b236ed5df38947c91dbca6797b78a815

          SHA1

          ffc61cb833561a9856a75304a169e7d55efe6428

          SHA256

          eafac8a297afe9d038ea794cbf3b18591204edc7cdbd3d65133480c7b8d89f1b

          SHA512

          700e61ff7214a4c5830ee609f65c9c0d41fc4b91358badad111bf0279bf04baca9f88cbdb2c285e2dd9063b5ccceda7eaaddf46a08fa940f1a0a9b69737d0e85

          Download Submit

        • C:\Users\Admin\AppData\Local\PPk5P\mblctr.exe
          Filesize

          790KB

          MD5

          d3db14eabb2679e08020bcd0c96fa9f6

          SHA1

          578dca7aad29409634064579d269e61e1f07d9dd

          SHA256

          3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

          SHA512

          14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

          Download Submit

        • C:\Users\Admin\AppData\Local\tr5tLMK\RecoveryDrive.exe
          Filesize

          911KB

          MD5

          b9b3dc6f2eb89e41ff27400952602c74

          SHA1

          24ae07e0db3ace0809d08bbd039db3a9d533e81b

          SHA256

          630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

          SHA512

          7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

          Download Submit

        • C:\Users\Admin\AppData\Local\tr5tLMK\UxTheme.dll
          Filesize

          1.2MB

          MD5

          494811ad15871f11e9b77fabf43f6072

          SHA1

          5dff8b17b6b21a71275b4ae91f34de34952517b9

          SHA256

          7ed9907c5b4817f46202db6a648baa050341fa15b085a2dca0868cf36c822446

          SHA512

          7abb3e5eeb8e2cffbd37efa0334e4165051b05aa7c9f5b3ed6ce15d7b650f0515327c6b5c867a9d8f08680a6faf4f2ec93e485ac6a15f150a44965c8d19bb69f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk
          Filesize

          1KB

          MD5

          c1299cecac225020b8a9e3ba24d5bb7e

          SHA1

          ec88faec0d21ae0ec9c033c00c53cdaa83f692bb

          SHA256

          6887ea3bc9b6f368ab3f0bda59cce0fd4b857d1d6b933161d04deaa7bd3780f1

          SHA512

          de9d7040d960b7f883651568505ad9febde44e073e29de5c961d8aed53154db9829fbc4c273d030cd812ebc168bc72133614393cb2ea1acb971c95a5b1bcf88a

          Download Submit

        • memory/1592-1-0x00007FFED0EF0000-0x00007FFED1021000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1592-39-0x00007FFED0EF0000-0x00007FFED1021000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1592-0-0x000001C577D40000-0x000001C577D47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2124-69-0x00007FFEC19A0000-0x00007FFEC1AD3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2124-63-0x00007FFEC19A0000-0x00007FFEC1AD3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2124-66-0x0000018C58030000-0x0000018C58037000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2412-85-0x00007FFEC19A0000-0x00007FFEC1AD3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-30-0x00007FFEDF190000-0x00007FFEDF1A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3576-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-4-0x0000000002A50000-0x0000000002A51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3576-5-0x00007FFEDE1FA000-0x00007FFEDE1FB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3576-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-29-0x0000000000C50000-0x0000000000C57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3576-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3576-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4000-52-0x00007FFEC06D0000-0x00007FFEC0802000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4000-49-0x0000027E4F340000-0x0000027E4F347000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4000-46-0x00007FFEC06D0000-0x00007FFEC0802000-memory.dmp

          Filesize

          1.2MB

          Download