Overview

overview

10

Static

static

3

a908ca5262...18.dll

windows7-x64

10

a908ca5262...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-08-2024 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a908ca52629cfab8057cb8d662b488b1_JaffaCakes118.dll

  • Size

    909KB

  • MD5

    a908ca52629cfab8057cb8d662b488b1

  • SHA1

    29d811439833907b69f1a6c2b09c95f499f52038

  • SHA256

    139721b2a97521b2eea00f077fd1e95eb0859296937b1579b0223e8e16b5c628

  • SHA512

    a2bb59d5211b2e08e4b277c78c9470580828726efcf39548a7b6b9ca51afa12c487abdfbd7762f45b2f7be2bdad357d9026c2a59f8558625c36f1508cf8db29b

  • SSDEEP

    12288:Late3r/6VSBuehNcvwh8zqv8gxLBkVHUR8LlRYchYN7QBAs2bh:LN3r/fHhSv3zqvRLBCHUyj7BA

Score
10/10
dridexbotnetevasionloaderpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Loader 'dmod' strings 10 IoCs

    Detects 'dmod' strings in Dridex loader.

    botnetloader
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a908ca52629cfab8057cb8d662b488b1_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3364
  • C:\Windows\system32\eudcedit.exe
    C:\Windows\system32\eudcedit.exe
    1⤵
      PID:3556
    • C:\Users\Admin\AppData\Local\HErhszWN\eudcedit.exe
      C:\Users\Admin\AppData\Local\HErhszWN\eudcedit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:5000
    • C:\Windows\system32\msra.exe
      C:\Windows\system32\msra.exe
      1⤵
        PID:3416
      • C:\Users\Admin\AppData\Local\9xro5K\msra.exe
        C:\Users\Admin\AppData\Local\9xro5K\msra.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3112
      • C:\Windows\system32\DevicePairingWizard.exe
        C:\Windows\system32\DevicePairingWizard.exe
        1⤵
          PID:1568
        • C:\Users\Admin\AppData\Local\TMq\DevicePairingWizard.exe
          C:\Users\Admin\AppData\Local\TMq\DevicePairingWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:5040

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9xro5K\NDFAPI.DLL
          Filesize

          910KB

          MD5

          f923d4e02f2f4167274c466a67cda81d

          SHA1

          142c9a46f1af6d07d9a768b06617001352d1d709

          SHA256

          12acba0bdd3b3fce7d989dc47bf933584b918d63997013d85a10a0fd089423e3

          SHA512

          4f40131aa84c8d591d41b16d92c14d7cb058801a03d1b09d3af68d8db5c8092fd76392262ef46d45b35aa075d8c4bb8f0016613b421bd322d99ccc793899f916

          Download Submit

        • C:\Users\Admin\AppData\Local\9xro5K\msra.exe
          Filesize

          579KB

          MD5

          dcda3b7b8eb0bfbccb54b4d6a6844ad6

          SHA1

          316a2925e451f739f45e31bc233a95f91bf775fa

          SHA256

          011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

          SHA512

          18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

          Download Submit

        • C:\Users\Admin\AppData\Local\HErhszWN\MFC42u.dll
          Filesize

          937KB

          MD5

          0e390087ddbc66b7cbefa1fb442bbb7d

          SHA1

          12b03bffbff75248c66d98024b5f90edbc7aa194

          SHA256

          5f9489f1e1bc5832c6d6bd366f6e2428042dbd9ec0ccdb01febb34c0422d38cc

          SHA512

          eaef7f3bda24e3ceee87ae0110e32e877440ef5fd59424363ae2f4e4fa9c4ee085c0b257c8e730e5691a25ebea085c39fd8ea307513c9a2666c437d6a1be7898

          Download Submit

        • C:\Users\Admin\AppData\Local\HErhszWN\eudcedit.exe
          Filesize

          365KB

          MD5

          a9de6557179d371938fbe52511b551ce

          SHA1

          def460b4028788ded82dc55c36cb0df28599fd5f

          SHA256

          83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

          SHA512

          5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

          Download Submit

        • C:\Users\Admin\AppData\Local\TMq\DevicePairingWizard.exe
          Filesize

          93KB

          MD5

          d0e40a5a0c7dad2d6e5040d7fbc37533

          SHA1

          b0eabbd37a97a1abcd90bd56394f5c45585699eb

          SHA256

          2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

          SHA512

          1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

          Download Submit

        • C:\Users\Admin\AppData\Local\TMq\MFC42u.dll
          Filesize

          937KB

          MD5

          43b3bce31fc1937bbf0950ff0b36f8b8

          SHA1

          5fa022657ab0fffb375c665955691bb68a149c0b

          SHA256

          29cf2c79719d413801e47edb7dd000c4ced2e030870092e58d0145bd53105877

          SHA512

          49f1f40187569eb9e93e2457df9f4ee772d1efd3831acbf2fdc21a374551efa783991dd59b7ab19dc88551a3cf370e983433a271b50659c702c5e70cb1e57d8b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piobvoh.lnk
          Filesize

          1KB

          MD5

          86a952590657ef65082aea285dad2216

          SHA1

          950a2e2900f54e10972ac72e8b5a24ccfb1c2abf

          SHA256

          07016cbcf2dd14e8820ccca59de8a178e32684273e3f92a000091bed2594879a

          SHA512

          04049783a88889857a3b2db840dc3149137ac15fa5f464b996a40b4549457b5973d952b29b0e0017200615e3cfb5aa1628fbf13c249fb573987c6b6ba5087e09

          Download Submit

        • memory/3112-65-0x000001560F100000-0x000001560F107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3112-62-0x00007FFAE7FF0000-0x00007FFAE80DA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3112-68-0x00007FFAE7FF0000-0x00007FFAE80DA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3364-0-0x0000000002140000-0x0000000002147000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3364-38-0x00007FFAEC350000-0x00007FFAEC439000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3364-2-0x00007FFAEC350000-0x00007FFAEC439000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-24-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-29-0x00007FFAF6AF0000-0x00007FFAF6B00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3524-10-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-7-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-15-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-9-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-8-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-12-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-13-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-17-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-6-0x00007FFAF656A000-0x00007FFAF656B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3524-4-0x0000000008450000-0x0000000008451000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3524-16-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-18-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-35-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-28-0x00000000083F0000-0x00000000083F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3524-11-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/3524-14-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/5000-51-0x00007FFAE7FF0000-0x00007FFAE80E0000-memory.dmp

          Filesize

          960KB

          Download

        • memory/5000-46-0x00007FFAE7FF0000-0x00007FFAE80E0000-memory.dmp

          Filesize

          960KB

          Download

        • memory/5000-45-0x000001CB80050000-0x000001CB80057000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5040-79-0x0000023B22B40000-0x0000023B22B47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5040-85-0x00007FFAE7FF0000-0x00007FFAE80E0000-memory.dmp

          Filesize

          960KB

          Download