Overview

overview

10

Static

static

3

afb00d3860...18.dll

windows7-x64

10

afb00d3860...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-08-2024 14:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afb00d38603a12de72531ad560e85254_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    afb00d38603a12de72531ad560e85254

  • SHA1

    f7b662d6bfbf3821b03f572deec18a07b7e8f175

  • SHA256

    c51312f6ea110b81ae4ddec3ee994b9cd14b800568ab4e0e99a903f4c77fb9aa

  • SHA512

    b6993eff1aa74e7b4f03882b20759469eb807511f4c9d02fdc939a44b1ff04b7217dd80037a8caa205c9d784cad6d840a5867026f84bbd3390ad63cc12b903d2

  • SSDEEP

    24576:uuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:O9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\afb00d38603a12de72531ad560e85254_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2912
  • C:\Windows\system32\tabcal.exe
    C:\Windows\system32\tabcal.exe
    1⤵
      PID:3648
    • C:\Users\Admin\AppData\Local\GxTiIj\tabcal.exe
      C:\Users\Admin\AppData\Local\GxTiIj\tabcal.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2488
    • C:\Windows\system32\EhStorAuthn.exe
      C:\Windows\system32\EhStorAuthn.exe
      1⤵
        PID:2828
      • C:\Users\Admin\AppData\Local\zaKjgs\EhStorAuthn.exe
        C:\Users\Admin\AppData\Local\zaKjgs\EhStorAuthn.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3828
      • C:\Windows\system32\bdechangepin.exe
        C:\Windows\system32\bdechangepin.exe
        1⤵
          PID:4504
        • C:\Users\Admin\AppData\Local\qg9Eg\bdechangepin.exe
          C:\Users\Admin\AppData\Local\qg9Eg\bdechangepin.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2348

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\GxTiIj\HID.DLL
          Filesize

          1.2MB

          MD5

          c8b69a633d1e7e71bb9a49c08dcd059b

          SHA1

          db4dbb2144e136041ccbb4bdba0e95dd24593ebe

          SHA256

          84fb038115758cf95ecd75cc8c8d49396d732bb6b8a57947fe06c0ebd0bc714f

          SHA512

          783b76061351c119d59ce2d3bb4cba399388a63a0578b9f9976de865984d87b95524b94b113f804171de722f0127534503e05ee3514906523d4b9d8bbc83fd3c

          Download Submit

        • C:\Users\Admin\AppData\Local\GxTiIj\tabcal.exe
          Filesize

          84KB

          MD5

          40f4014416ff0cbf92a9509f67a69754

          SHA1

          1798ff7324724a32c810e2075b11c09b41e4fede

          SHA256

          f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

          SHA512

          646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

          Download Submit

        • C:\Users\Admin\AppData\Local\qg9Eg\DUI70.dll
          Filesize

          1.4MB

          MD5

          fc0c9263528ff75c533bfdf72a939d69

          SHA1

          f8d73e90af54c62c6dd3e5d0f86c72248e9971b4

          SHA256

          0a8f9d86062a58308cdf2bfe787a773cd819d330de67703f5a03973c01edb332

          SHA512

          d9c14f42ec3217ef9bc04c86cf6917b7faa4cb427facfec9f3efc1365d2586dbc988475078512b9aa487f8e419780ea3a9237e53adbe240e250e6f46f3cd0b60

          Download Submit

        • C:\Users\Admin\AppData\Local\qg9Eg\bdechangepin.exe
          Filesize

          373KB

          MD5

          601a28eb2d845d729ddd7330cbae6fd6

          SHA1

          5cf9f6f9135c903d42a7756c638333db8621e642

          SHA256

          4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

          SHA512

          1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

          Download Submit

        • C:\Users\Admin\AppData\Local\zaKjgs\EhStorAuthn.exe
          Filesize

          128KB

          MD5

          d45618e58303edb4268a6cca5ec99ecc

          SHA1

          1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

          SHA256

          d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

          SHA512

          5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

          Download Submit

        • C:\Users\Admin\AppData\Local\zaKjgs\UxTheme.dll
          Filesize

          1.2MB

          MD5

          87a2adc3456c7010aafe78952e3e88d7

          SHA1

          d85a676cb42a62d5feef29e944c7e5ea8865c146

          SHA256

          b486312265046dd4f3adbd5838031afde8b8e03f7910b7994ba506b9ccc0043f

          SHA512

          ffda1b58e01fac67dca82cc73ace00d127cac270d86d2f6ce1634867fadd174f7a8067fcf799c353ccfeee01daabd2a017d756a96c4caa83dca7e54e501d0343

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mihblavoyj.lnk
          Filesize

          1KB

          MD5

          f3d0075ec704bcb2f0e315f7fa74bc04

          SHA1

          6f4038fa2f028c52fc36b919185893b6d2a2135d

          SHA256

          2de7c955af4e9bbd293f1d7291ff60c02d3346df12bfea467eb5966c19c45b52

          SHA512

          c47f0a1d121464d3adb34c8e7e7670207da51f1f51f4186d6646e8cd64bc354e06f8c00e6d3da68da0ebf01f0333fd10d81b218ee9252991b0aff4238c5ca79e

          Download Submit

        • memory/2348-86-0x00007FFA7C210000-0x00007FFA7C387000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2348-83-0x000001F166050000-0x000001F166057000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2348-80-0x00007FFA7C210000-0x00007FFA7C387000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2488-47-0x00007FFA7C250000-0x00007FFA7C382000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2488-52-0x00007FFA7C250000-0x00007FFA7C382000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2488-46-0x000001815A8D0000-0x000001815A8D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2912-39-0x00007FFA8B4B0000-0x00007FFA8B5E1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2912-0-0x0000021F49960000-0x0000021F49967000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2912-1-0x00007FFA8B4B0000-0x00007FFA8B5E1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-29-0x0000000002DD0000-0x0000000002DD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3400-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-30-0x00007FFA99AD0000-0x00007FFA99AE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3400-5-0x00007FFA9821A000-0x00007FFA9821B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3400-4-0x0000000007430000-0x0000000007431000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3400-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3828-69-0x00007FFA7C250000-0x00007FFA7C382000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3828-63-0x00000270A6C90000-0x00000270A6C97000-memory.dmp

          Filesize

          28KB

          Download