Overview

overview

10

Static

static

3

b01fcdb7f9...18.dll

windows7-x64

10

b01fcdb7f9...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-08-2024 17:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b01fcdb7f976ea702d6ed85384860517_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    b01fcdb7f976ea702d6ed85384860517

  • SHA1

    a98626defa6c2fcdc1f8c94989630b178e4525b5

  • SHA256

    acc1afe396b1cea595c410a56c82f0049395618df8725ff337259994b0d5b486

  • SHA512

    4629219101f8d1b5905a8bc282db82afbb7110a1d5102e4f860f73fdd9588fdec3afb47c954194428a77ae05add3fc8a829c8064b1fcb2d286eb82fa525fedd9

  • SSDEEP

    24576:KuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:S9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b01fcdb7f976ea702d6ed85384860517_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1656
  • C:\Windows\system32\Netplwiz.exe
    C:\Windows\system32\Netplwiz.exe
    1⤵
      PID:2284
    • C:\Users\Admin\AppData\Local\GJCgOKB\Netplwiz.exe
      C:\Users\Admin\AppData\Local\GJCgOKB\Netplwiz.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4296
    • C:\Windows\system32\mblctr.exe
      C:\Windows\system32\mblctr.exe
      1⤵
        PID:2304
      • C:\Users\Admin\AppData\Local\ahiP\mblctr.exe
        C:\Users\Admin\AppData\Local\ahiP\mblctr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3160
      • C:\Windows\system32\SystemPropertiesRemote.exe
        C:\Windows\system32\SystemPropertiesRemote.exe
        1⤵
          PID:3584
        • C:\Users\Admin\AppData\Local\RcpX\SystemPropertiesRemote.exe
          C:\Users\Admin\AppData\Local\RcpX\SystemPropertiesRemote.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:556

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\GJCgOKB\NETPLWIZ.dll
          Filesize

          1.2MB

          MD5

          62f0510391fd3142250f153f972f9929

          SHA1

          7e22129514907fcd4d04a76c441bbc8d74441b18

          SHA256

          d20db7ec37b68b49f608fc4be0211f00745a7369832a42c3073719227ddddb6a

          SHA512

          b9f93571cd5cc520b022bc61e562d7421e8df57ab2ad7ac36997a28d20587e7aa7220b5ff7a24998aa932250de737eca3649f605247fce980645440398779ecb

          Download Submit

        • C:\Users\Admin\AppData\Local\GJCgOKB\Netplwiz.exe
          Filesize

          40KB

          MD5

          520a7b7065dcb406d7eca847b81fd4ec

          SHA1

          d1b3b046a456630f65d482ff856c71dfd2f335c8

          SHA256

          8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d

          SHA512

          7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

          Download Submit

        • C:\Users\Admin\AppData\Local\RcpX\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          1cd7cae845597609fddd107b25b303b1

          SHA1

          9a9320f944a9ec2dacb832b763665d9b85d9fbf4

          SHA256

          8dac39f0e07fa0e6072905f514d3469e39924482eb5f06ae6fc047160741c71c

          SHA512

          64dc0fe93d7b7c3c5b8e4e646321eb1c796ff2d59fa8a19d8b338d4eb035f138eaf4e2178dbfdc2a8f9dc37df916d11e4df4267e0591021610ab0d43de7f3fef

          Download Submit

        • C:\Users\Admin\AppData\Local\RcpX\SystemPropertiesRemote.exe
          Filesize

          82KB

          MD5

          cdce1ee7f316f249a3c20cc7a0197da9

          SHA1

          dadb23af07827758005ec0235ac1573ffcea0da6

          SHA256

          7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

          SHA512

          f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

          Download Submit

        • C:\Users\Admin\AppData\Local\ahiP\WINMM.dll
          Filesize

          1.2MB

          MD5

          918328419f4f5a89b57c8ee8cbfd2f0c

          SHA1

          923658d07272c789d09bbf99e7f2b097fbe71c7e

          SHA256

          20587091903cec21790571d1ef9c7cac46d7e17d60ad2d450cd8acd9bf599928

          SHA512

          1419b30423a619fb8ec8af5fdfc3c62fbda36633a94f72affeacbafe5468ba9f3ca5ae5dd6ef525df122496e33d19d897f2ad7f086e3c75fec07a1d5a4b95fe0

          Download Submit

        • C:\Users\Admin\AppData\Local\ahiP\mblctr.exe
          Filesize

          790KB

          MD5

          d3db14eabb2679e08020bcd0c96fa9f6

          SHA1

          578dca7aad29409634064579d269e61e1f07d9dd

          SHA256

          3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

          SHA512

          14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk
          Filesize

          1KB

          MD5

          d5e677145666deb046552842c528f95c

          SHA1

          b7dc125ad930f1aa6d6211b17a0cf640c945eaf3

          SHA256

          091ca19c610953f304545d42f205d1a8ba928e2aabe1c3d7d646f2eaeb38ab60

          SHA512

          4f33cf85bb6190a72e575440d073e07504bd02d8508fa57ff6f867f7bd2cacac639e56960f3b9ac10a25f2b3626f66df594a3370eb364df27f982e985fad2c16

          Download Submit

        • memory/556-85-0x00007FFA80600000-0x00007FFA80731000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/556-79-0x000002B962D80000-0x000002B962D87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1656-0-0x00007FFA8F930000-0x00007FFA8FA60000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1656-38-0x00007FFA8F930000-0x00007FFA8FA60000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1656-3-0x000001CF1D600000-0x000001CF1D607000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3160-65-0x000002529CFB0000-0x000002529CFB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3160-62-0x00007FFA80600000-0x00007FFA80732000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3160-68-0x00007FFA80600000-0x00007FFA80732000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-4-0x0000000003590000-0x0000000003591000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3512-24-0x00007FFA9C14A000-0x00007FFA9C14B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3512-34-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-6-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-23-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3512-25-0x0000000003570000-0x0000000003577000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3512-37-0x00007FFA9DF90000-0x00007FFA9DFA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4296-51-0x00007FFA80600000-0x00007FFA80731000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4296-48-0x000001875A250000-0x000001875A257000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4296-45-0x00007FFA80600000-0x00007FFA80731000-memory.dmp

          Filesize

          1.2MB

          Download