Overview

overview

10

Static

static

3

b0b3677fee...18.dll

windows7-x64

10

b0b3677fee...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-08-2024 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0b3677fee7f89faf693ca213d5a015d_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    b0b3677fee7f89faf693ca213d5a015d

  • SHA1

    ef0d03cc3e7ca79436e44f139ccee4e5d065a1ed

  • SHA256

    e830844dc22da54e71775c667850099c419ea975fd46ae52ac0773851674d20e

  • SHA512

    351cc8237892250cf03be76334365d619aeb23c2876afcd16f47d7b5004c4ea3359dda729cd9fe0e7234734c70896cd1dd77a0cad54d7734254f718a1473638e

  • SSDEEP

    24576:vuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:R9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0b3677fee7f89faf693ca213d5a015d_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4840
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    1⤵
      PID:4072
    • C:\Users\Admin\AppData\Local\9GN6Pa\raserver.exe
      C:\Users\Admin\AppData\Local\9GN6Pa\raserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3208
    • C:\Windows\system32\SysResetErr.exe
      C:\Windows\system32\SysResetErr.exe
      1⤵
        PID:4844
      • C:\Users\Admin\AppData\Local\vCIGG\SysResetErr.exe
        C:\Users\Admin\AppData\Local\vCIGG\SysResetErr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2296
      • C:\Windows\system32\SysResetErr.exe
        C:\Windows\system32\SysResetErr.exe
        1⤵
          PID:3024
        • C:\Users\Admin\AppData\Local\ekBZzC\SysResetErr.exe
          C:\Users\Admin\AppData\Local\ekBZzC\SysResetErr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1416

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9GN6Pa\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          e04504b17012d50faefbd8702c4e0b2f

          SHA1

          873f4323824d4d82c057dc84662751ba372a260e

          SHA256

          4a7b0d5e41b9b5565d3fa615ae0810c2a0ba23587a332ddeb96ebbf1c721eb06

          SHA512

          e0a00a7ee75bfad39fba493e8476f90c8fa38be9074038a9fee4bd92fc4e55f12c4c5bbc88446bf481424d91835f6f19b06f824c025a1f811d7ef2678895bd1f

          Download Submit

        • C:\Users\Admin\AppData\Local\9GN6Pa\raserver.exe
          Filesize

          132KB

          MD5

          d1841c6ee4ea45794ced131d4b68b60e

          SHA1

          4be6d2116060d7c723ac2d0b5504efe23198ea01

          SHA256

          38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

          SHA512

          d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

          Download Submit

        • C:\Users\Admin\AppData\Local\ekBZzC\DUI70.dll
          Filesize

          1.4MB

          MD5

          552b10faae9156c5c3f9235b4c09a21b

          SHA1

          16624110fb4657c5499d9f44cdd20877ef98acc4

          SHA256

          39bab8ec70ad5fde5db2250cae4864f81769343cb024f560b8c70d4788e9b7ab

          SHA512

          f6804e967b21e500d039949ce3f4a345c3850a2c28b47793eb198b34ca5eaa0b62e47c350b1e929eb05cbb30078c6784d7ce07ace2efcc74d595abc1ab5503c1

          Download Submit

        • C:\Users\Admin\AppData\Local\vCIGG\DUI70.dll
          Filesize

          1.4MB

          MD5

          07840f4e317b2673b60ca7d7a1ec1b0a

          SHA1

          9397b6e93f7cc529f31b5109938a1d53c8f6d503

          SHA256

          7d8f11d10b0112249008699aa2f3d996caa55ef2f832cdec0b3d9860ba6702ce

          SHA512

          b5c231d6ebf0d7b2fb002b36e7a3228e8a2296a936cd092e76a757e16c3940c0fd7990e2b3a15d20d9156e319d5687eccb839757a432e425fdb3c550762cc510

          Download Submit

        • C:\Users\Admin\AppData\Local\vCIGG\SysResetErr.exe
          Filesize

          41KB

          MD5

          090c6f458d61b7ddbdcfa54e761b8b57

          SHA1

          c5a93e9d6eca4c3842156cc0262933b334113864

          SHA256

          a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

          SHA512

          c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mcinmsnhewplgza.lnk
          Filesize

          1KB

          MD5

          adb9320486d9e1b2b84d0744b2eb7b15

          SHA1

          035d986064212be34c526c05929322e6b1ca2d7e

          SHA256

          ed5ca3c2ada580929366a140020e80a80c6f3efabc9ac3c12b1135e05091d8a1

          SHA512

          928c6d70560800d3990cf734584567bc2f5c202f5ead99994bfdb6e272e5e91ef9397ee8720fb90fe9f3f240e9904c5d34f59d2b3a5435a0defb4bf19290e791

          Download Submit

        • memory/1416-82-0x000002C9DAD60000-0x000002C9DAD67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1416-85-0x00007FF886D60000-0x00007FF886ED6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2296-65-0x000001D75DE90000-0x000001D75DE97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2296-62-0x00007FF886D60000-0x00007FF886ED6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2296-68-0x00007FF886D60000-0x00007FF886ED6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3208-51-0x00007FF8870B0000-0x00007FF8871E1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3208-48-0x000002374BA20000-0x000002374BA27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3208-45-0x00007FF8870B0000-0x00007FF8871E1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-6-0x00007FF8A374A000-0x00007FF8A374B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-4-0x0000000007F20000-0x0000000007F21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-28-0x0000000007F00000-0x0000000007F07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3444-29-0x00007FF8A5210000-0x00007FF8A5220000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3444-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4840-0-0x00007FF8963C0000-0x00007FF8964F0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4840-38-0x00007FF8963C0000-0x00007FF8964F0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4840-3-0x000002D355100000-0x000002D355107000-memory.dmp

          Filesize

          28KB

          Download