Overview

overview

10

Static

static

3

b79de8bd57...18.dll

windows7-x64

10

b79de8bd57...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-08-2024 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b79de8bd575fd4c340b9fa4352696533_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    b79de8bd575fd4c340b9fa4352696533

  • SHA1

    7e1b2fab1003993cb117cae87b239b42e657a56d

  • SHA256

    5f809c22a4793c5f79ce37d5621580998d890837537e420d638ef1681964220d

  • SHA512

    1d573f55c41b7315076e602eccc5a5830fc284e63df96863350c19cb21f363703759ab404a324298ee9c4731b9399041814c5d53e194f15bc21c486118cf5d0a

  • SSDEEP

    24576:vuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:R9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b79de8bd575fd4c340b9fa4352696533_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1884
  • C:\Windows\system32\rdpshell.exe
    C:\Windows\system32\rdpshell.exe
    1⤵
      PID:4496
    • C:\Users\Admin\AppData\Local\CUyNSRND\rdpshell.exe
      C:\Users\Admin\AppData\Local\CUyNSRND\rdpshell.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4120
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe
      1⤵
        PID:1688
      • C:\Users\Admin\AppData\Local\tY2WGyM2s\mmc.exe
        C:\Users\Admin\AppData\Local\tY2WGyM2s\mmc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4944
      • C:\Windows\system32\SystemPropertiesRemote.exe
        C:\Windows\system32\SystemPropertiesRemote.exe
        1⤵
          PID:1856
        • C:\Users\Admin\AppData\Local\2s6\SystemPropertiesRemote.exe
          C:\Users\Admin\AppData\Local\2s6\SystemPropertiesRemote.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1880
        • C:\Windows\system32\SppExtComObj.Exe
          C:\Windows\system32\SppExtComObj.Exe
          1⤵
            PID:772
          • C:\Users\Admin\AppData\Local\YoTWRgkj\SppExtComObj.Exe
            C:\Users\Admin\AppData\Local\YoTWRgkj\SppExtComObj.Exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:3300

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\2s6\SYSDM.CPL
            Filesize

            1.2MB

            MD5

            65183ca7e7dc1d2a3de180faa80f5403

            SHA1

            515414389eddc2d03741ae72615e0652e1849939

            SHA256

            83dba18f640fe71b92d8e0fd74b5477b9500cd66beb4bc7c661aa88afe36ed74

            SHA512

            b0c233ad5d5535bf7954cca01e05a1b85a50798d25690059b272c2d74deb27ff1085755e41edc7b47394757591c0cc90742df28458d1379cfa32b79af53d9c67

            Download Submit

          • C:\Users\Admin\AppData\Local\2s6\SystemPropertiesRemote.exe
            Filesize

            82KB

            MD5

            cdce1ee7f316f249a3c20cc7a0197da9

            SHA1

            dadb23af07827758005ec0235ac1573ffcea0da6

            SHA256

            7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

            SHA512

            f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

            Download Submit

          • C:\Users\Admin\AppData\Local\CUyNSRND\dwmapi.dll
            Filesize

            1.2MB

            MD5

            d26c67d5ee37f89a5ff1d428f109633a

            SHA1

            1574ed33d384ddc8664bcf9e05bb5a4e16f8cd29

            SHA256

            5226fbbc5d4bdb028bf8061d411f83d381d98c154b5a41871d88582b50e3df4a

            SHA512

            d59eb5501433d12235dacc12d6095048ccdf95b45ec52a5e7862b420019454fda7a12aeed240fb28d75227baf2e41352fb1a328227fbb0366b0d25659abd7739

            Download Submit

          • C:\Users\Admin\AppData\Local\CUyNSRND\rdpshell.exe
            Filesize

            468KB

            MD5

            428066713f225bb8431340fa670671d4

            SHA1

            47f6878ff33317c3fc09c494df729a463bda174c

            SHA256

            da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

            SHA512

            292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

            Download Submit

          • C:\Users\Admin\AppData\Local\YoTWRgkj\ACTIVEDS.dll
            Filesize

            1.2MB

            MD5

            e372f9f681bdc2a361dd62ef7caed8fd

            SHA1

            c26405a17b81a0c75f3dc0a604625da4ecb1d9f2

            SHA256

            56ee9db744abff04d8d4064a724e159b566332f0e99b1719021a80368e11135a

            SHA512

            163e14b0c28c5046890e5e303c6bfe581fa6f8de83961ddb7e0f1be1efccc153086d94c52cbde4b4ae47103cc6b533e401d47fa1f1a14a33090bdab5ea421896

            Download Submit

          • C:\Users\Admin\AppData\Local\YoTWRgkj\SppExtComObj.Exe
            Filesize

            559KB

            MD5

            728a78909aa69ca0e976e94482350700

            SHA1

            6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

            SHA256

            2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

            SHA512

            22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

            Download Submit

          • C:\Users\Admin\AppData\Local\tY2WGyM2s\MFC42u.dll
            Filesize

            1.2MB

            MD5

            44f89e03da9ab3c8285fb1e519f7e7e4

            SHA1

            58857b0ad5ec74e53012bba3be266eecbc6c817b

            SHA256

            fd0ef4519a7782f29e4ce064302fd2868dc4b094ff71acf7f9f75ca9cb0e0f7f

            SHA512

            b8ba19535dd7e287d8bd2e579d6533aa61bfdb9da0336ec0b1dfed450bbe60b5d28f24fd01129c7eca99af6bdf77395f1dc3755d528387718b34582d7d6befd6

            Download Submit

          • C:\Users\Admin\AppData\Local\tY2WGyM2s\mmc.exe
            Filesize

            1.8MB

            MD5

            8c86b80518406f14a4952d67185032d6

            SHA1

            9269f1fbcf65fefbc88a2e239519c21efe0f6ba5

            SHA256

            895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a

            SHA512

            1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mcinmsnhewplgza.lnk
            Filesize

            1KB

            MD5

            c634d5365af1ba3853355c371b1f37d4

            SHA1

            58817b920b651f87432d1b3b297663f3f3722c7b

            SHA256

            c3fcfe40191a5c624cad274fb478439e42fb059dd6938fb6f8a072a27e0cfee0

            SHA512

            60d52215fa95eff218b2e257aaca622fa5eb6324b5a93c8a53f76dcc6e6e97808435ed79983ba130edaac4d4a96c003dab9c7361aa08d3fab82a711f3ff21c76

            Download Submit

          • memory/1880-80-0x00007FFF2AE30000-0x00007FFF2AF61000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1880-77-0x0000025FF5AD0000-0x0000025FF5AD7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1884-0-0x0000024A15390000-0x0000024A15397000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1884-38-0x00007FFF3AF90000-0x00007FFF3B0C0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1884-1-0x00007FFF3AF90000-0x00007FFF3B0C0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3300-96-0x00007FFF2AE30000-0x00007FFF2AF61000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-16-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-4-0x0000000002920000-0x0000000002921000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3524-7-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-9-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-24-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-10-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-8-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-35-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-5-0x00007FFF4941A000-0x00007FFF4941B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3524-12-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-13-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-11-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-14-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-29-0x00007FFF495D0000-0x00007FFF495E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3524-15-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3524-28-0x0000000000740000-0x0000000000747000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4120-45-0x0000029A34B10000-0x0000029A34B17000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4120-51-0x00007FFF2AE30000-0x00007FFF2AF61000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4120-46-0x00007FFF2AE30000-0x00007FFF2AF61000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4944-67-0x00007FFF2ADD0000-0x00007FFF2AF07000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4944-64-0x00007FFF2ADD0000-0x00007FFF2AF07000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4944-63-0x0000000002380000-0x0000000002387000-memory.dmp

            Filesize

            28KB

            Download