Overview

overview

10

Static

static

3

bac626c330...18.dll

windows7-x64

10

bac626c330...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-08-2024 07:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bac626c330c4f54cf739b1840fe180b4_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    bac626c330c4f54cf739b1840fe180b4

  • SHA1

    ac00babc73192095dd0a99e15052dbc94b0076f1

  • SHA256

    d590a58d203fa7da5c807e2bdd946aaf55f04d2413ad267dc07bbc97de70476b

  • SHA512

    7452f661484866a623ab1c1b44c5cec0074f9f642ad6d15c0f3d7f1297dd3c224fa67f59d9e626627374ad4a57fdc1bb8be2a5e89a8f5a91cb3ef5d8732de942

  • SSDEEP

    24576:uuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:O9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bac626c330c4f54cf739b1840fe180b4_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4584
  • C:\Windows\system32\SysResetErr.exe
    C:\Windows\system32\SysResetErr.exe
    1⤵
      PID:5064
    • C:\Users\Admin\AppData\Local\C0ZdB\SysResetErr.exe
      C:\Users\Admin\AppData\Local\C0ZdB\SysResetErr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3160
    • C:\Windows\system32\rstrui.exe
      C:\Windows\system32\rstrui.exe
      1⤵
        PID:3228
      • C:\Users\Admin\AppData\Local\368OSEjus\rstrui.exe
        C:\Users\Admin\AppData\Local\368OSEjus\rstrui.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3968
      • C:\Windows\system32\WindowsActionDialog.exe
        C:\Windows\system32\WindowsActionDialog.exe
        1⤵
          PID:1752
        • C:\Users\Admin\AppData\Local\bSAR\WindowsActionDialog.exe
          C:\Users\Admin\AppData\Local\bSAR\WindowsActionDialog.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2984

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\368OSEjus\SPP.dll
          Filesize

          1.2MB

          MD5

          e490035a6d4b952abcc3ebde22cb3b5f

          SHA1

          fc83eff212c320e11b168f6097ee56fd9cf68c33

          SHA256

          a5ab869e25cfa21aae661aeb5700ec8646b28863a4f1e06e78c60e7c3e7306d0

          SHA512

          f783f2465d93f179eddd48e70e308a4d769bd27ee3d5e59348f187e4e3d8e14739dbfa5d5afcc60ba80276963791ee548fa8abb27d85d082b9b83b832586873d

          Download Submit

        • C:\Users\Admin\AppData\Local\368OSEjus\rstrui.exe
          Filesize

          268KB

          MD5

          4cad10846e93e85790865d5c0ab6ffd9

          SHA1

          8a223f4bab28afa4c7ed630f29325563c5dcda1a

          SHA256

          9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

          SHA512

          c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

          Download Submit

        • C:\Users\Admin\AppData\Local\C0ZdB\DUI70.dll
          Filesize

          1.4MB

          MD5

          ef8cbeda2b1df558dce4fa6f6ec0a7b9

          SHA1

          3a0bfcfe3081ffba84bcd625d2051dc016880780

          SHA256

          a767c4dc55e1b37603baccd9be6e0bc5bce7c3c0ea6ad6d23523e3f5e8e2de32

          SHA512

          989b8c7dd227abedde2f34e9e3353e5c553aaeb044983d407d0d04663f34551641a2f6d848d8c964db5207b67abe4089b4af319043b60c26eb4dea50e31cdc38

          Download Submit

        • C:\Users\Admin\AppData\Local\C0ZdB\SysResetErr.exe
          Filesize

          41KB

          MD5

          090c6f458d61b7ddbdcfa54e761b8b57

          SHA1

          c5a93e9d6eca4c3842156cc0262933b334113864

          SHA256

          a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

          SHA512

          c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

          Download Submit

        • C:\Users\Admin\AppData\Local\bSAR\DUI70.dll
          Filesize

          1.4MB

          MD5

          11a4bce680217f72aa00ddc23e0de673

          SHA1

          9a29ad57df54f05f1fb4988115625bae2c528ce2

          SHA256

          d446b3c65db4aa76d3a05ef19e798b1865bdc1caea9beca8bf8e59c2bbb8b0a0

          SHA512

          4d36c7139098807a49887ec2ff83d00e2e1aa1edf7794b2f79292db5624ad562e6bfb6a27a070e411c1218301029b8ff3e2982f2389a66681e541824a10b90cb

          Download Submit

        • C:\Users\Admin\AppData\Local\bSAR\WindowsActionDialog.exe
          Filesize

          61KB

          MD5

          73c523b6556f2dc7eefc662338d66f8d

          SHA1

          1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

          SHA256

          0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

          SHA512

          69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mihblavoyj.lnk
          Filesize

          1KB

          MD5

          5846370700aaa39e2135e4a514e68a45

          SHA1

          663c20b95e2dea20ac288dc0b1ca955b2d6d396a

          SHA256

          30bec11f51d68ecd805fb7c0bd0a0d692fc0ac94aff96dea632a0cb9c467d5aa

          SHA512

          1578773ff99948cf199e6da83c55b8e96f4d77dd70df2b631e65bf4736527a0c59287d9a6718f28924e897ebb1687c43f537966565a40ee9bda97c4c8a4330ea

          Download Submit

        • memory/2984-82-0x00007FFAB1CA0000-0x00007FFAB1E17000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2984-81-0x00000207EEAF0000-0x00000207EEAF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2984-87-0x00007FFAB1CA0000-0x00007FFAB1E17000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3160-53-0x00007FFAB1D00000-0x00007FFAB1E77000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3160-48-0x00007FFAB1D00000-0x00007FFAB1E77000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3160-47-0x000002BEB8850000-0x000002BEB8857000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3420-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3420-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3420-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3420-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3420-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3420-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3420-4-0x0000000008690000-0x0000000008691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3420-6-0x00007FFAC45FA000-0x00007FFAC45FB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3420-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3420-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3420-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3420-34-0x0000000008670000-0x0000000008677000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3420-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3420-35-0x00007FFAC5850000-0x00007FFAC5860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3420-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3420-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3420-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3968-64-0x00007FFAB1C60000-0x00007FFAB1D92000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3968-70-0x00007FFAB1C60000-0x00007FFAB1D92000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3968-65-0x000001A256B20000-0x000001A256B27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4584-1-0x00007FFAB6600000-0x00007FFAB6731000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4584-40-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4584-39-0x00007FFAB6600000-0x00007FFAB6731000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4584-3-0x00007FFAC5870000-0x00007FFAC5A65000-memory.dmp

          Filesize

          2.0MB

          Download