Overview

overview

10

Static

static

3

c1fad4e897...18.dll

windows7-x64

10

c1fad4e897...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-08-2024 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1fad4e897cfb353e662f497347789ac_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    c1fad4e897cfb353e662f497347789ac

  • SHA1

    a99d03b2b5f0cb26545802db4e02bc084167538b

  • SHA256

    8bf41e771cc975937d4117383a49b019d875fe2dcae707a9c85962982a31e608

  • SHA512

    0249475d0007c2ebdc99cf646c0172654df481d3be3b6821d27110ed444af2eab1ec1451df24e30afae68e3f2a098d358af877790833ee6993d041d4aff9eb2c

  • SSDEEP

    24576:xuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nd:j9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c1fad4e897cfb353e662f497347789ac_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2876
  • C:\Windows\system32\bdechangepin.exe
    C:\Windows\system32\bdechangepin.exe
    1⤵
      PID:320
    • C:\Users\Admin\AppData\Local\440FuDV\bdechangepin.exe
      C:\Users\Admin\AppData\Local\440FuDV\bdechangepin.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4344
    • C:\Windows\system32\wbengine.exe
      C:\Windows\system32\wbengine.exe
      1⤵
        PID:3176
      • C:\Users\Admin\AppData\Local\jH6dM\wbengine.exe
        C:\Users\Admin\AppData\Local\jH6dM\wbengine.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2656
      • C:\Windows\system32\LicensingUI.exe
        C:\Windows\system32\LicensingUI.exe
        1⤵
          PID:1976
        • C:\Users\Admin\AppData\Local\pTLzuRyDt\LicensingUI.exe
          C:\Users\Admin\AppData\Local\pTLzuRyDt\LicensingUI.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3920

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\440FuDV\DUI70.dll
          Filesize

          1.5MB

          MD5

          66705648ad1535a0e27ba44fdacaa80d

          SHA1

          97621a2fd0d6f7ad15cd41c668c6fb3f84c06765

          SHA256

          2d2e0ea56dad92d0d4f791a4b322c4ec346e154aacf756a2b99a44f42017552c

          SHA512

          d6dbf56903f4e6a6d25a521b9c6af01a92ba86b61b69b5e5788833a1bdd4fa24cd7f15b590bc3f8eb845c6bb6444f9a17cf46053dd7eb4ab79986ca7603f25a4

          Download Submit

        • C:\Users\Admin\AppData\Local\440FuDV\bdechangepin.exe
          Filesize

          373KB

          MD5

          601a28eb2d845d729ddd7330cbae6fd6

          SHA1

          5cf9f6f9135c903d42a7756c638333db8621e642

          SHA256

          4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

          SHA512

          1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

          Download Submit

        • C:\Users\Admin\AppData\Local\jH6dM\wbengine.exe
          Filesize

          1.5MB

          MD5

          17270a354a66590953c4aac1cf54e507

          SHA1

          715babcc8e46b02ac498f4f06df7937904d9798d

          SHA256

          9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

          SHA512

          6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

          Download Submit

        • C:\Users\Admin\AppData\Local\jH6dM\wer.dll
          Filesize

          1.2MB

          MD5

          411e248c984e4538640c209804f79160

          SHA1

          6f256a0352642de7b24a227297538e32eb415c9b

          SHA256

          15c25978f371a417372a9d20ba12a89f44be68f3c6a56dbfcb4d068f710c9240

          SHA512

          b87b01e42849d7a040c12bc61661e603ffb7688ee0f441050b380fa4a6dd9fc61438d00109e39a4a59e7d3377e829d826a497dc9b5d520d21021e6188f81e55c

          Download Submit

        • C:\Users\Admin\AppData\Local\pTLzuRyDt\DUI70.dll
          Filesize

          1.5MB

          MD5

          0baffd49c682bfd3054b55631341cf96

          SHA1

          0a9a4909f7adc499e6e39d26ac7d0d90ad02facd

          SHA256

          6d7862c2ccbad356a743ea06911b606fb0bc23e3d524b7064d0be0589ab7eb9e

          SHA512

          eca0af4b77f9cfea307776936167793949ec56a42db6254c3e5a998cf99dd15b66dc13af1e2f2e14caaf6cf5d90dab5eaf7eb81a331746b652280476deb986d0

          Download Submit

        • C:\Users\Admin\AppData\Local\pTLzuRyDt\LicensingUI.exe
          Filesize

          142KB

          MD5

          8b4abc637473c79a003d30bb9c7a05e5

          SHA1

          d1cab953c16d4fdec2b53262f56ac14a914558ca

          SHA256

          0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

          SHA512

          5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mihblavoyj.lnk
          Filesize

          1KB

          MD5

          ca84a7b4f4efb59994e7f6592e58e73f

          SHA1

          11837121134c366cb7fde089b456f004eed7921a

          SHA256

          aa4036ea49c6bcedb24b0eefcf3db97a9e6ef554835a57263034fe8ecfb474d6

          SHA512

          ada6b32228b1aab7306838571e75e4bcc70182ef5fb4f535896d32cbf74023d58fee8f69de29215d257fd8c6835e11d74f94baf5b47d793bc0819b55c31a36ca

          Download Submit

        • memory/2656-72-0x00007FFDDA970000-0x00007FFDDAAB8000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2656-66-0x00007FFDDA970000-0x00007FFDDAAB8000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2656-69-0x000001FEBCB90000-0x000001FEBCB97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2876-3-0x0000000000F10000-0x0000000000F17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2876-0-0x00007FFDE9370000-0x00007FFDE94B6000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2876-40-0x00007FFDE9370000-0x00007FFDE94B6000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-9-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-31-0x00007FFDF8050000-0x00007FFDF8060000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3460-10-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-13-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-8-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-16-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-7-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-14-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-17-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-18-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-5-0x0000000002D30000-0x0000000002D31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3460-4-0x00007FFDF72BA000-0x00007FFDF72BB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3460-11-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-26-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-30-0x00000000010E0000-0x00000000010E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3460-37-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-12-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3460-15-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3920-88-0x00007FFDDA930000-0x00007FFDDAABC000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4344-47-0x00007FFDDA930000-0x00007FFDDAABC000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4344-53-0x00007FFDDA930000-0x00007FFDDAABC000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4344-50-0x0000016896D80000-0x0000016896D87000-memory.dmp

          Filesize

          28KB

          Download