Overview

overview

10

Static

static

3

c3c93bcc9d...18.dll

windows7-x64

10

c3c93bcc9d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-08-2024 20:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3c93bcc9d7cf09e654aed755118dc42_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    c3c93bcc9d7cf09e654aed755118dc42

  • SHA1

    c0fa398ff4e417f227437ac86c2c413ce2780553

  • SHA256

    15fc496e1a8c2e1c17ef2dbf6fa1652413dc871ea598f12b6d1ea8cc4489665a

  • SHA512

    78cd2acaa474107add69b9dda4b927bc5c1ff78fd1e72328b97a02575516ddc93254a093c9580b37b020572a7cceeeebdf8c9f6bf51e778b17c3a3414f92c8a2

  • SSDEEP

    24576:YVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:YV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3c93bcc9d7cf09e654aed755118dc42_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:112
  • C:\Windows\system32\WFS.exe
    C:\Windows\system32\WFS.exe
    1⤵
      PID:3696
    • C:\Users\Admin\AppData\Local\WLjUA\WFS.exe
      C:\Users\Admin\AppData\Local\WLjUA\WFS.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3924
    • C:\Windows\system32\PresentationHost.exe
      C:\Windows\system32\PresentationHost.exe
      1⤵
        PID:1876
      • C:\Users\Admin\AppData\Local\RnCBQxff\PresentationHost.exe
        C:\Users\Admin\AppData\Local\RnCBQxff\PresentationHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:652
      • C:\Windows\system32\InfDefaultInstall.exe
        C:\Windows\system32\InfDefaultInstall.exe
        1⤵
          PID:3392
        • C:\Users\Admin\AppData\Local\LM7\InfDefaultInstall.exe
          C:\Users\Admin\AppData\Local\LM7\InfDefaultInstall.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1764
        • C:\Windows\system32\omadmclient.exe
          C:\Windows\system32\omadmclient.exe
          1⤵
            PID:1684
          • C:\Users\Admin\AppData\Local\Bz97y\omadmclient.exe
            C:\Users\Admin\AppData\Local\Bz97y\omadmclient.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:4488

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Bz97y\XmlLite.dll
            Filesize

            1.2MB

            MD5

            5dc5015e89929764e9ffb763285b0f2d

            SHA1

            b711ca0c834394c4bb45026166d5a7c320528102

            SHA256

            0ea3582c82b02af829ac5bf91d4ff9bb704d9e2d565f1a2aaaa4f18b86a5b69e

            SHA512

            c7d9b548697bc9d4c16b84f892625a53a59f60de455347ecaace1763bb32fe5ae0128066f30594aa56bfe8c5d09a37ce5df2064a245d7181256e0bbb48777d92

            Download Submit

          • C:\Users\Admin\AppData\Local\Bz97y\omadmclient.exe
            Filesize

            425KB

            MD5

            8992b5b28a996eb83761dafb24959ab4

            SHA1

            697ecb33b8ff5b0e73ef29ce471153b368b1b729

            SHA256

            e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

            SHA512

            4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

            Download Submit

          • C:\Users\Admin\AppData\Local\LM7\InfDefaultInstall.exe
            Filesize

            13KB

            MD5

            ee18876c1e5de583de7547075975120e

            SHA1

            f7fcb3d77da74deee25de9296a7c7335916504e3

            SHA256

            e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d

            SHA512

            08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

            Download Submit

          • C:\Users\Admin\AppData\Local\LM7\newdev.dll
            Filesize

            1.2MB

            MD5

            c7a2dc2da89ca529340682e3d9891537

            SHA1

            57b84377e7f95a6532339bfc632e2a441737c32e

            SHA256

            953c3850443a307e47ad21a36dd488fb36265b4a875bf296b9aae023f9afb8d2

            SHA512

            554d28e25970fe94d92ae2c4fc31aad53c774b2efca9a83cb7aa836ec47c5bcd4b6b10d09a8b76a51e90ad0d4d46d95067b1161151e3da810c525bed2e0ac0c1

            Download Submit

          • C:\Users\Admin\AppData\Local\RnCBQxff\PresentationHost.exe
            Filesize

            276KB

            MD5

            ef27d65b92d89e8175e6751a57ed9d93

            SHA1

            7279b58e711b459434f047e9098f9131391c3778

            SHA256

            17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

            SHA512

            40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

            Download Submit

          • C:\Users\Admin\AppData\Local\RnCBQxff\VERSION.dll
            Filesize

            1.2MB

            MD5

            42655843c3644b8731c0e1f26f8033ee

            SHA1

            27d79cbcb319e1fe5860347b58d63efaec12e2f0

            SHA256

            174fb1228b44064cfb3072ca23b575312f0c131882041dfe78d77abfa9b6dded

            SHA512

            8121e0c35859467c73495b47d11dba713b0782d7ac1e4dbd619eec97590cdd61809b1c4f8e9f253108ee7136a17c09b53f16f678c9478ae85d0b0d9180502439

            Download Submit

          • C:\Users\Admin\AppData\Local\WLjUA\MFC42u.dll
            Filesize

            1.3MB

            MD5

            bbf01d8125257132097db818641b74a6

            SHA1

            c17cacb529b586f52660dc2eed257686cf21c2ac

            SHA256

            21306b595629f241a5c959e8641726b2db5ce16da1cd25d81f3811ce95e12f34

            SHA512

            635e1664707681625e0b3e9c2f1a55ecd62c629b2080fcc06bcced0b04e715d8f583b63355a5a442f03227e2e169a20c941b06195f4789a4451990d9fffc3c3f

            Download Submit

          • C:\Users\Admin\AppData\Local\WLjUA\WFS.exe
            Filesize

            944KB

            MD5

            3cbc8d0f65e3db6c76c119ed7c2ffd85

            SHA1

            e74f794d86196e3bbb852522479946cceeed7e01

            SHA256

            e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

            SHA512

            26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ahvhgxnkgdxqlh.lnk
            Filesize

            1KB

            MD5

            8dfe342e3448043c4da5d7071b475761

            SHA1

            ca642adb054bb0803ccaa48c2f02ec4642c7a462

            SHA256

            2f23d8b4bf3abd510255de561f16fd2d9541bde504587dc83e509865698e626b

            SHA512

            c62c9567cd937e04f29ad27205733935fa31389fce00a65151921468bc738e72e4142e04b49a4701e7e568d83bd3a1b4ec6634f4f126b3af6087e3f0f05b1288

            Download Submit

          • memory/112-3-0x000001DEEB680000-0x000001DEEB687000-memory.dmp

            Filesize

            28KB

            Download

          • memory/112-0-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/112-39-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1764-77-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1764-72-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3372-29-0x0000000002E90000-0x0000000002E97000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3372-36-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3372-10-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3372-7-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3372-9-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3372-11-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3372-12-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3372-4-0x00000000070F0000-0x00000000070F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3372-5-0x00007FF8FCEDA000-0x00007FF8FCEDB000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3372-14-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3372-13-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3372-15-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3372-25-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3372-8-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3372-30-0x00007FF8FDF10000-0x00007FF8FDF20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3372-16-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3924-52-0x0000000140000000-0x000000014014A000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3924-49-0x00000152FC450000-0x00000152FC457000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3924-46-0x0000000140000000-0x000000014014A000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/4488-93-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download