Overview

overview

10

Static

static

3

c475c91a90...18.dll

windows7-x64

10

c475c91a90...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-08-2024 06:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c475c91a904071b04d95d5a7014606ef_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    c475c91a904071b04d95d5a7014606ef

  • SHA1

    286435d35c1b37e4763a51151eef94b6d2daf663

  • SHA256

    85c13dbe9f69e69df02a7b9a97fdfea89e59ef6749f2594d320bb81a6b935142

  • SHA512

    6435bd692cfdb0027f0697b25355f393d57e627148c9776abc24c9856609dc334fd12fdd2434c120465aa84f7755a0a09ba5bf0e26c5bd5108d1a39e5cd7c01c

  • SSDEEP

    24576:FuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:/9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c475c91a904071b04d95d5a7014606ef_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4448
  • C:\Windows\system32\CloudNotifications.exe
    C:\Windows\system32\CloudNotifications.exe
    1⤵
      PID:3900
    • C:\Users\Admin\AppData\Local\8e02\CloudNotifications.exe
      C:\Users\Admin\AppData\Local\8e02\CloudNotifications.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4336
    • C:\Windows\system32\GamePanel.exe
      C:\Windows\system32\GamePanel.exe
      1⤵
        PID:2656
      • C:\Users\Admin\AppData\Local\ftdlMzYr9\GamePanel.exe
        C:\Users\Admin\AppData\Local\ftdlMzYr9\GamePanel.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4868
      • C:\Windows\system32\InfDefaultInstall.exe
        C:\Windows\system32\InfDefaultInstall.exe
        1⤵
          PID:2984
        • C:\Users\Admin\AppData\Local\c5J\InfDefaultInstall.exe
          C:\Users\Admin\AppData\Local\c5J\InfDefaultInstall.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2812

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8e02\CloudNotifications.exe
          Filesize

          59KB

          MD5

          b50dca49bc77046b6f480db6444c3d06

          SHA1

          cc9b38240b0335b1763badcceac37aa9ce547f9e

          SHA256

          96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

          SHA512

          2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

          Download Submit

        • C:\Users\Admin\AppData\Local\8e02\UxTheme.dll
          Filesize

          1.2MB

          MD5

          d62790653c8f042dca269d25d8f423a0

          SHA1

          877ad79622cc71d1db402638a7d469d3a8d92f21

          SHA256

          766a6bb7b77ab45eb9c4a08c21930a931f71ed966fcfa4c20d942030534155fe

          SHA512

          5870c350f62e8f32408d72549dbc46f665245c6d38298af7b6d4c266cfb7d369bea373497abb739b3180199b6b24476439042c608ad8b46df3b6adc5ccd71ee5

          Download Submit

        • C:\Users\Admin\AppData\Local\c5J\InfDefaultInstall.exe
          Filesize

          13KB

          MD5

          ee18876c1e5de583de7547075975120e

          SHA1

          f7fcb3d77da74deee25de9296a7c7335916504e3

          SHA256

          e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d

          SHA512

          08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

          Download Submit

        • C:\Users\Admin\AppData\Local\c5J\newdev.dll
          Filesize

          1.2MB

          MD5

          ecaf5c92ad446b67cbc553618cdc5a69

          SHA1

          8e9f5664b61a69837cc4e108b7f825ded319f93d

          SHA256

          1cf9cda21b8e7383f5cb37c36f334289a9d0dbe21220f1eca4f07feedf246ba9

          SHA512

          a7ad3f3dcde10e3bead1d7c939e78f1b19dfc43eeb0c33a79f0365bc87e6231164ed1c035a05bbbc1592475d9664316098d92652d9d23782d6530033e426929b

          Download Submit

        • C:\Users\Admin\AppData\Local\ftdlMzYr9\GamePanel.exe
          Filesize

          1.2MB

          MD5

          266f6a62c16f6a889218800762b137be

          SHA1

          31b9bd85a37bf0cbb38a1c30147b83671458fa72

          SHA256

          71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

          SHA512

          b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

          Download Submit

        • C:\Users\Admin\AppData\Local\ftdlMzYr9\dwmapi.dll
          Filesize

          1.2MB

          MD5

          d1412c3ff40147165270d21424292635

          SHA1

          975c0399a059cd4295e276b679da2cfe95ae13e4

          SHA256

          7f4945bebc4b85453720e194c3b6db2c79561502c021d8cab28c04e5cc61f5f2

          SHA512

          0bf9bb6e3a9bfca02c9d8db1b2c14db4bb356d774f3d1fbbea579840f7d551f1a51f8a20d509de24cf9fb451c68350c99a1914f25e6a6f7a59e6ff51e6c9688c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ahvhgxnkgdxqlh.lnk
          Filesize

          1KB

          MD5

          3688711c228bdae140070eb0ee412e1c

          SHA1

          9da9495d3bfe30eeab2a7ba2279ac1bb469df251

          SHA256

          ec40e6e80fc98f705bad57e89b15aca7b041cc3029a4b7edc8fae79ee94bd146

          SHA512

          24df8eb586f1c589ecf865a38bad542ba9e0b81503dfe7381ebeb91c98dbba6451cbd38ed440aa0acc645dfa2d510620fac74b3898f0779426df12228a2648b0

          Download Submit

        • memory/2812-85-0x00007FFA3C200000-0x00007FFA3C332000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-35-0x00007FFA59970000-0x00007FFA59980000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3440-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-18-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-4-0x00000000028F0000-0x00000000028F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-6-0x00007FFA587FA000-0x00007FFA587FB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-34-0x0000000002830000-0x0000000002837000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3440-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4336-52-0x00007FFA3C200000-0x00007FFA3C332000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4336-49-0x000001AACF110000-0x000001AACF117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4336-46-0x00007FFA3C200000-0x00007FFA3C332000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4448-39-0x00007FFA4B120000-0x00007FFA4B251000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4448-0-0x00007FFA4B120000-0x00007FFA4B251000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4448-3-0x00000115E4EB0000-0x00000115E4EB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4868-63-0x0000020722DA0000-0x0000020722DA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4868-69-0x00007FFA3C200000-0x00007FFA3C332000-memory.dmp

          Filesize

          1.2MB

          Download