Overview

overview

10

Static

static

3

c8baf35e81...18.dll

windows7-x64

10

c8baf35e81...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-08-2024 11:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8baf35e81d9fdc69131c9ceba69f06a_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    c8baf35e81d9fdc69131c9ceba69f06a

  • SHA1

    ad1495128510e0a7eadda3d4ede0a06c3744a46f

  • SHA256

    21bd6ef058050b15306f88b3ce55c92df07610ac8025a9975c8aaa3a47a53ebf

  • SHA512

    b46cad51d6d6a86609bd120b4b9effe3f715bdc7526682c846bf6301e9c2cfb041b8920301201398059c0385a1152669c7c7d6704599203e24b225ed5d970b9e

  • SSDEEP

    24576:9uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nat:X9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c8baf35e81d9fdc69131c9ceba69f06a_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4792
  • C:\Windows\system32\SystemPropertiesRemote.exe
    C:\Windows\system32\SystemPropertiesRemote.exe
    1⤵
      PID:232
    • C:\Users\Admin\AppData\Local\qR8OP\SystemPropertiesRemote.exe
      C:\Users\Admin\AppData\Local\qR8OP\SystemPropertiesRemote.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3908
    • C:\Windows\system32\mblctr.exe
      C:\Windows\system32\mblctr.exe
      1⤵
        PID:8
      • C:\Users\Admin\AppData\Local\gKqNu\mblctr.exe
        C:\Users\Admin\AppData\Local\gKqNu\mblctr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:960
      • C:\Windows\system32\FXSCOVER.exe
        C:\Windows\system32\FXSCOVER.exe
        1⤵
          PID:1084
        • C:\Users\Admin\AppData\Local\PpeYJS7ZX\FXSCOVER.exe
          C:\Users\Admin\AppData\Local\PpeYJS7ZX\FXSCOVER.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4776

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\PpeYJS7ZX\FXSCOVER.exe
          Filesize

          242KB

          MD5

          5769f78d00f22f76a4193dc720d0b2bd

          SHA1

          d62b6cab057e88737cba43fe9b0c6d11a28b53e8

          SHA256

          40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

          SHA512

          b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

          Download Submit

        • C:\Users\Admin\AppData\Local\PpeYJS7ZX\MFC42u.dll
          Filesize

          1.2MB

          MD5

          be52995913315d91cf2f458d618a9720

          SHA1

          a30a34d0786dd0148011be32a4c76b83efa898e9

          SHA256

          dfe45b9743f5125e708b1bef434d88fbf6a9f967d9e5e69030d37373557824ff

          SHA512

          24d3f535d056df36d535e1319e396d57e2243bdd8a374a3dd6e3d40b26c4f4fd578adf5154079dae726e9aaf4b7830eb9a312e004a3c7ffa2ed7fb911edf40d4

          Download Submit

        • C:\Users\Admin\AppData\Local\gKqNu\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          d5e9e4bd5e5ba6e21ecba3a10e748dd2

          SHA1

          7660b8305f00d4468d6cb9c6bb69934007f0af66

          SHA256

          05016ce80a093d589d7190d8226861bdd21d708bb1121b62624431e56576e6bf

          SHA512

          c017d362d92d965ffa074695c42e8d1cf5789d54ec9b340d0cf6e0436b6ab0f25ace81ccd40f8bd6b8f71b43438b8c26e0b4629978a662e8e840f80536f59415

          Download Submit

        • C:\Users\Admin\AppData\Local\gKqNu\mblctr.exe
          Filesize

          790KB

          MD5

          d3db14eabb2679e08020bcd0c96fa9f6

          SHA1

          578dca7aad29409634064579d269e61e1f07d9dd

          SHA256

          3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

          SHA512

          14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

          Download Submit

        • C:\Users\Admin\AppData\Local\qR8OP\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          f4d58ecb13c5bd533b20e99067d78bf2

          SHA1

          984412a577e63a08301e6b8e25abc7461fcdc834

          SHA256

          f8a39e4cde0c066de09ac2b1283313d9fba07f4de0af9c7328e047fa81a3de0c

          SHA512

          431051c5bffbf1422496492377727e7a474f1d914c7e2d40e0e69e60b1a9f1ba69666b8973a49d10ac4533bd14256046bbbfd94061bdeb11bd7a617c6a853ef7

          Download Submit

        • C:\Users\Admin\AppData\Local\qR8OP\SystemPropertiesRemote.exe
          Filesize

          82KB

          MD5

          cdce1ee7f316f249a3c20cc7a0197da9

          SHA1

          dadb23af07827758005ec0235ac1573ffcea0da6

          SHA256

          7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

          SHA512

          f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk
          Filesize

          762B

          MD5

          99d6a18706b1a37220370ac0ffc7c21a

          SHA1

          c60eb38b63b1080af34a75bd6c29abb1992ba9de

          SHA256

          75c4cf3882dfd24f2985134939451312eb971de0a561d5f9a90d50a5aaafa63c

          SHA512

          942201fefee3de8fb8919203df795613d2dd1fd89fdefd37a312e2c7a863eb5689a7f3de51ba06a77b0db59703f2410e09c0be74bc0d9bebdacfedd15a579749

          Download Submit

        • memory/960-69-0x00007FFEC3200000-0x00007FFEC3332000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/960-66-0x000001F024260000-0x000001F024267000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3552-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-6-0x00007FFEE063A000-0x00007FFEE063B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3552-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-30-0x00007FFEE1AF0000-0x00007FFEE1B00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3552-4-0x0000000008270000-0x0000000008271000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3552-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-29-0x0000000008240000-0x0000000008247000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3552-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3552-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3908-46-0x00007FFEC3200000-0x00007FFEC3332000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3908-52-0x00007FFEC3200000-0x00007FFEC3332000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3908-49-0x0000020B7E340000-0x0000020B7E347000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4776-83-0x0000025A1B910000-0x0000025A1B917000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4776-80-0x00007FFEC3200000-0x00007FFEC3338000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4776-86-0x00007FFEC3200000-0x00007FFEC3338000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4792-39-0x00007FFED33D0000-0x00007FFED3501000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4792-0-0x0000026DF0C10000-0x0000026DF0C17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4792-1-0x00007FFED33D0000-0x00007FFED3501000-memory.dmp

          Filesize

          1.2MB

          Download