Overview

overview

10

Static

static

3

c92e3efca0...18.dll

windows7-x64

10

c92e3efca0...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-08-2024 16:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c92e3efca093f668248b1296266083b3_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    c92e3efca093f668248b1296266083b3

  • SHA1

    3517fccb614a9acae54875fde47e75835f4c88ab

  • SHA256

    e19ce29247123b0510e9008cfc58ebfc1f044a10d788b56ed1aaec774735d9db

  • SHA512

    32b944dfd3c52e2b742ca82e14ebca4c7a2e441cb8f86ca9808f9d40b9f757afd4ea651291cabf0ed62beb646c092f3c553c8b5789b09207aa01561fe2af1455

  • SSDEEP

    24576:+VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:+V8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c92e3efca093f668248b1296266083b3_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:804
  • C:\Windows\system32\wusa.exe
    C:\Windows\system32\wusa.exe
    1⤵
      PID:4624
    • C:\Users\Admin\AppData\Local\QuBdfV\wusa.exe
      C:\Users\Admin\AppData\Local\QuBdfV\wusa.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4876
    • C:\Windows\system32\BitLockerWizard.exe
      C:\Windows\system32\BitLockerWizard.exe
      1⤵
        PID:1172
      • C:\Users\Admin\AppData\Local\EJo\BitLockerWizard.exe
        C:\Users\Admin\AppData\Local\EJo\BitLockerWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3228
      • C:\Windows\system32\SystemSettingsAdminFlows.exe
        C:\Windows\system32\SystemSettingsAdminFlows.exe
        1⤵
          PID:4824
        • C:\Users\Admin\AppData\Local\oOEDnvz\SystemSettingsAdminFlows.exe
          C:\Users\Admin\AppData\Local\oOEDnvz\SystemSettingsAdminFlows.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4832

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\EJo\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit

        • C:\Users\Admin\AppData\Local\EJo\FVEWIZ.dll
          Filesize

          1.2MB

          MD5

          b18e5383900b9619a538a24d0f87fab1

          SHA1

          6b01409bcb3730ca18bff58e9920867477984caf

          SHA256

          4f272078944363ef384f2d23dcb467e4e63bb374fd6a6014cde4c3f1f083e1a7

          SHA512

          36af77a99282e41bc63d54b2dc0a0bf62ef6cc524933a8d73055357d46cd438cd90f16e08e85bfd562036ee9fdf89bcb0ae78022ee6ec9ea4fa1f3698ae704ed

          Download Submit

        • C:\Users\Admin\AppData\Local\QuBdfV\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          7f2d9e555fe1255fab430f7bf929d3fb

          SHA1

          7134f4f2705514b9cf5063558d50546056aebdb9

          SHA256

          f6af0ac9fca2c612643db88cd5f82e7e0a578ee6e16f30da241c6acbb608dfbb

          SHA512

          63355655e000f0b7cd7c26a36f78bce0c982390727a3433c7db9e58e9dc17505b98d6447aa12b2acf469cfe1a7140a474990bd91756c534943f4eafe43dcd489

          Download Submit

        • C:\Users\Admin\AppData\Local\QuBdfV\wusa.exe
          Filesize

          309KB

          MD5

          e43499ee2b4cf328a81bace9b1644c5d

          SHA1

          b2b55641f2799e3fdb3bea709c9532017bbac59d

          SHA256

          3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

          SHA512

          04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

          Download Submit

        • C:\Users\Admin\AppData\Local\oOEDnvz\SystemSettingsAdminFlows.exe
          Filesize

          506KB

          MD5

          50adb2c7c145c729b9de8b7cf967dd24

          SHA1

          a31757f08da6f95156777c1132b6d5f1db3d8f30

          SHA256

          a7a2e7122d27308df37b7ab718ef3ac239e4216669f51331e34e205f59fb0aec

          SHA512

          715b4c93e79e896da1cf86cf4455a84cba1aeac34b6fd72d2afdf203a2034f6f8fac1d6501f0dd277a17bd1d7ab73ddd1887e01a99f2d26f39efeb94d0aac9b0

          Download Submit

        • C:\Users\Admin\AppData\Local\oOEDnvz\newdev.dll
          Filesize

          1.2MB

          MD5

          acab7e7fa42825b942682ccdeb61864d

          SHA1

          db8bb57efbeb708dff71f85c1d83268c862c7d35

          SHA256

          6acfd4cd8f30432e889f9b1eed9ebf6797666d4ce982cafdf5c3132b2d2e4e26

          SHA512

          c200290d2e4325c991547b6e5caa1e34a9aa71de3d72f968121192e8e68d4b29f2c76abeacf1386257be7762eb1b0a7725e10197d9542608961d7cf0577ecff7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yfsfrqrlkk.lnk
          Filesize

          1KB

          MD5

          2cefb93d091b849718b8d944f897971e

          SHA1

          8183bb7c68dfe94fe57dcabcbebdebad2e7c95f8

          SHA256

          2520f3050add58707046d0f7c8049b8b33106bc4e833a95f4f5143c64d72fb13

          SHA512

          8435126dc0f079335480abc9b4dc660459c038ac60e4ea333c6dde1ca075cfea98ee45eeb093e7b523d293e88e3e329ad4252f972994c9356496e9c58fcae148

          Download Submit

        • memory/804-0-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/804-3-0x00000000006A0000-0x00000000006A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/804-38-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3228-68-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3228-62-0x000001EB687C0000-0x000001EB687C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3416-8-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3416-29-0x00007FF9ED550000-0x00007FF9ED560000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3416-10-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3416-7-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3416-35-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3416-11-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3416-13-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3416-15-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3416-6-0x00007FF9EB7AA000-0x00007FF9EB7AB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3416-4-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3416-12-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3416-24-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3416-28-0x0000000006B60000-0x0000000006B67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3416-9-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3416-14-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4832-84-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4876-49-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4876-46-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4876-45-0x00000218D4330000-0x00000218D4337000-memory.dmp

          Filesize

          28KB

          Download