Overview

overview

10

Static

static

3

cb97f3b10b...18.dll

windows7-x64

10

cb97f3b10b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2024 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb97f3b10b212687f53bd9a867b48792_JaffaCakes118.dll

  • Size

    989KB

  • MD5

    cb97f3b10b212687f53bd9a867b48792

  • SHA1

    af2894245835fca466a102b9cc5269ba2e4d8cd6

  • SHA256

    028d57c42088b9a1346732bb9d7d19c2324293e9e7e1d7b39e602edaa9c878de

  • SHA512

    977ba2dcd9c2ebd059ebf35c9b010c45dc8d80c1b3105ee1607bd99dc663517a126a8c4a3726bacd84d5545a14c921d689537dee31b7e6db15075ffda9e2ac66

  • SSDEEP

    24576:xVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:xV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb97f3b10b212687f53bd9a867b48792_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1940
  • C:\Windows\system32\msra.exe
    C:\Windows\system32\msra.exe
    1⤵
      PID:5104
    • C:\Users\Admin\AppData\Local\G2ej5\msra.exe
      C:\Users\Admin\AppData\Local\G2ej5\msra.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4000
    • C:\Windows\system32\RecoveryDrive.exe
      C:\Windows\system32\RecoveryDrive.exe
      1⤵
        PID:332
      • C:\Users\Admin\AppData\Local\8si1ED4wj\RecoveryDrive.exe
        C:\Users\Admin\AppData\Local\8si1ED4wj\RecoveryDrive.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4660
      • C:\Windows\system32\ddodiag.exe
        C:\Windows\system32\ddodiag.exe
        1⤵
          PID:2356
        • C:\Users\Admin\AppData\Local\KlEHH7\ddodiag.exe
          C:\Users\Admin\AppData\Local\KlEHH7\ddodiag.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2400

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8si1ED4wj\ReAgent.dll
          Filesize

          991KB

          MD5

          0c22564240f9819b72d5c02436dbeb60

          SHA1

          49ee3759755766f2833ab8d2d5af086aa5d2d8e6

          SHA256

          d982b0fd24bee6ea5652db174de1651222240aa60bf474d416803c13b005f2c3

          SHA512

          1a3c213cc41274fb3c3180f9d66d945727029acea382d716acacb294df52573412afaad4f14f7fb822e0a6628a2ebc3bd6c1e7a76435cc61e279e1af105f0fa3

          Download Submit

        • C:\Users\Admin\AppData\Local\8si1ED4wj\RecoveryDrive.exe
          Filesize

          911KB

          MD5

          b9b3dc6f2eb89e41ff27400952602c74

          SHA1

          24ae07e0db3ace0809d08bbd039db3a9d533e81b

          SHA256

          630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

          SHA512

          7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

          Download Submit

        • C:\Users\Admin\AppData\Local\G2ej5\UxTheme.dll
          Filesize

          992KB

          MD5

          e0254601081ad3d92a1b12f87709648d

          SHA1

          7f39a9b0448d330b30c13a5913e87e5c60ed801c

          SHA256

          26bff440c58f720197a3a81606979c6c01dcada1e73d6fef7a23e0fe4c14eaf7

          SHA512

          1c288b19cfbca6db2eaf73ff4c1332faae093d94e8fceda89f401110824f2c113e409674be3d3dfd46e4f6a5642c2d9f63380d171207eaea2c00ef888000c026

          Download Submit

        • C:\Users\Admin\AppData\Local\G2ej5\msra.exe
          Filesize

          579KB

          MD5

          dcda3b7b8eb0bfbccb54b4d6a6844ad6

          SHA1

          316a2925e451f739f45e31bc233a95f91bf775fa

          SHA256

          011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

          SHA512

          18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

          Download Submit

        • C:\Users\Admin\AppData\Local\KlEHH7\XmlLite.dll
          Filesize

          990KB

          MD5

          4606c25af9617dc6718b0055e9e98183

          SHA1

          f77a12984a2f8c5aa9242cb38f230592c3d35aa7

          SHA256

          2724084c9db4a2ca6fd10cdc8885ef62e9e806af928d32de53980b997a1bc806

          SHA512

          c119579f5231106bdfd31a8d9bd0a9ff688f9a732a55e847a3715c8cc0663e01234ff03ac1da155e50108d97a36a5453f7dacbe412768aadb69df02246eae713

          Download Submit

        • C:\Users\Admin\AppData\Local\KlEHH7\ddodiag.exe
          Filesize

          39KB

          MD5

          85feee634a6aee90f0108e26d3d9bc1f

          SHA1

          a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

          SHA256

          99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

          SHA512

          b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk
          Filesize

          1KB

          MD5

          cf1c936d9c28b3a17d745b91d8a6c941

          SHA1

          338f46bbd4a8a2ec6542f496174cdc49023b1237

          SHA256

          f94b63e514de785946c595a276eb4f9db99bc4e21e379efabc168b9473a89739

          SHA512

          11d3264617f2d5d693dfd409842af8b8d0d220769c7c1f64b0ea9113e68ebbdb3c5e2d03eaced76070b53f31449fac50e3a949870934d2c2cd6cfc348d0dabc3

          Download Submit

        • memory/1940-0-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1940-3-0x000001DAC0AC0000-0x000001DAC0AC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1940-37-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/2400-84-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/2400-78-0x000002756A660000-0x000002756A667000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3404-8-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-6-0x00007FFC5FE9A000-0x00007FFC5FE9B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-10-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-34-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-11-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-12-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-14-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-23-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-4-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-9-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-24-0x00000000029E0000-0x00000000029E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3404-25-0x00007FFC61CB0000-0x00007FFC61CC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3404-7-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-13-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/4000-50-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/4000-47-0x000001BDA4CA0000-0x000001BDA4CA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4000-44-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/4660-67-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/4660-64-0x0000016F9F150000-0x0000016F9F157000-memory.dmp

          Filesize

          28KB

          Download