Overview

overview

10

Static

static

3

cf42baf701...18.dll

windows7-x64

10

cf42baf701...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-09-2024 09:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf42baf701af133c3b5644942b098edd_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    cf42baf701af133c3b5644942b098edd

  • SHA1

    fa131bba515e453c67ecb025dfd4f8f2d76a01bc

  • SHA256

    912ee7943db3b7e80cca61c022154f0fc13ef29ff948a89bbc87ed1b2938ac94

  • SHA512

    873c88128d15175aed92577de51d2113723f00fb10358551affa4764e619707a453d25f2d3f3d5a028dfd9784cabb051916424dfde4df87aa2a0ee34beaae750

  • SSDEEP

    24576:9uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:X9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf42baf701af133c3b5644942b098edd_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4804
  • C:\Windows\system32\AtBroker.exe
    C:\Windows\system32\AtBroker.exe
    1⤵
      PID:2468
    • C:\Users\Admin\AppData\Local\BwoDxEr\AtBroker.exe
      C:\Users\Admin\AppData\Local\BwoDxEr\AtBroker.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1192
    • C:\Windows\system32\eudcedit.exe
      C:\Windows\system32\eudcedit.exe
      1⤵
        PID:1332
      • C:\Users\Admin\AppData\Local\C9pY6\eudcedit.exe
        C:\Users\Admin\AppData\Local\C9pY6\eudcedit.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2872
      • C:\Windows\system32\ddodiag.exe
        C:\Windows\system32\ddodiag.exe
        1⤵
          PID:4636
        • C:\Users\Admin\AppData\Local\DPKucxB2\ddodiag.exe
          C:\Users\Admin\AppData\Local\DPKucxB2\ddodiag.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3252

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\BwoDxEr\AtBroker.exe
          Filesize

          90KB

          MD5

          30076e434a015bdf4c136e09351882cc

          SHA1

          584c958a35e23083a0861421357405afd26d9a0c

          SHA256

          ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

          SHA512

          675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

          Download Submit

        • C:\Users\Admin\AppData\Local\BwoDxEr\UxTheme.dll
          Filesize

          1.2MB

          MD5

          69a1e2f329b4e4170c666bcd8ae295ae

          SHA1

          51c96e0822fe15a30da8f37a072d2bb6d0270402

          SHA256

          65925f3b45676aeb82237c821f43c9ca96996223d952e41ef81c1451b9983b74

          SHA512

          c14d69c81cecf28f6e06e32fb63e962049b414c63251cd69de6d6eb817274bf1b094f757a916338608aa59c36f76d21be7e5d2931858ffdaef624840f2b9e92f

          Download Submit

        • C:\Users\Admin\AppData\Local\C9pY6\MFC42u.dll
          Filesize

          1.2MB

          MD5

          1877c843a76b6e9773a8d622362daa98

          SHA1

          99f3e0014282bb97add8796652638bdcec3de494

          SHA256

          3c2c9092f28c5d2c92295be2a8e47cc9cac56549bc3970e7c67ad9ee5bda3db6

          SHA512

          dc415e4063fc094ed3a4218424c41a0fb824b0f725d8dbcecab07fe87ece9460672912fae0d2d2714ae70e199cb791c812fa9495d6ca44522a09545d64f13f13

          Download Submit

        • C:\Users\Admin\AppData\Local\C9pY6\eudcedit.exe
          Filesize

          365KB

          MD5

          a9de6557179d371938fbe52511b551ce

          SHA1

          def460b4028788ded82dc55c36cb0df28599fd5f

          SHA256

          83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

          SHA512

          5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

          Download Submit

        • C:\Users\Admin\AppData\Local\DPKucxB2\XmlLite.dll
          Filesize

          1.2MB

          MD5

          a2cc2d5c1d5f93081bbc3b1ecfb81c71

          SHA1

          03610827f2625c19645ffd2a77766fa142f76204

          SHA256

          7985cc32cff5cafecdbfe7eabf131af880f7ea8d112e6990f7623a5d8aa214ab

          SHA512

          e588b3826daf2dd9edad0261fc54911e14a93b31545e1607bcd6476162cdf624b3825048a6428b6be1ecd7c4cbf4bd9ec855ab1472fc32863c258a02bdbda664

          Download Submit

        • C:\Users\Admin\AppData\Local\DPKucxB2\ddodiag.exe
          Filesize

          39KB

          MD5

          85feee634a6aee90f0108e26d3d9bc1f

          SHA1

          a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

          SHA256

          99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

          SHA512

          b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk
          Filesize

          1KB

          MD5

          996161abcb167e02ffdecd28cc29ae49

          SHA1

          8dc1f612e067a5b9d03a848337356289c6e7826b

          SHA256

          6bc7a8b999bf09077aba1da731d447aaa59c85350cd11b384386fb4867896615

          SHA512

          2c9ff0be4f2016f68bb9b55c9dc9b9a001b8626f059aa2a7b48a80d7cf9c7504e1792631ebe6b286427e98634e028c80ce331f335b2a4ef816d513902c46a97f

          Download Submit

        • memory/1192-45-0x0000018ACCB80000-0x0000018ACCB87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-46-0x00007FF8BDBC0000-0x00007FF8BDCF1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-51-0x00007FF8BDBC0000-0x00007FF8BDCF1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2872-68-0x00007FF8BDBC0000-0x00007FF8BDCF7000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2872-65-0x000001CBA3F40000-0x000001CBA3F47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2872-62-0x00007FF8BDBC0000-0x00007FF8BDCF7000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3252-79-0x000001F977C90000-0x000001F977C97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3252-85-0x00007FF8BDBC0000-0x00007FF8BDCF1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-29-0x0000000000D50000-0x0000000000D57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3400-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-6-0x00007FF8DAB1A000-0x00007FF8DAB1B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3400-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-4-0x0000000003050000-0x0000000003051000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3400-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-33-0x00007FF8DB7B0000-0x00007FF8DB7C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3400-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3400-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4804-0-0x00007FF8CD680000-0x00007FF8CD7B0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4804-38-0x00007FF8CD680000-0x00007FF8CD7B0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4804-3-0x0000020E18270000-0x0000020E18277000-memory.dmp

          Filesize

          28KB

          Download