Overview

overview

10

Static

static

3

d26885945e...18.dll

windows7-x64

10

d26885945e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 16:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d26885945eb4456891a98cf5150c51bb_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    d26885945eb4456891a98cf5150c51bb

  • SHA1

    2a51c4f78684aff8b1b4ee5831bc78276d7c0c02

  • SHA256

    72a98167067dce07044af99248b5e58b14dcdad86d1e6e1a677014103bb08698

  • SHA512

    aa8f8b39916d5ad5b0ed3fc278abb0912f899e85f333ed1772c87e104e7c5bbcda1251c2f16f4682c2b26f36228330f234264de60c8e88916c36dacecf916a76

  • SSDEEP

    24576:juYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:N9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d26885945eb4456891a98cf5150c51bb_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4656
  • C:\Windows\system32\DWWIN.EXE
    C:\Windows\system32\DWWIN.EXE
    1⤵
      PID:840
    • C:\Users\Admin\AppData\Local\8HPCdV\DWWIN.EXE
      C:\Users\Admin\AppData\Local\8HPCdV\DWWIN.EXE
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3652
    • C:\Windows\system32\mblctr.exe
      C:\Windows\system32\mblctr.exe
      1⤵
        PID:4496
      • C:\Users\Admin\AppData\Local\uaCFb\mblctr.exe
        C:\Users\Admin\AppData\Local\uaCFb\mblctr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1212
      • C:\Windows\system32\BitLockerWizard.exe
        C:\Windows\system32\BitLockerWizard.exe
        1⤵
          PID:964
        • C:\Users\Admin\AppData\Local\xZb7\BitLockerWizard.exe
          C:\Users\Admin\AppData\Local\xZb7\BitLockerWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4436

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8HPCdV\DWWIN.EXE
          Filesize

          229KB

          MD5

          444cc4d3422a0fdd45c1b78070026c60

          SHA1

          97162ff341fff1ec54b827ec02f8b86fd2d41a97

          SHA256

          4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

          SHA512

          21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

          Download Submit

        • C:\Users\Admin\AppData\Local\8HPCdV\VERSION.dll
          Filesize

          1.2MB

          MD5

          6043268b575781f5a0def839dcb2a303

          SHA1

          e0a3237dd985b19059cfb7027526571de0511d81

          SHA256

          6ce281f36b0e87d2da90658966e185b24109905bd09176a524661c572aedb079

          SHA512

          4b0af7edcc972e97f7cd21fe63a7d035b9c6f05b923e42a51cf313a282387f96d43ca5ef8bf1954144c4cdd559359bd7c00152d4d4af02012a8dcd0ae7def43e

          Download Submit

        • C:\Users\Admin\AppData\Local\uaCFb\WINMM.dll
          Filesize

          1.2MB

          MD5

          244eb765885b6600cf69097f947e4400

          SHA1

          5a856c379f03e670f909d7b6a856f4ac47c54b4e

          SHA256

          7f9feabc9dbfc61454118cdb01ad685fa56d00b1d232c3f40243cc511d795eb6

          SHA512

          063d9087878ca4b53990081bdc11fc0953d42a9561f7c30793505f209a29648f82e98a45846e7809a4938ec2bf8937abe4995620862b801526a6825ba505b1ef

          Download Submit

        • C:\Users\Admin\AppData\Local\uaCFb\mblctr.exe
          Filesize

          790KB

          MD5

          d3db14eabb2679e08020bcd0c96fa9f6

          SHA1

          578dca7aad29409634064579d269e61e1f07d9dd

          SHA256

          3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

          SHA512

          14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

          Download Submit

        • C:\Users\Admin\AppData\Local\xZb7\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit

        • C:\Users\Admin\AppData\Local\xZb7\FVEWIZ.dll
          Filesize

          1.2MB

          MD5

          5f1f653a2cb3131ef565d3ea2c0d905f

          SHA1

          a055e403617614a88ab39c3565d6a01e3f6d2943

          SHA256

          b466febd4f4806f1dcbb22d288b0557b8ab4d57d45958e8bed8ef3b54e09620f

          SHA512

          8687b0c2875a315cd7215a337907052a62d48fb2c0ddf90b05b6cd7cd8b0e78253e40f76b43ff15cc25e76118b264167f0ec8ec7a804668d6beaac7f205ad764

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk
          Filesize

          1KB

          MD5

          2111b434eb8d84eafd21012ac05e2b63

          SHA1

          becf32da3fea31b584d5606cb525c5f6b3908b59

          SHA256

          2c79fb39730d7de13051868819e8138baafefc93223cd843a91402b5bcef70c2

          SHA512

          55f748bda0992b6e009b6b036e4fe53b1ea84fa426a7ac885670275114b2bfff4f7c9dd0fa045dc6ab21476fddb3e4f825729691ceabcf7f945fa5f93886d5eb

          Download Submit

        • memory/1212-68-0x00007FFC445F0000-0x00007FFC44723000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-62-0x000001A9DCF90000-0x000001A9DCF97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1212-63-0x00007FFC445F0000-0x00007FFC44723000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-28-0x00000000029E0000-0x00000000029E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3404-29-0x00007FFC61CB0000-0x00007FFC61CC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3404-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-6-0x00007FFC5FE9A000-0x00007FFC5FE9B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-4-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3404-35-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3652-51-0x00007FFC445F0000-0x00007FFC44722000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3652-45-0x00007FFC445F0000-0x00007FFC44722000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3652-48-0x000001ABC3510000-0x000001ABC3517000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4436-79-0x0000022BDD620000-0x0000022BDD627000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4436-85-0x00007FFC445F0000-0x00007FFC44722000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4656-0-0x00000242AA970000-0x00000242AA977000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4656-38-0x00007FFC537D0000-0x00007FFC53901000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4656-1-0x00007FFC537D0000-0x00007FFC53901000-memory.dmp

          Filesize

          1.2MB

          Download