Overview

overview

10

Static

static

3

d61f5b5b8d...18.dll

windows7-x64

10

d61f5b5b8d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-09-2024 10:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d61f5b5b8dafce129496a33195e5842b_JaffaCakes118.dll

  • Size

    1.1MB

  • MD5

    d61f5b5b8dafce129496a33195e5842b

  • SHA1

    c165d40db3e1414e961795118dece8d52b686e81

  • SHA256

    624fd6a2c2a29a89d845271773a63a2950d9e12759de4910e0dd2ad5685e8476

  • SHA512

    0929356ae9dc07a9e06f109da209500a440fa60411f34ae6bce955ce44e7642e8dea450049bd3cd5ff7ed1ad37eeba294091d1ec6ea8eb8c1f4e7804f87f7546

  • SSDEEP

    12288:tdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0TGu:DMIJxSDX3bqjhcfHk7MzH6zl

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d61f5b5b8dafce129496a33195e5842b_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2252
  • C:\Windows\system32\ddodiag.exe
    C:\Windows\system32\ddodiag.exe
    1⤵
      PID:2448
    • C:\Users\Admin\AppData\Local\SR1zm\ddodiag.exe
      C:\Users\Admin\AppData\Local\SR1zm\ddodiag.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:5060
    • C:\Windows\system32\LockScreenContentServer.exe
      C:\Windows\system32\LockScreenContentServer.exe
      1⤵
        PID:2156
      • C:\Users\Admin\AppData\Local\ahclpB8\LockScreenContentServer.exe
        C:\Users\Admin\AppData\Local\ahclpB8\LockScreenContentServer.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4084
      • C:\Windows\system32\CloudNotifications.exe
        C:\Windows\system32\CloudNotifications.exe
        1⤵
          PID:932
        • C:\Users\Admin\AppData\Local\rM2ksr\CloudNotifications.exe
          C:\Users\Admin\AppData\Local\rM2ksr\CloudNotifications.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3636

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\SR1zm\XmlLite.dll
          Filesize

          1.1MB

          MD5

          eb60e805a87fe94302d1deef7f44745f

          SHA1

          04f7ae8fafd2009b085818deaf7f4efcf3445857

          SHA256

          5e2478c0b783df5a24f1a83545979ea966bd318844aff58aaa8d92eaea90767e

          SHA512

          3fea8c89505ba14014c65025e8879a67b0b6bd4b760d239195452b2e662cf4ab2964565870a129defea764776f074a4a9e61d3cfc9c8197d2b25b8c6c100aa9f

          Download Submit

        • C:\Users\Admin\AppData\Local\SR1zm\ddodiag.exe
          Filesize

          39KB

          MD5

          85feee634a6aee90f0108e26d3d9bc1f

          SHA1

          a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

          SHA256

          99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

          SHA512

          b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

          Download Submit

        • C:\Users\Admin\AppData\Local\ahclpB8\LockScreenContentServer.exe
          Filesize

          47KB

          MD5

          a0b7513c98cf46ca2cea3a567fec137c

          SHA1

          2307fc8e3fc620ea3c2fdc6248ad4658479ba995

          SHA256

          cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

          SHA512

          3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

          Download Submit

        • C:\Users\Admin\AppData\Local\ahclpB8\dwmapi.dll
          Filesize

          1.1MB

          MD5

          cdf11673fc644001e6fdb4b183f89ad1

          SHA1

          3444019f3121939e6aae10dbd728f3ee22ebe3a7

          SHA256

          b08e455927459633748195c38261a922cb335f22bd5560d759e779880a16537d

          SHA512

          f02fb7d615133667b570e980b722d4983915c556535173c8acd246e181228a1268129499e52fe0d36f76269ede3832a7de720e0593d4c096cedc2537a2441cb1

          Download Submit

        • C:\Users\Admin\AppData\Local\rM2ksr\CloudNotifications.exe
          Filesize

          59KB

          MD5

          b50dca49bc77046b6f480db6444c3d06

          SHA1

          cc9b38240b0335b1763badcceac37aa9ce547f9e

          SHA256

          96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

          SHA512

          2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

          Download Submit

        • C:\Users\Admin\AppData\Local\rM2ksr\UxTheme.dll
          Filesize

          1.1MB

          MD5

          cf9a7ef85c9598ea76be6788396792fd

          SHA1

          c82cc3e17d5d90370c8c1fff2a767c26e8b597ee

          SHA256

          d3e67cecf8403919325b651ab5f5a6123b908ed4fd1acc7666ecfa4dc74255b0

          SHA512

          8458bfe1551bb438b9a6d36fe2dd900fba17fda0a6329697c49143651a03185fc3b4c36abe34b3550ea96cfb877dd6b6edba9b49928a074927271a233e866053

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk
          Filesize

          1KB

          MD5

          3891ec771a822ef20c9245c549db3f36

          SHA1

          29d3215d99b12455f83ed8edfc4238c1c41d7e4d

          SHA256

          61d55a21ed5c39c2fc3c699adb85fb52f90edde689da557a25ea051bdf9f845b

          SHA512

          9e916e7b62b9b9b803ed257112b6888e66c9fd0bc03dc69b10731a63df3c735298819ac04e5b36458f32442116fb1c0f9cea6a600d3eb2f6c1cbfb196dca9122

          Download Submit

        • memory/2252-0-0x0000000002110000-0x0000000002117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2252-1-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2252-59-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-13-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-47-0x00007FFBB29B0000-0x00007FFBB29C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3504-31-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-30-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-29-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-28-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-27-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-25-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-23-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-22-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-21-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-20-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-18-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-17-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-16-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-15-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-33-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-12-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-11-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-10-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-9-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-45-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-46-0x00007FFBB29C0000-0x00007FFBB29D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3504-32-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-8-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-7-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-19-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-14-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-6-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-57-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-34-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-35-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-44-0x0000000007CA0000-0x0000000007CA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3504-4-0x00007FFBB1B8A000-0x00007FFBB1B8B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3504-3-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3504-24-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-36-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3504-26-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3636-100-0x000001B44CB80000-0x000001B44CB87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3636-103-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4084-84-0x00000286A0780000-0x00000286A0787000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4084-87-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/5060-71-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/5060-66-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/5060-68-0x0000018028770000-0x0000018028777000-memory.dmp

          Filesize

          28KB

          Download