Overview

overview

10

Static

static

3

d7046a77ab...18.dll

windows7-x64

10

d7046a77ab...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-09-2024 20:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7046a77abea80c3feecd1943072d1b6_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    d7046a77abea80c3feecd1943072d1b6

  • SHA1

    d9896c3622da161c675d7ef431325b7fcca71886

  • SHA256

    c6925804ea54a33bcdcc830d09ffdd297160f57775da5c00d32e11339e07730c

  • SHA512

    3493cc0763646606dbf3483df2b6c76ed45b9412bf45f6cce0b499eb047fb209c0f84414e2a60ef5c8e2528c39241147467ec2948be4405aa8acd52e01b2b187

  • SSDEEP

    24576:suYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:E9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7046a77abea80c3feecd1943072d1b6_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:788
  • C:\Windows\system32\DWWIN.EXE
    C:\Windows\system32\DWWIN.EXE
    1⤵
      PID:4816
    • C:\Users\Admin\AppData\Local\hmuU1\DWWIN.EXE
      C:\Users\Admin\AppData\Local\hmuU1\DWWIN.EXE
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4996
    • C:\Windows\system32\dwm.exe
      C:\Windows\system32\dwm.exe
      1⤵
        PID:4620
      • C:\Users\Admin\AppData\Local\W4qS7kay\dwm.exe
        C:\Users\Admin\AppData\Local\W4qS7kay\dwm.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5036
      • C:\Windows\system32\DWWIN.EXE
        C:\Windows\system32\DWWIN.EXE
        1⤵
          PID:932
        • C:\Users\Admin\AppData\Local\0EZ\DWWIN.EXE
          C:\Users\Admin\AppData\Local\0EZ\DWWIN.EXE
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:428

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0EZ\VERSION.dll
          Filesize

          1.2MB

          MD5

          e40c5e60cdccb2ad5edb89457de86647

          SHA1

          fa1c93836e458fbe45d70bf4f9de5fb909e19a47

          SHA256

          f36ac44dc3ff4f3ad22b61a9b764be2fd04f35b4fdbd37717803f11bdc90fb80

          SHA512

          9e89c8a67db766ca7086c34729f5e3b2e7b123b30def535d9ebb73b2bed3fb8a04330965e3755fa55403bbe1093b19ef078a26469ab49a73fe16c2dad45a0625

          Download Submit

        • C:\Users\Admin\AppData\Local\W4qS7kay\dwm.exe
          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

          Download Submit

        • C:\Users\Admin\AppData\Local\W4qS7kay\dxgi.dll
          Filesize

          1.2MB

          MD5

          f523c2dc9c1281bf80ac389e584a507b

          SHA1

          ed9960ab79f3df85e00dd2446160ba7109036620

          SHA256

          41a82036289d26f02536040043f65e94ef2410720166fb7f21fd4a1d0033896e

          SHA512

          da767ffbec84efbf4f24beacb2cf23ebbc0acac15191aa00fe34c7653dc0147500399543d6e5e56bca700ffb2d4a7b362da4ffb78f6e3720e792384050b5ca91

          Download Submit

        • C:\Users\Admin\AppData\Local\hmuU1\DWWIN.EXE
          Filesize

          229KB

          MD5

          444cc4d3422a0fdd45c1b78070026c60

          SHA1

          97162ff341fff1ec54b827ec02f8b86fd2d41a97

          SHA256

          4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

          SHA512

          21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

          Download Submit

        • C:\Users\Admin\AppData\Local\hmuU1\VERSION.dll
          Filesize

          1.2MB

          MD5

          96b4aa6ad73978ac188b732b50639b92

          SHA1

          8ba2854c9340639fbce56e94326a36ee6dc48519

          SHA256

          4801fdcc62e0331352df53623c25b205f5ece9c522b533e294592eb9e835e5e6

          SHA512

          f835546e2b3a146725797d6c4021f739b81f346ae6760122b403f90d3ff63c2829c283a0e9ac628e3210d60ff8753a9f2aac019d27b6456ef626c8d983f0d681

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk
          Filesize

          1KB

          MD5

          bed0ec45ccada987962693c4c9fef496

          SHA1

          c66ad7275e943d1795f19617b7e748f57efbd725

          SHA256

          aa5a4cf2deb7cd80768d61bed9f2f29845ad691f24a643e42a8cdb23567eb799

          SHA512

          d57b84a6ecab6c5a30dd147585079c2116e43b74a6b16496420000b7429e376533ab726cc0ba4cfb2f81bf00d4105abad1f8b06600ae7c4aa3ad8c6fca9fce5b

          Download Submit

        • memory/428-83-0x00007FFCED7B0000-0x00007FFCED8E2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/788-1-0x000001A8B2B20000-0x000001A8B2B27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/788-0-0x00007FFCFC470000-0x00007FFCFC5A1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/788-39-0x00007FFCFC470000-0x00007FFCFC5A1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-30-0x0000000003670000-0x0000000003677000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3440-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-4-0x0000000003690000-0x0000000003691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-5-0x00007FFD0A34A000-0x00007FFD0A34B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3440-31-0x00007FFD0AF10000-0x00007FFD0AF20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3440-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4996-52-0x00007FFCED7B0000-0x00007FFCED8E2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4996-49-0x000001F03DF80000-0x000001F03DF87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4996-47-0x00007FFCED7B0000-0x00007FFCED8E2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5036-65-0x0000025FA79D0000-0x0000025FA79D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5036-69-0x00007FFCED7B0000-0x00007FFCED8E2000-memory.dmp

          Filesize

          1.2MB

          Download