Overview

overview

10

Static

static

3

d88233c134...18.dll

windows7-x64

10

d88233c134...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-09-2024 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d88233c134145cb03ea57d46a0d34923_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    d88233c134145cb03ea57d46a0d34923

  • SHA1

    ca7a8098357ce83214652ba7e02c7dc385861760

  • SHA256

    44e7d8edde3c976623785b7bd9aef613f93911a38728631c59dc4c7d1b625e39

  • SHA512

    1e3efe4ca779e216fa379aa69d87f9939c25c5f16b646f610da94bce18037cd13d78b5a05b8682cbd366fb9651fbf3e0baa95652f774e4e3c6a8d138947dd50d

  • SSDEEP

    24576:5VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:5V8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d88233c134145cb03ea57d46a0d34923_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3920
  • C:\Windows\system32\MusNotificationUx.exe
    C:\Windows\system32\MusNotificationUx.exe
    1⤵
      PID:1276
    • C:\Users\Admin\AppData\Local\oSdiLk\MusNotificationUx.exe
      C:\Users\Admin\AppData\Local\oSdiLk\MusNotificationUx.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2796
    • C:\Windows\system32\FXSCOVER.exe
      C:\Windows\system32\FXSCOVER.exe
      1⤵
        PID:3828
      • C:\Users\Admin\AppData\Local\z3g21TWE\FXSCOVER.exe
        C:\Users\Admin\AppData\Local\z3g21TWE\FXSCOVER.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3232
      • C:\Windows\system32\wusa.exe
        C:\Windows\system32\wusa.exe
        1⤵
          PID:2208
        • C:\Users\Admin\AppData\Local\r1jF\wusa.exe
          C:\Users\Admin\AppData\Local\r1jF\wusa.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2852

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\oSdiLk\MusNotificationUx.exe
          Filesize

          615KB

          MD5

          869a214114a81712199f3de5d69d9aad

          SHA1

          be973e4188eff0d53fdf0e9360106e8ad946d89f

          SHA256

          405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

          SHA512

          befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

          Download Submit

        • C:\Users\Admin\AppData\Local\oSdiLk\XmlLite.dll
          Filesize

          1.2MB

          MD5

          e0a0499140b7467a89528f34507a928c

          SHA1

          b6405e8f541c0ad370148970f719170f8ae0e124

          SHA256

          05636db198bb50d749750e5317ec1fb04b0898e3a12e887b4e6fa6c852c41225

          SHA512

          17bf66ee325988cb4060f8832608ff398421954a224775598450e828454a98eec0626d38763e762f3fab71212a16c02535816cff17affde22b9938a40fdc8f7c

          Download Submit

        • C:\Users\Admin\AppData\Local\r1jF\dpx.dll
          Filesize

          1.2MB

          MD5

          ef687c96927c475d4881258281b7c234

          SHA1

          8c35c45f537739d5cb0754f704442356e1ff12eb

          SHA256

          28e651826c722f2ff5460dc526276d132525f67fb551a3aa4f449b9060285482

          SHA512

          102d0ddb79ea8a7a1660d1219c5a87f6fe76aff7bd33d6af31ee20d0679e279d36c9ce496ee9e01ba375505860e85298892286e60d510ec0f684d6e43349edae

          Download Submit

        • C:\Users\Admin\AppData\Local\r1jF\wusa.exe
          Filesize

          309KB

          MD5

          e43499ee2b4cf328a81bace9b1644c5d

          SHA1

          b2b55641f2799e3fdb3bea709c9532017bbac59d

          SHA256

          3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

          SHA512

          04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

          Download Submit

        • C:\Users\Admin\AppData\Local\z3g21TWE\FXSCOVER.exe
          Filesize

          242KB

          MD5

          5769f78d00f22f76a4193dc720d0b2bd

          SHA1

          d62b6cab057e88737cba43fe9b0c6d11a28b53e8

          SHA256

          40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

          SHA512

          b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

          Download Submit

        • C:\Users\Admin\AppData\Local\z3g21TWE\MFC42u.dll
          Filesize

          1.3MB

          MD5

          abfdc98bd80b9c28f68cd228c9488fa0

          SHA1

          37235e2e242c099d1cd130b13122ef37d78938b6

          SHA256

          837ee2e79837ab3854b56636e2e6b5942a6defedc3de929c5d2c3026cea44abe

          SHA512

          a595f3001486306f07bc7a187ce1a406fe7268e6b8f9927bb2e5d68748b950166053f9ab7d58005c4b15c6ebfac5640301b29a3d9a1dc544f68e53571a096e41

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk
          Filesize

          1KB

          MD5

          efc07e3033ca8ec9959938cd38cfa031

          SHA1

          80b342900097bec1ac99bab2ce9a03d1dee022d3

          SHA256

          1b0fb5ef32bdc020f2883ff32d5c2f01e79d192422ef8d790dd499a8198b6b6f

          SHA512

          b419f1c9061ac028590ae9890faa756ce830959eeb64108d73c3ed23cb31d5eda651e4af62e14cb1322d303c8faed5c8814c9beeeba7888188918cb8254e1bef

          Download Submit

        • memory/2796-46-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2796-45-0x0000016BCF8C0000-0x0000016BCF8C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2796-51-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2852-82-0x0000022D14760000-0x0000022D14767000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2852-85-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3232-62-0x0000000140000000-0x0000000140149000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3232-65-0x000001AB78A50000-0x000001AB78A57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3232-68-0x0000000140000000-0x0000000140149000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3588-14-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3588-13-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3588-10-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3588-7-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3588-6-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3588-8-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3588-9-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3588-11-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3588-12-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3588-4-0x0000000007B20000-0x0000000007B21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3588-23-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3588-24-0x00007FFCD1ADA000-0x00007FFCD1ADB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3588-25-0x0000000006D90000-0x0000000006D97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3588-26-0x00007FFCD2DD0000-0x00007FFCD2DE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3588-35-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3920-0-0x000002365C0D0000-0x000002365C0D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3920-38-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3920-2-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download