Overview

overview

10

Static

static

3

d8cf023eb8...18.dll

windows7-x64

10

d8cf023eb8...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-09-2024 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8cf023eb8750f452b685ed59fe62820_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    d8cf023eb8750f452b685ed59fe62820

  • SHA1

    b4be377b765f4efbee22a39d3d55bdbf0556477e

  • SHA256

    cd1bd457f42d8afb53753b2e986ad3b7bfee9e0ba1bf97c3f71eda63433d77e4

  • SHA512

    41c72ff1cecea5ee4f4e80d3b5b15c6da227ab0b3c1ae884717e21eb22b38fe5430cef6421cbaa092bf5f137b47a35b4c1eb7cf91cd0e116880fdb8c656ae5f0

  • SSDEEP

    24576:DuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:t9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8cf023eb8750f452b685ed59fe62820_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3728
  • C:\Windows\system32\SystemPropertiesComputerName.exe
    C:\Windows\system32\SystemPropertiesComputerName.exe
    1⤵
      PID:3516
    • C:\Users\Admin\AppData\Local\udxZVqOWF\SystemPropertiesComputerName.exe
      C:\Users\Admin\AppData\Local\udxZVqOWF\SystemPropertiesComputerName.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3168
    • C:\Windows\system32\BitLockerWizard.exe
      C:\Windows\system32\BitLockerWizard.exe
      1⤵
        PID:3716
      • C:\Users\Admin\AppData\Local\Irw\BitLockerWizard.exe
        C:\Users\Admin\AppData\Local\Irw\BitLockerWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2904
      • C:\Windows\system32\SystemPropertiesAdvanced.exe
        C:\Windows\system32\SystemPropertiesAdvanced.exe
        1⤵
          PID:4984
        • C:\Users\Admin\AppData\Local\LXKdH\SystemPropertiesAdvanced.exe
          C:\Users\Admin\AppData\Local\LXKdH\SystemPropertiesAdvanced.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3056

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Irw\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit

        • C:\Users\Admin\AppData\Local\Irw\FVEWIZ.dll
          Filesize

          1.2MB

          MD5

          605dd00ec460a5f8b83cb62bb58bc893

          SHA1

          8a75cf683b6ff1b4ba00168f4cab6c98d8ecec1e

          SHA256

          aa95c58ecb9d81ec9be0cdaefac33fc7a01a3491c9abdb3753e5c563e1091619

          SHA512

          72ffa31ae87f608447212a912e80a7a872fcf937f58425872efa77e7a93d6f045b1f28f8e7a1cd24fa542ff000712dff88fd8266535e7468ccedae67738c2562

          Download Submit

        • C:\Users\Admin\AppData\Local\LXKdH\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          ca97210d04ee01a362a25bfdc7797488

          SHA1

          adfea556f88fe022b2237d59aed9c72e5994f7b2

          SHA256

          8b052f38088397c6e07cd1e42b4de1a3a566acab8b4f7a064418c286d70198f9

          SHA512

          b22bf127ab33d591f39de9b364f3a6f791eae77c05ac7350d545348c9af23da9ad41b5825172a732d65b2387cecefff60ac2b4ab0ba96ad62c0e452cc211f244

          Download Submit

        • C:\Users\Admin\AppData\Local\LXKdH\SystemPropertiesAdvanced.exe
          Filesize

          82KB

          MD5

          fa040b18d2d2061ab38cf4e52e753854

          SHA1

          b1b37124e9afd6c860189ce4d49cebbb2e4c57bc

          SHA256

          c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c

          SHA512

          511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

          Download Submit

        • C:\Users\Admin\AppData\Local\udxZVqOWF\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          f4486167022a87670395973d256d1747

          SHA1

          2132481ca0efae71ab3205bc22858b973a45a61d

          SHA256

          4e108f1eaa8655b3393ce972ac55d9223a19e3bcff976f3f612c4fcb7fae40a9

          SHA512

          a21033b126bc5ad3fcc0e3769a71aa95a7756e469d6c230919f4adc2ce9f39e420ec4054814522f675a2a7bc2b7494280311954c247a875ba56bb39ab6fd3fca

          Download Submit

        • C:\Users\Admin\AppData\Local\udxZVqOWF\SystemPropertiesComputerName.exe
          Filesize

          82KB

          MD5

          6711765f323289f5008a6a2a04b6f264

          SHA1

          d8116fdf73608b4b254ad83c74f2232584d24144

          SHA256

          bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

          SHA512

          438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yfsfrqrlkk.lnk
          Filesize

          1KB

          MD5

          af5b43b1a1b08a23deea9c491d560493

          SHA1

          3c5ce60356b7f202ab16ff92c6cb09ae9fcfa772

          SHA256

          acc6aa7750088cfef90242825523c5aee9976e77e9ac60650abab2ad7836bec6

          SHA512

          500e4d4beb153ed55125beefb1100781746bdbf8b50a579ae8cef134e33de8308dd56b25ef4ca5c3f0f5ff0143acb8d0762b675bfd75bcbd4af3c8454afa2a81

          Download Submit

        • memory/2904-68-0x00007FFCB2EF0000-0x00007FFCB3021000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2904-62-0x0000013196340000-0x0000013196347000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3056-82-0x000001B4F53A0000-0x000001B4F53A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3056-85-0x00007FFCB2EF0000-0x00007FFCB3021000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3168-51-0x00007FFCB2EF0000-0x00007FFCB3021000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3168-46-0x00007FFCB2EF0000-0x00007FFCB3021000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3168-45-0x0000013D68DB0000-0x0000013D68DB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3488-29-0x00007FFCC22B0000-0x00007FFCC22C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3488-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3488-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3488-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3488-6-0x00007FFCC0D3A000-0x00007FFCC0D3B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3488-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3488-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3488-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3488-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3488-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3488-28-0x00000000083E0000-0x00000000083E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3488-4-0x0000000008400000-0x0000000008401000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3488-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3488-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3488-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3488-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3728-0-0x00007FFCB3370000-0x00007FFCB34A0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3728-38-0x00007FFCB3370000-0x00007FFCB34A0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3728-3-0x0000026BAEA40000-0x0000026BAEA47000-memory.dmp

          Filesize

          28KB

          Download