Overview

overview

10

Static

static

3

d97f80ce2a...18.dll

windows7-x64

10

d97f80ce2a...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-09-2024 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d97f80ce2a0f7b494b57d1cbb0540816_JaffaCakes118.dll

  • Size

    988KB

  • MD5

    d97f80ce2a0f7b494b57d1cbb0540816

  • SHA1

    977f98ba04fb23584f8da01712f1bbc6c0737c3c

  • SHA256

    838304ff62d092eadc72ce5443f3e1a93cd10520de99a9bc9cd04376c205505c

  • SHA512

    e246b2d4d92262d6dfecbd755781b1655f816d2913ad1998491fb3062081adc400c4bcde7bcdb78c917ed7e5b0b97daf0769d56b1d414c90234f90372f58663f

  • SSDEEP

    24576:LVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:LV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d97f80ce2a0f7b494b57d1cbb0540816_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2512
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    1⤵
      PID:3392
    • C:\Users\Admin\AppData\Local\2C1Ffd6\BdeUISrv.exe
      C:\Users\Admin\AppData\Local\2C1Ffd6\BdeUISrv.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:384
    • C:\Windows\system32\MoUsoCoreWorker.exe
      C:\Windows\system32\MoUsoCoreWorker.exe
      1⤵
        PID:4256
      • C:\Users\Admin\AppData\Local\qxsH\MoUsoCoreWorker.exe
        C:\Users\Admin\AppData\Local\qxsH\MoUsoCoreWorker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1240
      • C:\Windows\system32\BdeUISrv.exe
        C:\Windows\system32\BdeUISrv.exe
        1⤵
          PID:3980
        • C:\Users\Admin\AppData\Local\6fywtC\BdeUISrv.exe
          C:\Users\Admin\AppData\Local\6fywtC\BdeUISrv.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2676

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2C1Ffd6\BdeUISrv.exe
          Filesize

          54KB

          MD5

          8595075667ff2c9a9f9e2eebc62d8f53

          SHA1

          c48b54e571f05d4e21d015bb3926c2129f19191a

          SHA256

          20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

          SHA512

          080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

          Download Submit

        • C:\Users\Admin\AppData\Local\2C1Ffd6\WTSAPI32.dll
          Filesize

          990KB

          MD5

          20b13c8cf0209db6cba55806b16e2d0a

          SHA1

          d54ede2750354f6d4ac08ef012beee4fd19584ae

          SHA256

          7c0634b84ba0ccd1d42a6622a1a4e6bb332863a715cb5dcc8156553e711ff459

          SHA512

          61519902f41c511fad81555ed7ae9b0e22e5807d55b14da1a58909a1a6d0e0b2f00d1da32f4ae6ef43c1c681e03b6ad0fa8ca55fc027ea228cd834bf49e6ceac

          Download Submit

        • C:\Users\Admin\AppData\Local\6fywtC\WTSAPI32.dll
          Filesize

          990KB

          MD5

          efce20a990d9383b42e156286d35e83b

          SHA1

          8a2ca333b9b939d2608f719e3bbdf4b00a13a4d1

          SHA256

          f7a7d00dda62e26ebee32a950f104bb6ef1ab94a270364cd0f598170186ecb20

          SHA512

          5d2ae9b3ee33b12fd5c90759c493782a688821402fb6ad696d5f39f9a9c7f5b6bf77dcac6eda9ea56f4448f99af5225ffa2836bcf77b546a751c5aaa27f51c26

          Download Submit

        • C:\Users\Admin\AppData\Local\qxsH\MoUsoCoreWorker.exe
          Filesize

          1.6MB

          MD5

          47c6b45ff22b73caf40bb29392386ce3

          SHA1

          7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

          SHA256

          cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

          SHA512

          c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

          Download Submit

        • C:\Users\Admin\AppData\Local\qxsH\XmlLite.dll
          Filesize

          988KB

          MD5

          5649f63fc0c0dfe5a1c55f2b61beb0bf

          SHA1

          b6dfca32df2966baf26ef421dbd6ffc60a84567c

          SHA256

          5ed923b8b46482560591990626fa9b0b8fb7dfe5bf483677c61db4def26a507d

          SHA512

          e53ade9c82df735cb53a2ed4ff8df2b7e9a53d67a59456b05e4a3b67ae9007beac596fe5157f9d6f22e7cd7e24091bb1c6502b38036f46bb9b29e037d3e24263

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk
          Filesize

          1KB

          MD5

          5f6c42e4c2a07434b0c9b7fc9b8161de

          SHA1

          0291c2190366eb84a00bcf22b0a466e13879604f

          SHA256

          a7c027c83d4bdacb4a29186f510fd578b3cb598ff831bdaee84a957a71f81e98

          SHA512

          ed054ec1686642a81986656eec3ef3fa2eebf49ea8346b5628cc22d77a36494cc53e93c82536dfac8e6b0fe0803d8c0b7a8dd77af839c26a795180426c598cd0

          Download Submit

        • memory/384-43-0x0000017149320000-0x0000017149327000-memory.dmp

          Filesize

          28KB

          Download

        • memory/384-44-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/384-49-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/1240-63-0x000002557DAA0000-0x000002557DAA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1240-66-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/2512-37-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/2512-0-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/2512-3-0x00007FFA16760000-0x00007FFA16782000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2676-77-0x000001DAA4990000-0x000001DAA4997000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2676-83-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/3440-34-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3440-8-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3440-9-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3440-10-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3440-11-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3440-12-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3440-14-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3440-24-0x0000000005680000-0x0000000005687000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3440-25-0x00007FFA18BF0000-0x00007FFA18C00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3440-23-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3440-13-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3440-7-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3440-4-0x0000000008AA0000-0x0000000008AA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-6-0x00007FFA17F5A000-0x00007FFA17F5B000-memory.dmp

          Filesize

          4KB

          Download