Overview

overview

10

Static

static

3

dd4291c04d...18.dll

windows7-x64

10

dd4291c04d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2024 23:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd4291c04dcea049af1211bed4fbff12_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    dd4291c04dcea049af1211bed4fbff12

  • SHA1

    99c7c1882b1adbdca93d40b6d1bb670abe21cec0

  • SHA256

    16e713fc83ba72915d16505d5350d1ecc99f13b3cf71b714da0471a8272ce5b5

  • SHA512

    db7107eddb7b2291f936c3bbb3cf7a40239b6b4a041abad9707b5b0479bf6aa58d40be60647c01bd8ba05f8a7128f1d635cdaf8ebda70423e96a77f534a38339

  • SSDEEP

    24576:ruYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N0:19cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd4291c04dcea049af1211bed4fbff12_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4708
  • C:\Windows\system32\EaseOfAccessDialog.exe
    C:\Windows\system32\EaseOfAccessDialog.exe
    1⤵
      PID:1260
    • C:\Users\Admin\AppData\Local\TCV\EaseOfAccessDialog.exe
      C:\Users\Admin\AppData\Local\TCV\EaseOfAccessDialog.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4992
    • C:\Windows\system32\MoUsoCoreWorker.exe
      C:\Windows\system32\MoUsoCoreWorker.exe
      1⤵
        PID:552
      • C:\Users\Admin\AppData\Local\Gb45eiWb\MoUsoCoreWorker.exe
        C:\Users\Admin\AppData\Local\Gb45eiWb\MoUsoCoreWorker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1176
      • C:\Windows\system32\tabcal.exe
        C:\Windows\system32\tabcal.exe
        1⤵
          PID:4892
        • C:\Users\Admin\AppData\Local\5SOzJxWnT\tabcal.exe
          C:\Users\Admin\AppData\Local\5SOzJxWnT\tabcal.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4588

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\5SOzJxWnT\HID.DLL
          Filesize

          1.2MB

          MD5

          527e1910b0c2e6113d50404ffa6872b2

          SHA1

          76842967bb1d704a2ef1c622c4db80f4880f1a68

          SHA256

          e6634b64c91cd428967ce96766529130dcad14cdc8f228a8179595f654637889

          SHA512

          8673b218b18fbe27d61c80a297ffd79923972ef8cec246a9a89d34117c1a43d97ad0ed432a826d0c616968a2c7cd6ede3f6ac8a468d26df13c7a2d4cfb83b6ca

          Download Submit

        • C:\Users\Admin\AppData\Local\5SOzJxWnT\tabcal.exe
          Filesize

          84KB

          MD5

          40f4014416ff0cbf92a9509f67a69754

          SHA1

          1798ff7324724a32c810e2075b11c09b41e4fede

          SHA256

          f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

          SHA512

          646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

          Download Submit

        • C:\Users\Admin\AppData\Local\Gb45eiWb\MoUsoCoreWorker.exe
          Filesize

          1.6MB

          MD5

          47c6b45ff22b73caf40bb29392386ce3

          SHA1

          7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

          SHA256

          cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

          SHA512

          c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

          Download Submit

        • C:\Users\Admin\AppData\Local\Gb45eiWb\XmlLite.dll
          Filesize

          1.2MB

          MD5

          199cb206a998e7a8581ffb078817d4a5

          SHA1

          040042a6004fa1db3896e0c0ef8b402b33d94c26

          SHA256

          10672581f33f3650ff408eb7b56dcc4204e18b5d49b0fad47e77ff2df1189afb

          SHA512

          84776427be4aeebe9396f6b15b3ac5d9ac0b5ddcfa306a6cea647ff9c1c4751d86519991616defd19de1ceaa1051b194b1fc7a2e8f96724825670ae800184bb0

          Download Submit

        • C:\Users\Admin\AppData\Local\TCV\EaseOfAccessDialog.exe
          Filesize

          123KB

          MD5

          e75ee992c1041341f709a517c8723c87

          SHA1

          471021260055eac0021f0abffa2d0ba77a2f380e

          SHA256

          0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

          SHA512

          48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

          Download Submit

        • C:\Users\Admin\AppData\Local\TCV\OLEACC.dll
          Filesize

          1.2MB

          MD5

          576bed2f0efe7c0d2857ba1487829643

          SHA1

          93797a74ab86135ea2a0db6569f3c1c9ae9f1327

          SHA256

          0910bd44b9728ac4e59c8b2bad89a170af666dd64b727838632e247bd1d5eb9f

          SHA512

          9d574eb05a779435ad076e70a846252c07cf786580ab6c88d008e83e4dd4977f8de79504a627d1c6d42248f719a15f1690fa3d99110441bc2364802bf190308b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk
          Filesize

          1KB

          MD5

          262fffd570ec6bfb9d84053fa081efed

          SHA1

          7addb3fa2daf1804c056aa6fdd0307b7b33c7d8c

          SHA256

          3b4bae96f2549969245574267272ac7a89cec55d0f933f5c022cff88ae9755d6

          SHA512

          9db63fd1e4b79ebaf3b15f00dda740b21c41e0ce7b04d23115469cc9440d5d79fb91bd5e7b357f4cf4014700bd2e7b08339949613816904c0772bb75627862b8

          Download Submit

        • memory/1176-68-0x00007FFA8CF10000-0x00007FFA8D041000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1176-63-0x00007FFA8CF10000-0x00007FFA8D041000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1176-62-0x000001A8AEAD0000-0x000001A8AEAD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3384-27-0x0000000008560000-0x0000000008567000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3384-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3384-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3384-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3384-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3384-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3384-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3384-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3384-6-0x00007FFAA9F7A000-0x00007FFAA9F7B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3384-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3384-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3384-4-0x0000000008580000-0x0000000008581000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3384-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3384-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3384-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3384-29-0x00007FFAAA6F0000-0x00007FFAAA700000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4588-79-0x000001A25AD00000-0x000001A25AD07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4588-85-0x00007FFA8CF10000-0x00007FFA8D041000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4708-0-0x00007FFA9B6A0000-0x00007FFA9B7D0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4708-38-0x00007FFA9B6A0000-0x00007FFA9B7D0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4708-3-0x0000027DDE840000-0x0000027DDE847000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4992-51-0x00007FFA8BD00000-0x00007FFA8BE31000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4992-45-0x00007FFA8BD00000-0x00007FFA8BE31000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4992-48-0x000001F332D00000-0x000001F332D07000-memory.dmp

          Filesize

          28KB

          Download