Overview

overview

10

Static

static

3

dbb016d718...18.dll

windows7-x64

10

dbb016d718...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2024 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dbb016d718263e81da2ebf373f3f4f89_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    dbb016d718263e81da2ebf373f3f4f89

  • SHA1

    8e2717cb4a7925963cbbc31ef7601ca42596474a

  • SHA256

    2062fc2f0bab8aafd218ac4a32fe9800beed5f260675fff153d838dd2e4cbe3a

  • SHA512

    5176707394139ab0b29e06db3898b79364e88a6db95be18ac4607346aa241854f5280669810a14d858abf764414eb345b178a2877146ddb100df6b1837dd1fb4

  • SSDEEP

    24576:7VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8R2:7V8hf6STw1ZlQauvzSq01ICe6zvmh

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbb016d718263e81da2ebf373f3f4f89_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:820
  • C:\Windows\system32\wlrmdr.exe
    C:\Windows\system32\wlrmdr.exe
    1⤵
      PID:2548
    • C:\Users\Admin\AppData\Local\FS65Kuo\wlrmdr.exe
      C:\Users\Admin\AppData\Local\FS65Kuo\wlrmdr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4816
    • C:\Windows\system32\wextract.exe
      C:\Windows\system32\wextract.exe
      1⤵
        PID:2280
      • C:\Users\Admin\AppData\Local\23aqSwtC\wextract.exe
        C:\Users\Admin\AppData\Local\23aqSwtC\wextract.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4292
      • C:\Windows\system32\dwm.exe
        C:\Windows\system32\dwm.exe
        1⤵
          PID:1344
        • C:\Users\Admin\AppData\Local\3LZbKaC\dwm.exe
          C:\Users\Admin\AppData\Local\3LZbKaC\dwm.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1584

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\23aqSwtC\VERSION.dll
          Filesize

          1.2MB

          MD5

          f445cbe770db64ecce09ccebc02cbc6d

          SHA1

          b8553cd0cb25f08e00ec552869ae9edc5d2639c9

          SHA256

          ee8798fddb9ef306befeb0868de6096052a8d74fe831804e4c8db91fc1040efb

          SHA512

          fb2ea856904ef7f206ff9a8bc2c24c6916aaf53edc41cdbb889309bb82469cba05d243574f27bbb25f5e180d32673284b45aa01609145f52b85176e2d84f20f0

          Download Submit

        • C:\Users\Admin\AppData\Local\23aqSwtC\wextract.exe
          Filesize

          143KB

          MD5

          56e501e3e49cfde55eb1caabe6913e45

          SHA1

          ab2399cbf17dbee7b302bea49e40d4cee7caea76

          SHA256

          fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

          SHA512

          2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

          Download Submit

        • C:\Users\Admin\AppData\Local\3LZbKaC\dwm.exe
          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

          Download Submit

        • C:\Users\Admin\AppData\Local\3LZbKaC\dxgi.dll
          Filesize

          1.2MB

          MD5

          89b51b6447d507889e4fcd60e8a641e2

          SHA1

          9da3fae8e9d72a9c7e0b3c9fbe03c4cf37e6b630

          SHA256

          c7b72ca64d998c2a35e695a0138529128588e4b5a7e25401ca9fec9c66e8aaec

          SHA512

          af1649c983c7c686e84629de7aa6b0f95c14a022fc6eaa421adbd132772d1f99e1713e009845a2aac2b886595e6c261375ea4a1bbdc116b948d346e1dcd8b2db

          Download Submit

        • C:\Users\Admin\AppData\Local\FS65Kuo\DUI70.dll
          Filesize

          1.4MB

          MD5

          b325574aa5cc52e557d083cecfd470ba

          SHA1

          17214fb768a22026b21a032782f0fb27b97db9b1

          SHA256

          0151f717210511e234ce0bbb59cfc463a48b3b6079534cb7516ae3986019bf93

          SHA512

          6e0a9829448e0727c4afe8864c9c6bb216c7a962e99abadf1dfb970830aba471477a79a1089bd6f4a4243c8745f8d4c68ea9fd89172d492f307dafb6fdfef0cf

          Download Submit

        • C:\Users\Admin\AppData\Local\FS65Kuo\wlrmdr.exe
          Filesize

          66KB

          MD5

          ef9bba7a637a11b224a90bf90a8943ac

          SHA1

          4747ec6efd2d41e049159249c2d888189bb33d1d

          SHA256

          2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

          SHA512

          4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk
          Filesize

          1KB

          MD5

          4bfb7bdfa0bb6b36fee5756fae2a832e

          SHA1

          cf59ef144995731077500b217f859b60e5d3228e

          SHA256

          eac203b28710e24fdffe49083ee676eea73e9a8792b9cc60134b1850ae19e9e9

          SHA512

          56d1001e568628a2e4f7ec297417207543650b7053679163a9717910194eaf111494ed15a13ac25add9d6b233c136bc9282e053a458e02f30ae8d5fbc5aaf22c

          Download Submit

        • memory/820-0-0x00000285C0A40000-0x00000285C0A47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/820-2-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/820-37-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1584-84-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3452-8-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3452-28-0x00007FFFFA230000-0x00007FFFFA240000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3452-9-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3452-11-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3452-23-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3452-12-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3452-27-0x0000000007C00000-0x0000000007C07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3452-13-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3452-4-0x0000000007C40000-0x0000000007C41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-5-0x00007FFFF8B6A000-0x00007FFFF8B6B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-7-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3452-34-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3452-14-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3452-10-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4292-61-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4292-67-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4292-64-0x00000222C8B20000-0x00000222C8B27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4816-50-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4816-44-0x0000000140000000-0x0000000140175000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4816-47-0x0000020A38CE0000-0x0000020A38CE7000-memory.dmp

          Filesize

          28KB

          Download