Overview

overview

10

Static

static

3

e11bf282fd...18.dll

windows7-x64

10

e11bf282fd...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-09-2024 21:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e11bf282fd9be970031baf9797a1379a_JaffaCakes118.dll

  • Size

    991KB

  • MD5

    e11bf282fd9be970031baf9797a1379a

  • SHA1

    1f7d6162e6ded5db6199dfb1274c2849a0a48657

  • SHA256

    32e5d40ccc266ccfb480fce21f10220a42dcf29b437685b9355b013aa4df6e05

  • SHA512

    886a68d0ad35357c25dd0511d8a9b84eb06a46a499b7e6c28ab4a5300f0c31ae4a598456b6e49648db1b01beaaf76730536336a35f675d134af71ed1723e263b

  • SSDEEP

    24576:hVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:hV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e11bf282fd9be970031baf9797a1379a_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4328
  • C:\Windows\system32\PresentationSettings.exe
    C:\Windows\system32\PresentationSettings.exe
    1⤵
      PID:3628
    • C:\Users\Admin\AppData\Local\mGloKwob\PresentationSettings.exe
      C:\Users\Admin\AppData\Local\mGloKwob\PresentationSettings.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1896
    • C:\Windows\system32\CloudNotifications.exe
      C:\Windows\system32\CloudNotifications.exe
      1⤵
        PID:3120
      • C:\Users\Admin\AppData\Local\qxoc\CloudNotifications.exe
        C:\Users\Admin\AppData\Local\qxoc\CloudNotifications.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5028
      • C:\Windows\system32\SystemPropertiesPerformance.exe
        C:\Windows\system32\SystemPropertiesPerformance.exe
        1⤵
          PID:1740
        • C:\Users\Admin\AppData\Local\IJrG4F1W\SystemPropertiesPerformance.exe
          C:\Users\Admin\AppData\Local\IJrG4F1W\SystemPropertiesPerformance.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:536

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IJrG4F1W\SYSDM.CPL
          Filesize

          991KB

          MD5

          17ae2f6b0ec1f088655a87204eaf56e3

          SHA1

          80fb51a92636cf82b2395f11f8a716c820eb65f7

          SHA256

          7b6ebd8675fdc9b158d2758a67f4ac748b40f13e4a013b3c3c80777160b90dc3

          SHA512

          1bf6a0b174342021e88a8908e6ed16f9d719b0e87fc5311435c4ddb0ce48b351ef7ef3eab25076ac25317601c049a8ec386147d1524630f5699b0fa8ed142b7e

          Download Submit

        • C:\Users\Admin\AppData\Local\IJrG4F1W\SystemPropertiesPerformance.exe
          Filesize

          82KB

          MD5

          e4fbf7cab8669c7c9cef92205d2f2ffc

          SHA1

          adbfa782b7998720fa85678cc85863b961975e28

          SHA256

          b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

          SHA512

          c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

          Download Submit

        • C:\Users\Admin\AppData\Local\mGloKwob\PresentationSettings.exe
          Filesize

          219KB

          MD5

          790799a168c41689849310f6c15f98fa

          SHA1

          a5d213fc1c71a56de9441b2e35411d83770c01ec

          SHA256

          6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

          SHA512

          8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

          Download Submit

        • C:\Users\Admin\AppData\Local\mGloKwob\WINMM.dll
          Filesize

          996KB

          MD5

          a2aa1d5e23808d93c4c28307816363ea

          SHA1

          e2ecc5b0afb671c06e066f4f379fcb9a2a2025d0

          SHA256

          01c35f6521d953af88f1742044b2eff0110df62cac6ed47aa4aec184e9774817

          SHA512

          006b093cc6148455c06398754746a7fd8a461cf63c01804afb1c1a487e8fcd0da29ebc712af96c1864d8e89484696ecd78e0696c7d576ea860908ea27d3f8133

          Download Submit

        • C:\Users\Admin\AppData\Local\qxoc\CloudNotifications.exe
          Filesize

          59KB

          MD5

          b50dca49bc77046b6f480db6444c3d06

          SHA1

          cc9b38240b0335b1763badcceac37aa9ce547f9e

          SHA256

          96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

          SHA512

          2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

          Download Submit

        • C:\Users\Admin\AppData\Local\qxoc\UxTheme.dll
          Filesize

          994KB

          MD5

          2954c93bef56704436d5e2be7d6a6489

          SHA1

          6dba178c3ba95727b2de6a39f815b9f851b6cfee

          SHA256

          6e87c0a2fa88bd7c1dac3890aca9fb91021d83318f6a37ef5c64404df536ac2b

          SHA512

          567445a78203ca8da3bc33a993e0fde80c22c537ad28a66775b49bfca237674229928dde224be629819ae6e743211c877bab3836bc672ff0649a6f05c141e1f5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ahvhgxnkgdxqlh.lnk
          Filesize

          1KB

          MD5

          47754e8d7b3618548d1713f2b76cd653

          SHA1

          f376b4cd20e59cabbbc8b490248db8f0ee3cac87

          SHA256

          5205705bc5afe50eb4b4c33ba646dea0478007d56001c62ce50b89daed0a9f16

          SHA512

          0501dd24530f51649f122aca379fed86257ce139950c36ff503b83cb77273c1ccfd97d1dcec3e4d37bca87d6723da0305c0e3d54ad1a47b5eef120edc5c55976

          Download Submit

        • memory/536-84-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/536-81-0x000001FA78E70000-0x000001FA78E77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1896-50-0x0000000140000000-0x00000001400FE000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/1896-45-0x0000000140000000-0x00000001400FE000-memory.dmp

          Filesize

          1016KB

          Download

        • memory/1896-44-0x00000169BB280000-0x00000169BB287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3404-23-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-24-0x0000000007450000-0x0000000007457000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3404-9-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-8-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-11-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-12-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-14-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-10-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-34-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-25-0x00007FFCCF2F0000-0x00007FFCCF300000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3404-13-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-7-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3404-5-0x00007FFCCE8EA000-0x00007FFCCE8EB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-4-0x0000000007D40000-0x0000000007D41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4328-37-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/4328-1-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/4328-0-0x000002CFC22B0000-0x000002CFC22B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5028-67-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/5028-64-0x00000216B47D0000-0x00000216B47D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5028-61-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download