Overview

overview

10

Static

static

3

e090a110c9...18.dll

windows7-x64

10

e090a110c9...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-09-2024 16:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e090a110c92fd8946f94056dba3191a0_JaffaCakes118.dll

  • Size

    1.4MB

  • MD5

    e090a110c92fd8946f94056dba3191a0

  • SHA1

    e4d9a011c12ba06f3afbdad94c6d65459f98d479

  • SHA256

    9b35e8390d3620e3c5a99040ea4c5ad6e3ec02a165b5cf788ceec7f31a68a4a0

  • SHA512

    15c822a0530564d4c16d11428d5f3afe260881b4e7db6225b650b71ed20f20629c13e4edf7fd5cf806951b7c7a9a7afee680fbdcda3b5e477b8f078ff7b1308b

  • SSDEEP

    24576:CuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:K9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e090a110c92fd8946f94056dba3191a0_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:220
  • C:\Windows\system32\MusNotificationUx.exe
    C:\Windows\system32\MusNotificationUx.exe
    1⤵
      PID:4768
    • C:\Users\Admin\AppData\Local\0QBKbgfiv\MusNotificationUx.exe
      C:\Users\Admin\AppData\Local\0QBKbgfiv\MusNotificationUx.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2148
    • C:\Windows\system32\RecoveryDrive.exe
      C:\Windows\system32\RecoveryDrive.exe
      1⤵
        PID:684
      • C:\Users\Admin\AppData\Local\6so\RecoveryDrive.exe
        C:\Users\Admin\AppData\Local\6so\RecoveryDrive.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1688
      • C:\Windows\system32\DevicePairingWizard.exe
        C:\Windows\system32\DevicePairingWizard.exe
        1⤵
          PID:5048
        • C:\Users\Admin\AppData\Local\g0qdic\DevicePairingWizard.exe
          C:\Users\Admin\AppData\Local\g0qdic\DevicePairingWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4552

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0QBKbgfiv\MusNotificationUx.exe
          Filesize

          615KB

          MD5

          869a214114a81712199f3de5d69d9aad

          SHA1

          be973e4188eff0d53fdf0e9360106e8ad946d89f

          SHA256

          405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

          SHA512

          befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

          Download Submit

        • C:\Users\Admin\AppData\Local\0QBKbgfiv\XmlLite.dll
          Filesize

          1.4MB

          MD5

          032c4e6e643e0200a8b910d90ad03454

          SHA1

          d0a3bdf5e47a5fafa63a08507ba46dcbd219bb46

          SHA256

          64cc8c59d9957560d5d3615561f10bc9d9885b2a130338e00b8bde91967162d1

          SHA512

          12d73378880fb7e8165965cc892bac01273c8da29a30e885439d86dd4a8c436ddca43dd05f6d2e2c81a2327facbf92585b9dccd8e8a83f7119d098d24678b343

          Download Submit

        • C:\Users\Admin\AppData\Local\6so\ReAgent.dll
          Filesize

          1.4MB

          MD5

          0cc2873c2d076ee18c3925fd7fec0186

          SHA1

          6afdb70d8f35dad259a86271eec2b3f52305fe21

          SHA256

          4fdafb78a8c2def866e2b80f48515f76afb7a396b55bcc4e1faa179e5122ae7d

          SHA512

          f377291dbd14bb1a06b7e326c2a013ad4bcffd0a3fcb0c8f4efecc271919936a1ce2e2eb87c8db9bf2f891d14926db62fd7d5e9288c4066349eef1c8878b9a01

          Download Submit

        • C:\Users\Admin\AppData\Local\6so\RecoveryDrive.exe
          Filesize

          911KB

          MD5

          b9b3dc6f2eb89e41ff27400952602c74

          SHA1

          24ae07e0db3ace0809d08bbd039db3a9d533e81b

          SHA256

          630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

          SHA512

          7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

          Download Submit

        • C:\Users\Admin\AppData\Local\g0qdic\DevicePairingWizard.exe
          Filesize

          93KB

          MD5

          d0e40a5a0c7dad2d6e5040d7fbc37533

          SHA1

          b0eabbd37a97a1abcd90bd56394f5c45585699eb

          SHA256

          2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

          SHA512

          1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

          Download Submit

        • C:\Users\Admin\AppData\Local\g0qdic\MFC42u.dll
          Filesize

          1.4MB

          MD5

          ef98cb5c2a81cf425e648672498fd736

          SHA1

          6a09457c1c08519786babc94a716820920203124

          SHA256

          2991a3625093aac85c795eb31a66edfabfd3d18d75f0ba0f10ad8e5afda37be3

          SHA512

          f9e1763a7d9da96e14a8680b6d3fcca92075b269b04758215066d6d913663ba52f49c1323779c360442f86ebd6fbc6ea386705ee978b47f1eb60992be2625375

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk
          Filesize

          1KB

          MD5

          860d6f6e5de8b6484d6517c73ede3892

          SHA1

          1ebdd77d25926790b8c7fb1d06b45b583b23d4e2

          SHA256

          558ee04fb9ebd12b46df2a9429328d6daa6a500f239faf9180c3df6d40e4fd50

          SHA512

          52aef3187d110e16660246d9538e1027b5f3fd1a29caa9663de76f6e9c1dd3e7803549fe9d7decd019a1d84d5a21d07e2096f49830512821c9f803b8a1b050ec

          Download Submit

        • memory/220-41-0x00007FF9E2BF0000-0x00007FF9E2D5E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/220-3-0x000001E913B10000-0x000001E913B17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/220-1-0x00007FF9E2BF0000-0x00007FF9E2D5E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1688-71-0x00007FF9D2970000-0x00007FF9D2ADF000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1688-65-0x00007FF9D2970000-0x00007FF9D2ADF000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1688-68-0x000001EDFB8E0000-0x000001EDFB8E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2148-54-0x00007FF9D2A30000-0x00007FF9D2B9F000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2148-49-0x00007FF9D2A30000-0x00007FF9D2B9F000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2148-48-0x0000021F43E70000-0x0000021F43E77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3464-36-0x0000000006C40000-0x0000000006C47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3464-19-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-9-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-8-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-7-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-11-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-13-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-15-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-16-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-14-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-18-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-10-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-37-0x00007FF9F1450000-0x00007FF9F1460000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3464-38-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-27-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-17-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-12-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3464-6-0x00007FF9EF9FA000-0x00007FF9EF9FB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-4-0x0000000006C60000-0x0000000006C61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4552-82-0x00007FF9D2A20000-0x00007FF9D2B95000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4552-88-0x00007FF9D2A20000-0x00007FF9D2B95000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4552-85-0x000001F7BED30000-0x000001F7BED37000-memory.dmp

          Filesize

          28KB

          Download