Overview

overview

10

Static

static

3

e157bb91f2...18.dll

windows7-x64

10

e157bb91f2...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2024 00:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e157bb91f2fe1d353eb5416732647237_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    e157bb91f2fe1d353eb5416732647237

  • SHA1

    89e00be7c80f2e9a47d4d40c578163dfb13da2ed

  • SHA256

    07467eba6149f24096c0c3e26ac1cdeac1fe9757de8eef09f7083561c56e3557

  • SHA512

    58f7e5943ce2110cf4cdaa3a5d28d3c60a4d28d0b0125ccd88f3ef0579c9fde66402921c4a5f5906426ba0614a4887b83fae04b1b4edc8b48f1a5273edf6398d

  • SSDEEP

    24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NB:F9cKrUqZWLAcUZ

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e157bb91f2fe1d353eb5416732647237_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4928
  • C:\Windows\system32\rdpinput.exe
    C:\Windows\system32\rdpinput.exe
    1⤵
      PID:4812
    • C:\Users\Admin\AppData\Local\v37ZBJu0s\rdpinput.exe
      C:\Users\Admin\AppData\Local\v37ZBJu0s\rdpinput.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3660
    • C:\Windows\system32\MoUsoCoreWorker.exe
      C:\Windows\system32\MoUsoCoreWorker.exe
      1⤵
        PID:4136
      • C:\Users\Admin\AppData\Local\IMLXs6\MoUsoCoreWorker.exe
        C:\Users\Admin\AppData\Local\IMLXs6\MoUsoCoreWorker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3736
      • C:\Windows\system32\BitLockerWizard.exe
        C:\Windows\system32\BitLockerWizard.exe
        1⤵
          PID:2744
        • C:\Users\Admin\AppData\Local\iFnR\BitLockerWizard.exe
          C:\Users\Admin\AppData\Local\iFnR\BitLockerWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3264

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IMLXs6\MoUsoCoreWorker.exe
          Filesize

          1.6MB

          MD5

          47c6b45ff22b73caf40bb29392386ce3

          SHA1

          7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

          SHA256

          cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

          SHA512

          c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

          Download Submit

        • C:\Users\Admin\AppData\Local\IMLXs6\XmlLite.dll
          Filesize

          1.2MB

          MD5

          cc1ab8b54428a47bbaecd327eb7d60f5

          SHA1

          07cd0d2115242a6da007c4f6c3c385b8507100ae

          SHA256

          8708806a9b31bf6dbd77b28c22cc983520d6e299820aaeaf949e0ae71284d791

          SHA512

          cce1fcaf41a9f4df5630ea4cf4cc85ddf197d459333199505bbf5463926c709fc16460a6d52b8c97a280c59f6fae391b05791e09f3d5a2c5a7c94a52c4ea054c

          Download Submit

        • C:\Users\Admin\AppData\Local\iFnR\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit

        • C:\Users\Admin\AppData\Local\iFnR\FVEWIZ.dll
          Filesize

          1.2MB

          MD5

          82b011d5aa4040fcca6cd2d3004c318f

          SHA1

          87a83eda8b32103a23c9b32593c2e39eccfbf80f

          SHA256

          28a09bc7e4f5afa018e023888f2bfc1e9c5bf875074c95441d21f889ecba1223

          SHA512

          7853e89851cbb4d788385aa0ded6e15665ffd2dafbd7730a32180c2a765d06389f80663269d7f51d1b2691d6d0292b8ca96d031194fee1f098259f6e096f51ca

          Download Submit

        • C:\Users\Admin\AppData\Local\v37ZBJu0s\WINSTA.dll
          Filesize

          1.2MB

          MD5

          29f9ee24be9d1478efe67bfb2b0d7429

          SHA1

          74ac80e8a4bd0ecfdf5cf7d331797be04cf52289

          SHA256

          bec0b281ceef394d4b22e167d45341b3db942414cdd279411786ed468b4d47b2

          SHA512

          58df4631600a4bcf47596bbc99f7c74815c26bdbf24228ee6882391fa9dc49793b74aa10b5cb60c4c648a129780d4c60c09186222541318bb82830d1a24d396b

          Download Submit

        • C:\Users\Admin\AppData\Local\v37ZBJu0s\rdpinput.exe
          Filesize

          180KB

          MD5

          bd99eeca92869f9a3084d689f335c734

          SHA1

          a2839f6038ea50a4456cd5c2a3ea003e7b77688c

          SHA256

          39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

          SHA512

          355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Sfbjsepzltomqmf.lnk
          Filesize

          1KB

          MD5

          369811f40f5dfecef9f16f1894e21a11

          SHA1

          ce232b3d4915c416fdf6a4fee33355f49d497ecd

          SHA256

          047add137c56839657ce235fc6b01ea43ae65d2e16589f46626fc54e188c146e

          SHA512

          8686d86b1eaf42f3ad63aef0f5f34c691ab1bba9d8a783dd79757fd76834947fea6e78951832ebc473a1b6b5ad9dfa71a630da44fdf0a0ce11ddd29a8a295ef6

          Download Submit

        • memory/3264-85-0x00007FFF42D60000-0x00007FFF42E91000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3264-82-0x00000266ECFD0000-0x00000266ECFD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3428-27-0x0000000002870000-0x0000000002877000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3428-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3428-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3428-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3428-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3428-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3428-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3428-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3428-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3428-6-0x00007FFF5F72A000-0x00007FFF5F72B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3428-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3428-4-0x0000000002890000-0x0000000002891000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3428-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3428-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3428-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3428-28-0x00007FFF60970000-0x00007FFF60980000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3660-46-0x00007FFF42D60000-0x00007FFF42E92000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3660-51-0x00007FFF42D60000-0x00007FFF42E92000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3660-45-0x00000203F3F20000-0x00000203F3F27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3736-62-0x00007FFF42D60000-0x00007FFF42E91000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3736-65-0x00000146D1E90000-0x00000146D1E97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3736-68-0x00007FFF42D60000-0x00007FFF42E91000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4928-0-0x00007FFF514A0000-0x00007FFF515D0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4928-38-0x00007FFF514A0000-0x00007FFF515D0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4928-3-0x00000298248F0000-0x00000298248F7000-memory.dmp

          Filesize

          28KB

          Download