Overview

overview

10

Static

static

3

e197f60b0d...18.dll

windows7-x64

10

e197f60b0d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2024 03:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e197f60b0db3189f6af916cf489f6cb3_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    e197f60b0db3189f6af916cf489f6cb3

  • SHA1

    f1679a5453809d4cf2de3ea04e5cdf3aab48a0ee

  • SHA256

    2556434fa80ac79faa55812f479fd1e14d0b7297d379f6935073bd5c6e25f693

  • SHA512

    cf709ff4cd7671fd69d7bea310269ff44f031c5cd98fae96bc1835716d3911ab03477e7945da13083dd905e9e385f43df2d0fad56db870f0fa75b3bf58e08fce

  • SSDEEP

    24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e197f60b0db3189f6af916cf489f6cb3_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4560
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4376,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
    1⤵
      PID:2228
    • C:\Windows\system32\bdechangepin.exe
      C:\Windows\system32\bdechangepin.exe
      1⤵
        PID:3552
      • C:\Users\Admin\AppData\Local\NhG\bdechangepin.exe
        C:\Users\Admin\AppData\Local\NhG\bdechangepin.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3844
      • C:\Windows\system32\sdclt.exe
        C:\Windows\system32\sdclt.exe
        1⤵
          PID:2276
        • C:\Users\Admin\AppData\Local\bwB9jUZm\sdclt.exe
          C:\Users\Admin\AppData\Local\bwB9jUZm\sdclt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:112
        • C:\Windows\system32\sdclt.exe
          C:\Windows\system32\sdclt.exe
          1⤵
            PID:4504
          • C:\Users\Admin\AppData\Local\nCsPGTfgZ\sdclt.exe
            C:\Users\Admin\AppData\Local\nCsPGTfgZ\sdclt.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:1424

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\NhG\DUI70.dll
            Filesize

            1.4MB

            MD5

            c3c6e1184c0ef209e8bb8785dc0fab62

            SHA1

            d680a97443583ff3160016e3858e2ca019d574de

            SHA256

            a88a07961f535165a2aab1eb1b107538126afa55542c155ec83afd547e017ad9

            SHA512

            b59bacc168ed36beefe4c4c13c82fc0f80e6f606199ecad97ef38a5d9cc121db6cbf7fb677917a3d1bc5259bd1f7161e6b73d140cef01d43227f1ca27c317aeb

            Download Submit

          • C:\Users\Admin\AppData\Local\NhG\bdechangepin.exe
            Filesize

            373KB

            MD5

            601a28eb2d845d729ddd7330cbae6fd6

            SHA1

            5cf9f6f9135c903d42a7756c638333db8621e642

            SHA256

            4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

            SHA512

            1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

            Download Submit

          • C:\Users\Admin\AppData\Local\bwB9jUZm\SPP.dll
            Filesize

            1.2MB

            MD5

            3081a4c282e99fd41240ed6a6f221d10

            SHA1

            610f2e642d35b97d9154d17da0ce90778b4f3a7f

            SHA256

            77ece80e69a022947a5625e2fa960c7c439d37d736fd1f3d95f13dbbc7b17fdd

            SHA512

            9070d70ef519bcec7e213fa760e1d023da9e739dc9fba3c13a25c4f3fb368dd83e7d91dfa22d2faf2d79e5914729bd622c650ffc9d0526f928dce9f57598a33f

            Download Submit

          • C:\Users\Admin\AppData\Local\bwB9jUZm\sdclt.exe
            Filesize

            1.2MB

            MD5

            e09d48f225e7abcab14ebd3b8a9668ec

            SHA1

            1c5b9322b51c09a407d182df481609f7cb8c425d

            SHA256

            efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

            SHA512

            384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

            Download Submit

          • C:\Users\Admin\AppData\Local\nCsPGTfgZ\SPP.dll
            Filesize

            1.2MB

            MD5

            cc6a69f662cc91920dd3c95d905414aa

            SHA1

            c78655a807e7f9aea1350aa1df77faded20f2e20

            SHA256

            2598a60a7721514ab8ed0a7310391b47222390a1eaa80a0bb640176783bcd833

            SHA512

            5f779067aa8d74a4191631aaae4c2a395ca86227c1a9bf52a5b86356f1d182c3a4c85e7e041d6862b7e9c6d0ce29b12a3347e7a621d7b7cd9d2624e01f5a5223

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Jmybglakcar.lnk
            Filesize

            974B

            MD5

            3b03c19b701f5c741e41f8e946797cd1

            SHA1

            c9ec3cf7dc560be9cfa211cf10c173076752de41

            SHA256

            80d73108ec85652b8a4a23eb926a6a5e9ac4affe55debd6889740bd8e82eadc4

            SHA512

            74bac881c0b3c167be0e6fb01af7f56d2f956d24d2eadccf0894851a438ee0519f19c31f3e2ca8ca318285487b64773fa441f5e4316ad7529a76016f5703893d

            Download Submit

          • memory/112-68-0x00007FF865FD0000-0x00007FF866101000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/112-62-0x00007FF865FD0000-0x00007FF866101000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/112-65-0x000001DD16890000-0x000001DD16897000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1424-84-0x00007FF8660F0000-0x00007FF866221000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1424-80-0x00007FF8660F0000-0x00007FF866221000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-24-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-29-0x00007FF883BF0000-0x00007FF883C00000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3460-9-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-14-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-8-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-7-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-35-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-4-0x00000000072F0000-0x00000000072F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3460-12-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-15-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-6-0x00007FF881D1A000-0x00007FF881D1B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3460-10-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-13-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-16-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-11-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3460-28-0x00000000072D0000-0x00000000072D7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3844-51-0x00007FF8660B0000-0x00007FF866226000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/3844-48-0x0000026EA3310000-0x0000026EA3317000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3844-45-0x00007FF8660B0000-0x00007FF866226000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4560-0-0x00007FF8748F0000-0x00007FF874A20000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4560-38-0x00007FF8748F0000-0x00007FF874A20000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4560-3-0x00000118BDE70000-0x00000118BDE77000-memory.dmp

            Filesize

            28KB

            Download