Overview

overview

10

Static

static

3

e2653dc54e...18.dll

windows7-x64

10

e2653dc54e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2024 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2653dc54e2257c34dd7d16ae5f9d1b1_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    e2653dc54e2257c34dd7d16ae5f9d1b1

  • SHA1

    3de7fed00d1161d0e06c802a790932e9c5aa7cb8

  • SHA256

    86f7814d9e9ee52f35aa907f6a1a8da5afbedc5190cfbdc358c090c59a0bc7e5

  • SHA512

    812df21cd838255f041e17610c1b37069184fc0b217b8bd2cf7c6dded45ea41a2bdb9c4cdc507fba111905dc7563810663759fdcdd3b41d8257475c7d5b0d96f

  • SSDEEP

    24576:FuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:/9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e2653dc54e2257c34dd7d16ae5f9d1b1_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:3968
  • C:\Windows\system32\ie4uinit.exe
    C:\Windows\system32\ie4uinit.exe
    1⤵
      PID:3084
    • C:\Users\Admin\AppData\Local\aypNg\ie4uinit.exe
      C:\Users\Admin\AppData\Local\aypNg\ie4uinit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3112
    • C:\Windows\system32\SndVol.exe
      C:\Windows\system32\SndVol.exe
      1⤵
        PID:4060
      • C:\Users\Admin\AppData\Local\tbuIX\SndVol.exe
        C:\Users\Admin\AppData\Local\tbuIX\SndVol.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4992
      • C:\Windows\system32\tabcal.exe
        C:\Windows\system32\tabcal.exe
        1⤵
          PID:3952
        • C:\Users\Admin\AppData\Local\fBH\tabcal.exe
          C:\Users\Admin\AppData\Local\fBH\tabcal.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2892

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\aypNg\VERSION.dll
          Filesize

          1.2MB

          MD5

          38f31fdbef4ed41ff8d2bbe7e4916fc5

          SHA1

          2b1c092783d661ecc8f01132a98e5ba23541b7b8

          SHA256

          3291e295e4862a4784883c91556610f32c54435813e0269b7db602aa26b1d974

          SHA512

          7cedb31b92000e85f42d06609e355db564c65f269fbab2a2fe4b453b90433eab4fd6d85bad8ec5d7280cc0eea3a8a115bad58ac8df985e49ca037ab87633fbeb

          Download Submit

        • C:\Users\Admin\AppData\Local\aypNg\ie4uinit.exe
          Filesize

          262KB

          MD5

          a2f0104edd80ca2c24c24356d5eacc4f

          SHA1

          8269b9fd9231f04ed47419bd565c69dc677fab56

          SHA256

          5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

          SHA512

          e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

          Download Submit

        • C:\Users\Admin\AppData\Local\fBH\HID.DLL
          Filesize

          1.2MB

          MD5

          4fcc5f8ec2d138ca656c6cec5f0b44dc

          SHA1

          b1734dce62eb8ac7b14fc3e852424e48a832cbb8

          SHA256

          b6b391bd25eb1db16387cae97e96fb71803b79e0f8346d7cc1d5df3fab775e51

          SHA512

          0df7213ba6a9b85d59c062dd5cdd03385ab0d6f9ca7b4ceb14ee159d5133cd0a7ed8ca927613631c011d7109ad0610eeefeb51cee35c88c6f544295959348fea

          Download Submit

        • C:\Users\Admin\AppData\Local\fBH\tabcal.exe
          Filesize

          84KB

          MD5

          40f4014416ff0cbf92a9509f67a69754

          SHA1

          1798ff7324724a32c810e2075b11c09b41e4fede

          SHA256

          f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

          SHA512

          646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

          Download Submit

        • C:\Users\Admin\AppData\Local\tbuIX\SndVol.exe
          Filesize

          269KB

          MD5

          c5d939ac3f9d885c8355884199e36433

          SHA1

          b8f277549c23953e8683746e225e7af1c193ad70

          SHA256

          68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

          SHA512

          8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

          Download Submit

        • C:\Users\Admin\AppData\Local\tbuIX\dwmapi.dll
          Filesize

          1.2MB

          MD5

          9f9b467d0751dc545aa460ba155ae735

          SHA1

          f2a47033a38364b18062ea2cecb505ca6405baa4

          SHA256

          96addda9befe227aa0b229057b1e476a314dd99976e50dd419ab3293d703f52d

          SHA512

          869ffb2923692c4aef1ad4784d77eb627e3b70c37cdab54ba89dabf48c8de764d18fca91e0fe99809a4973f03a4b3629be3ba458f1b0be607938a6b3da4457a0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piobvoh.lnk
          Filesize

          1KB

          MD5

          12612384852df9e3ce38c6ab781f2143

          SHA1

          a6bc6ec2ea413d80d5f58b42a33774f6d378fe00

          SHA256

          c5318543581680247b41680529ad968c0e80f6c749dff2e98a78018733a58ac4

          SHA512

          2b0481b9b970c4924655ca7cb1d35eb757e9892adc601ce7422c76fff86db857bce201f8a9beb7606d7b99567d52528884a290112bed2e6993e6ec97b3df3dc0

          Download Submit

        • memory/2892-85-0x00007FFCFFC50000-0x00007FFCFFD87000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3112-52-0x00007FFCFFC50000-0x00007FFCFFD87000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3112-47-0x00007FFCFFC50000-0x00007FFCFFD87000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3112-46-0x000001BE05CC0000-0x000001BE05CC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3436-35-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-6-0x00007FFD1D3CA000-0x00007FFD1D3CB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-10-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-9-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-8-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-7-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-12-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-11-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-14-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-15-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-16-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-24-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-28-0x0000000007A30000-0x0000000007A37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3436-29-0x00007FFD1E6D0000-0x00007FFD1E6E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-13-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3436-4-0x0000000007A50000-0x0000000007A51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3968-0-0x00000000022E0000-0x00000000022E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3968-38-0x00007FFD10000000-0x00007FFD10136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3968-2-0x00007FFD10000000-0x00007FFD10136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4992-69-0x00007FFCFFC50000-0x00007FFCFFD87000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4992-63-0x000002D28AA20000-0x000002D28AA27000-memory.dmp

          Filesize

          28KB

          Download