Overview

overview

10

Static

static

3

e66310ce19...18.dll

windows7-x64

10

e66310ce19...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-09-2024 08:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e66310ce193bb89ced004896ce2abec0_JaffaCakes118.dll

  • Size

    986KB

  • MD5

    e66310ce193bb89ced004896ce2abec0

  • SHA1

    873677347b25d9bc2296a7c0308e4e6139139592

  • SHA256

    3c7d900f40f2d8d8a04b5e2d20279fd248a490df62ebdf7f3bdcbfeb7921844f

  • SHA512

    aaf6243e666eee429add8022acbf9bc6e10f54de0ddfeb9bcb661bf87ab1c92d65e61c8799e2dbed708a11a0a7a81e25585c11af04937a3b9da2ee76697841e8

  • SSDEEP

    24576:CVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:CV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e66310ce193bb89ced004896ce2abec0_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1196
  • C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    1⤵
      PID:740
    • C:\Users\Admin\AppData\Local\PLfYjAE\wermgr.exe
      C:\Users\Admin\AppData\Local\PLfYjAE\wermgr.exe
      1⤵
      • Executes dropped EXE
      PID:736
    • C:\Windows\system32\usocoreworker.exe
      C:\Windows\system32\usocoreworker.exe
      1⤵
        PID:3112
      • C:\Users\Admin\AppData\Local\bgA9qg6\usocoreworker.exe
        C:\Users\Admin\AppData\Local\bgA9qg6\usocoreworker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5020
      • C:\Windows\system32\SystemPropertiesAdvanced.exe
        C:\Windows\system32\SystemPropertiesAdvanced.exe
        1⤵
          PID:4760
        • C:\Users\Admin\AppData\Local\rqq\SystemPropertiesAdvanced.exe
          C:\Users\Admin\AppData\Local\rqq\SystemPropertiesAdvanced.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4072
        • C:\Windows\system32\bdechangepin.exe
          C:\Windows\system32\bdechangepin.exe
          1⤵
            PID:1904
          • C:\Users\Admin\AppData\Local\6VDDu\bdechangepin.exe
            C:\Users\Admin\AppData\Local\6VDDu\bdechangepin.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2808

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\6VDDu\DUI70.dll
            Filesize

            1.2MB

            MD5

            61a82c498715f324f86f11a17794abad

            SHA1

            edc8012e4d18f5bd8e47175e058321411b4db290

            SHA256

            aa0d4c08e2595b93f7578d2cc84290ab0210a40d7af3614e66bd5dd97d1d04e4

            SHA512

            7c98ba5ed13835e302a14f7a314cc3b3d0fedead46322bcf3561996b0aeb03335f666d1c40911aea5578fb1e524de3ce93f60b5b52191d24fdb5bff7f74319cf

            Download Submit

          • C:\Users\Admin\AppData\Local\6VDDu\bdechangepin.exe
            Filesize

            373KB

            MD5

            601a28eb2d845d729ddd7330cbae6fd6

            SHA1

            5cf9f6f9135c903d42a7756c638333db8621e642

            SHA256

            4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

            SHA512

            1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

            Download Submit

          • C:\Users\Admin\AppData\Local\PLfYjAE\wermgr.exe
            Filesize

            223KB

            MD5

            f7991343cf02ed92cb59f394e8b89f1f

            SHA1

            573ad9af63a6a0ab9b209ece518fd582b54cfef5

            SHA256

            1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

            SHA512

            fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

            Download Submit

          • C:\Users\Admin\AppData\Local\bgA9qg6\XmlLite.dll
            Filesize

            986KB

            MD5

            9a6c902506127052171365f4dae82672

            SHA1

            c42e45fc281e7c7bc9eb5bb4ef2f29f30215a639

            SHA256

            c1e388b9bf813859459c94845eead118f83db7f1109b260f60936ce880377eb9

            SHA512

            cec22493dfc9fdabd35ae0c9d04ff1118dde171465bb9ceeec8ab25f0f18a08587bd3e0e8d04532d9f429ceba2ea15f4976c46852965703feaa575ed8ac9fd92

            Download Submit

          • C:\Users\Admin\AppData\Local\bgA9qg6\usocoreworker.exe
            Filesize

            1.3MB

            MD5

            2c5efb321aa64af37dedc6383ce3198e

            SHA1

            a06d7020dd43a57047a62bfb443091cd9de946ba

            SHA256

            0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

            SHA512

            5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

            Download Submit

          • C:\Users\Admin\AppData\Local\rqq\SYSDM.CPL
            Filesize

            986KB

            MD5

            f3079258fc0cbb15c4ac16506da4146b

            SHA1

            d0b808e7a537308a1f38e5afbf50bfd18835725e

            SHA256

            a62cfe2705eec220cd2552579286e5f9ae19022be607c949f426687620884502

            SHA512

            8f2b0b3ab5b7e1555afad1f93f7937e81f16496b1685d202e42bc1433224cdc37aa8aa1f0fcf6d41abfb13671852bfb55f0de22570f8d3eec933f17ea217427d

            Download Submit

          • C:\Users\Admin\AppData\Local\rqq\SystemPropertiesAdvanced.exe
            Filesize

            82KB

            MD5

            fa040b18d2d2061ab38cf4e52e753854

            SHA1

            b1b37124e9afd6c860189ce4d49cebbb2e4c57bc

            SHA256

            c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c

            SHA512

            511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mihblavoyj.lnk
            Filesize

            1KB

            MD5

            de0268c84875dfc40555ed82daf3868c

            SHA1

            069e2f8484913b962d813a7a680d4dc420d419bf

            SHA256

            5ef4a6757fd15ee04bdc30b8a3c600b94234584bf1d0720dc53b12b5fcf76ae3

            SHA512

            488957115ba86af59f648d54d24f25a1fedc0fa62d05f69315325b112d41fc732878607b220b004bf465573fcd11e76e587cbadc9b36377dbe7b7feadb69797e

            Download Submit

          • memory/1196-37-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/1196-0-0x00000167F4080000-0x00000167F4087000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1196-1-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/2808-92-0x0000000140000000-0x0000000140142000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/2808-87-0x0000000140000000-0x0000000140142000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/2808-86-0x00000293CFD20000-0x00000293CFD27000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3420-5-0x00007FFD9295A000-0x00007FFD9295B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3420-12-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3420-8-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3420-23-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3420-27-0x00007FFD946D0000-0x00007FFD946E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3420-24-0x0000000000D70000-0x0000000000D77000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3420-14-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3420-11-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3420-10-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3420-7-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3420-13-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3420-9-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/3420-4-0x0000000002C60000-0x0000000002C61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3420-34-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/4072-75-0x0000000140000000-0x00000001400FD000-memory.dmp

            Filesize

            1012KB

            Download

          • memory/4072-72-0x0000014535A80000-0x0000014535A87000-memory.dmp

            Filesize

            28KB

            Download

          • memory/5020-52-0x0000000140000000-0x00000001400FD000-memory.dmp

            Filesize

            1012KB

            Download

          • memory/5020-58-0x0000000140000000-0x00000001400FD000-memory.dmp

            Filesize

            1012KB

            Download

          • memory/5020-55-0x0000020318CB0000-0x0000020318CB7000-memory.dmp

            Filesize

            28KB

            Download