Overview

overview

10

Static

static

3

e69e1a73d6...18.dll

windows7-x64

10

e69e1a73d6...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-09-2024 10:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e69e1a73d6e6fb771bfe4de8e067f946_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    e69e1a73d6e6fb771bfe4de8e067f946

  • SHA1

    019a67e5cf84aab2e0e3f97e82c85e123e8541fe

  • SHA256

    cbe5154f2de0b6dff70341409f7f0a41e9c77853528736752887fa88187b828d

  • SHA512

    dab0fe1150f8e28dc1e2eece414fe0eb2a20b627164d460e80c0d01daa0c560824eaf371f50f00c94ea0e474e2de860eec3987fceba720c4237ea491e8c426f6

  • SSDEEP

    24576:3VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL80t:3V8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e69e1a73d6e6fb771bfe4de8e067f946_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2700
  • C:\Windows\system32\tabcal.exe
    C:\Windows\system32\tabcal.exe
    1⤵
      PID:1224
    • C:\Users\Admin\AppData\Local\xcapY\tabcal.exe
      C:\Users\Admin\AppData\Local\xcapY\tabcal.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:764
    • C:\Windows\system32\ie4uinit.exe
      C:\Windows\system32\ie4uinit.exe
      1⤵
        PID:4928
      • C:\Users\Admin\AppData\Local\ybRL322m\ie4uinit.exe
        C:\Users\Admin\AppData\Local\ybRL322m\ie4uinit.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4032
      • C:\Windows\system32\LockScreenContentServer.exe
        C:\Windows\system32\LockScreenContentServer.exe
        1⤵
          PID:3588
        • C:\Users\Admin\AppData\Local\JZb4dwWkA\LockScreenContentServer.exe
          C:\Users\Admin\AppData\Local\JZb4dwWkA\LockScreenContentServer.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1380
        • C:\Windows\system32\SysResetErr.exe
          C:\Windows\system32\SysResetErr.exe
          1⤵
            PID:4088
          • C:\Users\Admin\AppData\Local\UNLQN\SysResetErr.exe
            C:\Users\Admin\AppData\Local\UNLQN\SysResetErr.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:4232

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\JZb4dwWkA\DUser.dll
            Filesize

            1.2MB

            MD5

            1960738da86bd19e7400078e5000a9ba

            SHA1

            e899a918a3cdd84a5880e1abdedf2a63786bdcf3

            SHA256

            ebaa35d000aee72bbbab510b719b3eb307d747e16ecd7f49049ae488501eef15

            SHA512

            eac0f29a9c594791354bc383851f9ae111eb60731f0c68657bcffaf5e8cc854b5b98b3bf9f9dcdadf158f797fe3c2014284bd66ea6e94de0d1900003a7134cd8

            Download Submit

          • C:\Users\Admin\AppData\Local\JZb4dwWkA\LockScreenContentServer.exe
            Filesize

            47KB

            MD5

            a0b7513c98cf46ca2cea3a567fec137c

            SHA1

            2307fc8e3fc620ea3c2fdc6248ad4658479ba995

            SHA256

            cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

            SHA512

            3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

            Download Submit

          • C:\Users\Admin\AppData\Local\UNLQN\DUI70.dll
            Filesize

            1.5MB

            MD5

            ea0ca8f75f6282c57f7d289e5bc6896a

            SHA1

            27ad20caa56668a0c5c78a8956305b98637aa4f5

            SHA256

            8254076aed8124e8eb8ea733223844cef1a9edc9320b214a0ffd21c99a846323

            SHA512

            d0be362358b66603c025a53035e830645a357a1ef04b02dc7bf9f872711bed7ccda2ae0cdfe408a55dc746ce4c1864f95628d0ba347250f3e5d61ba126e0c66b

            Download Submit

          • C:\Users\Admin\AppData\Local\UNLQN\SysResetErr.exe
            Filesize

            41KB

            MD5

            090c6f458d61b7ddbdcfa54e761b8b57

            SHA1

            c5a93e9d6eca4c3842156cc0262933b334113864

            SHA256

            a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

            SHA512

            c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

            Download Submit

          • C:\Users\Admin\AppData\Local\xcapY\HID.DLL
            Filesize

            1.2MB

            MD5

            de6fa6ffdae6ebedba6ad6178074c4b4

            SHA1

            8391924388394695aae76ac4af311d003674d119

            SHA256

            e82288798ee8a597a375f1a6bfe71f1643ddd846b25c2269ba5c34c82be3724d

            SHA512

            f8d9107d9b48377c2dee028f7fd86e3f6441c91ca9f10a434f4148e67c2b0583e982dfed5e08d72dd4237125d8ef74c84165827c526860cfe9e9053701080479

            Download Submit

          • C:\Users\Admin\AppData\Local\xcapY\tabcal.exe
            Filesize

            84KB

            MD5

            40f4014416ff0cbf92a9509f67a69754

            SHA1

            1798ff7324724a32c810e2075b11c09b41e4fede

            SHA256

            f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

            SHA512

            646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

            Download Submit

          • C:\Users\Admin\AppData\Local\ybRL322m\VERSION.dll
            Filesize

            1.2MB

            MD5

            7e3368ef328e33bcd429e55ce708c743

            SHA1

            aa35d7f2f3c6c09711bcb79372e95c64d94d26b3

            SHA256

            3693ebda7f948c945b873ff6bf1ae053217f83f79f569e23f67d44bcf15719c1

            SHA512

            5b73f0137a731fcf77b77a3ac83d5c84675b820244e8a279ae9bdd94fa02288f41df91a10a597ff3c8eb680e94036d6a41c3b38b59e2f306661655c9bd92599c

            Download Submit

          • C:\Users\Admin\AppData\Local\ybRL322m\ie4uinit.exe
            Filesize

            262KB

            MD5

            a2f0104edd80ca2c24c24356d5eacc4f

            SHA1

            8269b9fd9231f04ed47419bd565c69dc677fab56

            SHA256

            5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

            SHA512

            e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wyfsbgf.lnk
            Filesize

            1KB

            MD5

            b0edfb2c1d99b8d2216c032264b08bd2

            SHA1

            7afd3d910af359a39a82d7ec218fffe6c1b0731f

            SHA256

            dafc9f70cf6ac33b97923193b2209e1df3bbdf51f786722a2c9bb4f973089cca

            SHA512

            f1c528f768dad666c2a465f28faef616f93f24619c4f979beb3822d28468d1d4416a1f1a95130ad01cde1709f89c8c8e0a3c8a8755168a4fe2d91194d3a6889a

            Download Submit

          • memory/764-52-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/764-47-0x0000000140000000-0x0000000140144000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/764-46-0x000001CEF57E0000-0x000001CEF57E7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1380-76-0x000001C687BC0000-0x000001C687BC7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1380-73-0x0000000140000000-0x0000000140145000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/1380-79-0x0000000140000000-0x0000000140145000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/2700-39-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/2700-1-0x00000252D9830000-0x00000252D9837000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2700-0-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3456-29-0x0000000000850000-0x0000000000857000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3456-36-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3456-11-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3456-12-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3456-13-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3456-14-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3456-16-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3456-25-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3456-9-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3456-10-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3456-30-0x00007FFE6E7B0000-0x00007FFE6E7C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3456-15-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3456-7-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3456-5-0x00007FFE6DDCA000-0x00007FFE6DDCB000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3456-4-0x0000000000A10000-0x0000000000A11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3456-8-0x0000000140000000-0x0000000140143000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/4232-95-0x0000000140000000-0x0000000140189000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4232-90-0x0000000140000000-0x0000000140189000-memory.dmp

            Filesize

            1.5MB

            Download