Overview

overview

10

Static

static

3

e87adb12a4...18.dll

windows7-x64

10

e87adb12a4...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-09-2024 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e87adb12a4d0bf15245bbd0d65bb0cfc_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    e87adb12a4d0bf15245bbd0d65bb0cfc

  • SHA1

    56d12429ec379f1d6df251feb0ee6794ce410bed

  • SHA256

    3e42df93d811b179bcebf9e9cfc4402a2b4f7aa92665ee3725850d141c35be09

  • SHA512

    2244c10e117dcf2b1592e5e3bb513c3e0976d9765e4c924e82abe72c5948859a2819060d6bbcf6a67217abb7f81b1f1e7b2232e2ea6da6d082d67de61f81dd77

  • SSDEEP

    24576:9uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:X9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e87adb12a4d0bf15245bbd0d65bb0cfc_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2828
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    1⤵
      PID:2596
    • C:\Users\Admin\AppData\Local\B5YU\BdeUISrv.exe
      C:\Users\Admin\AppData\Local\B5YU\BdeUISrv.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2708
    • C:\Windows\system32\fveprompt.exe
      C:\Windows\system32\fveprompt.exe
      1⤵
        PID:2716
      • C:\Users\Admin\AppData\Local\jO5mrXy8p\fveprompt.exe
        C:\Users\Admin\AppData\Local\jO5mrXy8p\fveprompt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2504
      • C:\Windows\system32\Netplwiz.exe
        C:\Windows\system32\Netplwiz.exe
        1⤵
          PID:1356
        • C:\Users\Admin\AppData\Local\aW29IqrQ\Netplwiz.exe
          C:\Users\Admin\AppData\Local\aW29IqrQ\Netplwiz.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:632

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\B5YU\BdeUISrv.exe
          Filesize

          47KB

          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit

        • C:\Users\Admin\AppData\Local\B5YU\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          308519e53cdee9457a4e72249b87b15e

          SHA1

          a9c181e8d6b2c2f29705e2e38093f7c97c2ce703

          SHA256

          d3ff84a66230e45b0ceaee8ab9b59565dd5ac8c3c62e9f55489427da72d4a87f

          SHA512

          08b606a0ec95f6074289eb19ecc79ec0fc85fdb5b742348f1bd16f3c38d06a3c2eea62e6ad859139833a043821c4a3f65164f75d66f546cf66b9dcc106da6a83

          Download Submit

        • C:\Users\Admin\AppData\Local\aW29IqrQ\NETPLWIZ.dll
          Filesize

          1.2MB

          MD5

          570ab67a4d2b782cb00dcdf8e616c57f

          SHA1

          4ed39ccdc3f74b55a451068d6edd5e111f9fd8b9

          SHA256

          e392f9d8c2a68bae9aed6ebb6f7e0684a8e1cd849d28927ea1d7f410f6ef9548

          SHA512

          e998644f77f5d6f0a059229858f0e92327a0960117720c05970ba324177b0eac1771bf5abcec40e36c10445148508ba46ba5b3d0423e9cd4490d8fcea780d0e5

          Download Submit

        • C:\Users\Admin\AppData\Local\jO5mrXy8p\fveprompt.exe
          Filesize

          104KB

          MD5

          dc2c44a23b2cd52bd53accf389ae14b2

          SHA1

          e36c7b6f328aa2ab2f52478169c52c1916f04b5f

          SHA256

          7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

          SHA512

          ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

          Download Submit

        • C:\Users\Admin\AppData\Local\jO5mrXy8p\slc.dll
          Filesize

          1.2MB

          MD5

          4555fefd10ca36b7d3a76fd2a9b294f7

          SHA1

          a5bd756fdeda6b5742e7f93fa071b8f7c8a72b9b

          SHA256

          4ba11723f88a82f51a1be8473636f39ace3b6514fa9e3ce925ccbf382ff5020c

          SHA512

          957584285fd6419df7c0277b9f72dc4fa7df80d7d2cc923f139069e15413fcf752402678494d54b32c30d302d23404c365094a9d07b8ee49c99c575825fde52e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          1317cd5d33f1072505fdc7b101bf2e90

          SHA1

          458e57d0066fad169dd64eddca97167d8f4f48df

          SHA256

          c7a33fb68d78325bf70026532039546409e04dc2b00e4a887941ff3a14978cc5

          SHA512

          fdfe5407c5e71107c52b003172055fd3b9ea10aa68e97c8c583c00d506b3e8a69726e63bd393ba4a514b88d9dba6e5bf2356bd42166a777dcdfcbeda3dcf4757

          Download Submit

        • \Users\Admin\AppData\Local\aW29IqrQ\Netplwiz.exe
          Filesize

          26KB

          MD5

          e43ec3c800d4c0716613392e81fba1d9

          SHA1

          37de6a235e978ecf3bb0fc2c864016c5b0134348

          SHA256

          636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

          SHA512

          176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

          Download Submit

        • memory/632-96-0x000007FEF6070000-0x000007FEF61A1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/632-90-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-29-0x00000000773D0000-0x00000000773D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-28-0x0000000077241000-0x0000000077242000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-37-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-4-0x0000000077136000-0x0000000077137000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-46-0x0000000077136000-0x0000000077137000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-5-0x0000000002E00000-0x0000000002E01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-25-0x0000000002DE0000-0x0000000002DE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2504-72-0x000007FEF6070000-0x000007FEF61A1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2504-75-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2504-78-0x000007FEF6070000-0x000007FEF61A1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2708-60-0x000007FEF6950000-0x000007FEF6A81000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2708-54-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2708-55-0x000007FEF6950000-0x000007FEF6A81000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2828-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2828-45-0x000007FEF6080000-0x000007FEF61B0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2828-1-0x000007FEF6080000-0x000007FEF61B0000-memory.dmp

          Filesize

          1.2MB

          Download