Overview

overview

10

Static

static

3

f215b4fabb...18.dll

windows7-x64

10

f215b4fabb...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-09-2024 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f215b4fabb14768f115195da3c9dad3a_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    f215b4fabb14768f115195da3c9dad3a

  • SHA1

    8977086bad5f310504bf0c61f36f096f2cb7644b

  • SHA256

    c4a179d204f7bb7c4f82d2c0878c3f5cb9ca17fb519dd3b7447e4c3c5b327019

  • SHA512

    d88438ee561f9d21017f2099b915cf4b5fd4f03b58bf8b139b721b558f41f061b923e564c5fbb9570c5c1337b986810df91de4a7bb2b7dc160c5c5f6022681ca

  • SSDEEP

    24576:AuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nfpt:Q9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f215b4fabb14768f115195da3c9dad3a_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3464
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    1⤵
      PID:5008
    • C:\Users\Admin\AppData\Local\3FJmnC\BitLockerWizard.exe
      C:\Users\Admin\AppData\Local\3FJmnC\BitLockerWizard.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1512
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      1⤵
        PID:1928
      • C:\Users\Admin\AppData\Local\GfbU1gnuj\wermgr.exe
        C:\Users\Admin\AppData\Local\GfbU1gnuj\wermgr.exe
        1⤵
        • Executes dropped EXE
        PID:3904
      • C:\Windows\system32\MusNotificationUx.exe
        C:\Windows\system32\MusNotificationUx.exe
        1⤵
          PID:4300
        • C:\Users\Admin\AppData\Local\c3Ecgee\MusNotificationUx.exe
          C:\Users\Admin\AppData\Local\c3Ecgee\MusNotificationUx.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4820
        • C:\Windows\system32\mfpmp.exe
          C:\Windows\system32\mfpmp.exe
          1⤵
            PID:1920
          • C:\Users\Admin\AppData\Local\Kh04Gb\mfpmp.exe
            C:\Users\Admin\AppData\Local\Kh04Gb\mfpmp.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:4312

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\3FJmnC\BitLockerWizard.exe
            Filesize

            100KB

            MD5

            6d30c96f29f64b34bc98e4c81d9b0ee8

            SHA1

            4a3adc355f02b9c69bdbe391bfb01469dee15cf0

            SHA256

            7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

            SHA512

            25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

            Download Submit

          • C:\Users\Admin\AppData\Local\3FJmnC\FVEWIZ.dll
            Filesize

            1.2MB

            MD5

            84fbaee710d54dbcd8d1c46bc4c5569d

            SHA1

            7ffc2b902c67029becc0ae21de8984c4f334702f

            SHA256

            23cc6773304c8251b3dac52bdc472d3e798bdf737ae956c12f80ab642408b765

            SHA512

            945f183dd82da058176b26eb8f187fa978eade78864c6ba810d724346c7defa1fd86a3db1cdddfea8e56b2b99818a825f865c8dd42b5159f6be0d2c8ee8fdba0

            Download Submit

          • C:\Users\Admin\AppData\Local\GfbU1gnuj\wermgr.exe
            Filesize

            223KB

            MD5

            f7991343cf02ed92cb59f394e8b89f1f

            SHA1

            573ad9af63a6a0ab9b209ece518fd582b54cfef5

            SHA256

            1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

            SHA512

            fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

            Download Submit

          • C:\Users\Admin\AppData\Local\Kh04Gb\MFPlat.DLL
            Filesize

            1.2MB

            MD5

            ce5f6384ded5fc6dec1145cb7a26db12

            SHA1

            82cbcd1455337919556f6e73162a7d8156b0b487

            SHA256

            e4e6fbeeea43c8cecf8a995686c2ecc53635c5e9e14588a64e02473c0d0a31af

            SHA512

            51214e4de7a04a254d3cdab5cf3bd2252cab44fea191b50bcd008eb4959b3ca1adfa96f4c50d117ee4491b0e494043d7862d8d62b8138967b29fe5f9ccee445a

            Download Submit

          • C:\Users\Admin\AppData\Local\Kh04Gb\mfpmp.exe
            Filesize

            46KB

            MD5

            8f8fd1988973bac0c5244431473b96a5

            SHA1

            ce81ea37260d7cafe27612606cf044921ad1304c

            SHA256

            27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

            SHA512

            a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

            Download Submit

          • C:\Users\Admin\AppData\Local\c3Ecgee\MusNotificationUx.exe
            Filesize

            615KB

            MD5

            869a214114a81712199f3de5d69d9aad

            SHA1

            be973e4188eff0d53fdf0e9360106e8ad946d89f

            SHA256

            405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

            SHA512

            befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

            Download Submit

          • C:\Users\Admin\AppData\Local\c3Ecgee\XmlLite.dll
            Filesize

            1.2MB

            MD5

            9651386b648e1198a8e7ca4022725142

            SHA1

            62931ddd911ab71061680652f6652d692f5ef4f2

            SHA256

            4611ed8256796a3622ea3cad5474b9e424bff96c45834099a395ab96d3fc2db2

            SHA512

            4a0837bd253d6eb4960bc386a9055e39bbf63073a35b4745ae0ef602070bff46cf27576d8f2f6053ed6203aa481cd8a7e92c51230ab0be41d177215c8a86a61e

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ahvhgxnkgdxqlh.lnk
            Filesize

            1KB

            MD5

            c631cb059060d0ea9953e9e54e17b21b

            SHA1

            293ccac25761a145ff7156c8e24ec14694866f59

            SHA256

            603459154ef789d6909bcdcf7c24713b5cb4be923e22e8921db88dc785f2242a

            SHA512

            a4a4c94cc701333945a21ec05214c306590262ea229a3ae3a72d2d3d778141e88f5b2e0b369e44f45480f9d0c1c1e73a016d5f2fed783111e36869ffb1a47571

            Download Submit

          • memory/1512-51-0x00007FFD530E0000-0x00007FFD53211000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1512-46-0x00007FFD530E0000-0x00007FFD53211000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1512-45-0x00000211CD200000-0x00000211CD207000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3464-38-0x00007FFD629B0000-0x00007FFD62AE0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3464-3-0x00000239632B0000-0x00000239632B7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3464-0-0x00007FFD629B0000-0x00007FFD62AE0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3492-35-0x00007FFD71270000-0x00007FFD71280000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3492-12-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3492-8-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3492-7-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3492-9-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3492-10-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3492-11-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3492-16-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3492-33-0x0000000000890000-0x0000000000897000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3492-34-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3492-24-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3492-15-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3492-13-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3492-4-0x0000000002680000-0x0000000002681000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3492-6-0x00007FFD6F34A000-0x00007FFD6F34B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3492-14-0x0000000140000000-0x0000000140130000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4312-87-0x00000190D5C60000-0x00000190D5C67000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4312-88-0x00007FFD530E0000-0x00007FFD53212000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4312-91-0x00007FFD530E0000-0x00007FFD53212000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4820-76-0x00007FFD530E0000-0x00007FFD53211000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4820-73-0x000001ED4DCD0000-0x000001ED4DCD7000-memory.dmp

            Filesize

            28KB

            Download