Overview

overview

10

Static

static

3

f4dcda795d...18.dll

windows7-x64

10

f4dcda795d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2024 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4dcda795d669eadc3e6aece306f5edd_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    f4dcda795d669eadc3e6aece306f5edd

  • SHA1

    11264496a75d446d6d6f443d8200caad04340ed9

  • SHA256

    1c173d1937e8af89b502f278fb6053f5a1823663ff45e9d9b174483c5d7b46df

  • SHA512

    93b7ade0fa90d5f7b0db616d79c498b43aeeb92de6e264c7908124c78f8b57cf5554e26ad36e7c08a36cf6c65207760eb60846c63e215dd3852226aa6d9ba165

  • SSDEEP

    24576:luYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nipt:f9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4dcda795d669eadc3e6aece306f5edd_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3112
  • C:\Windows\system32\rdpshell.exe
    C:\Windows\system32\rdpshell.exe
    1⤵
      PID:2216
    • C:\Users\Admin\AppData\Local\x9Gi\rdpshell.exe
      C:\Users\Admin\AppData\Local\x9Gi\rdpshell.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2444
    • C:\Windows\system32\MDMAppInstaller.exe
      C:\Windows\system32\MDMAppInstaller.exe
      1⤵
        PID:3472
      • C:\Users\Admin\AppData\Local\pel\MDMAppInstaller.exe
        C:\Users\Admin\AppData\Local\pel\MDMAppInstaller.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2328
      • C:\Windows\system32\PresentationSettings.exe
        C:\Windows\system32\PresentationSettings.exe
        1⤵
          PID:388
        • C:\Users\Admin\AppData\Local\L1EPN\PresentationSettings.exe
          C:\Users\Admin\AppData\Local\L1EPN\PresentationSettings.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1884

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\L1EPN\PresentationSettings.exe
          Filesize

          219KB

          MD5

          790799a168c41689849310f6c15f98fa

          SHA1

          a5d213fc1c71a56de9441b2e35411d83770c01ec

          SHA256

          6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

          SHA512

          8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

          Download Submit

        • C:\Users\Admin\AppData\Local\L1EPN\WINMM.dll
          Filesize

          1.2MB

          MD5

          d639e1cb206ad18e3475fff5cfd04acf

          SHA1

          e8706db05051cd1be76415c038ae2741008e372b

          SHA256

          1240fc04f5c9279655f19f588f16b2406b559a654d0efa5c225c4ecd36c9b6b5

          SHA512

          25455723c6a14a3dd661a77daf411b146ff0710466313adf39ac83108cb9cec0d460328ef5a888226661039f942e4837f69e7f0dafc09e06e13ac07d369912df

          Download Submit

        • C:\Users\Admin\AppData\Local\pel\MDMAppInstaller.exe
          Filesize

          151KB

          MD5

          30e978cc6830b04f1e7ed285cccaa746

          SHA1

          e915147c17e113c676c635e2102bbff90fb7aa52

          SHA256

          dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

          SHA512

          331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

          Download Submit

        • C:\Users\Admin\AppData\Local\pel\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          8714b53cac2c5adcbb4b3b4abb3d4bd9

          SHA1

          0a19eaad1d23017e657bbe7c533ab6fd9562a2f3

          SHA256

          5c79ec51eb686f4055f20ae2ab1f3d48bab57f20108fbe0afc8a869ff1d66714

          SHA512

          953f391dc01ed9c5551a5a1d92a95051b5c319fa05f2cf205ac4507661213d98d0da66d6efabb52ec4cedb266d721e9d4ec0407aef521528938574777f7152ae

          Download Submit

        • C:\Users\Admin\AppData\Local\x9Gi\dwmapi.dll
          Filesize

          1.2MB

          MD5

          69f72333f1732138b7c8b79f3793543f

          SHA1

          aac47a955572572e69f757fff6e7618371a1b1f0

          SHA256

          ec8953a88a2e962053db4bb194a8da5e24383460b4c6b80216351bc87a9f9b10

          SHA512

          6b7671f630d20d65a161e88e8de34c777dba3dbc5f28f3172e13f7140b0b5798af37780e03ac329188b6b582305e99c3a76ea5023aac2527f78b8b73ed5ee656

          Download Submit

        • C:\Users\Admin\AppData\Local\x9Gi\rdpshell.exe
          Filesize

          468KB

          MD5

          428066713f225bb8431340fa670671d4

          SHA1

          47f6878ff33317c3fc09c494df729a463bda174c

          SHA256

          da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

          SHA512

          292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mihblavoyj.lnk
          Filesize

          1KB

          MD5

          7b763148fc19efbd49532e5b308eedf4

          SHA1

          ddbcf37ecee2f684dd96dd1c358ecac3fe10fc31

          SHA256

          ff9b0b7661bee93dfb3120f475730a8585bbc0f0c23beb56c1bf351d0d2ee510

          SHA512

          15a37be197b814f0d3323fc6287c8f6cb54e7377ad90b5b4d13314f355695d2bd350aae701203e164356427f7fb04f86942185448754e6bbe0f5c17e7277dab4

          Download Submit

        • memory/1884-79-0x00007FF920750000-0x00007FF920882000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1884-82-0x000002EBEE040000-0x000002EBEE047000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1884-85-0x00007FF920750000-0x00007FF920882000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2328-68-0x00007FF920900000-0x00007FF920A31000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2328-62-0x0000026A6F770000-0x0000026A6F777000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2444-51-0x00007FF920900000-0x00007FF920A31000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2444-45-0x00007FF920900000-0x00007FF920A31000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2444-48-0x0000025E034D0000-0x0000025E034D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3112-0-0x000001CD84AC0000-0x000001CD84AC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3112-38-0x00007FF92FE80000-0x00007FF92FFB0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3112-1-0x00007FF92FE80000-0x00007FF92FFB0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-27-0x0000000000740000-0x0000000000747000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3388-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-28-0x00007FF93E990000-0x00007FF93E9A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3388-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3388-4-0x0000000002990000-0x0000000002991000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3388-5-0x00007FF93D63A000-0x00007FF93D63B000-memory.dmp

          Filesize

          4KB

          Download