Overview

overview

10

Static

static

3

f85ef19bb0...18.dll

windows7-x64

10

f85ef19bb0...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-09-2024 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f85ef19bb03d5ca288b7b6aa1077168c_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    f85ef19bb03d5ca288b7b6aa1077168c

  • SHA1

    abfb99abb75dbdaa00e7b3827c22817180c3a016

  • SHA256

    3a5d69c3a2b52ad6d2eb5c1471ca4e93fbb17cae1bc33972a67c2aedda09581f

  • SHA512

    0a4d9fdc3ab4694f6ce9ef3dc5251d1f048a60bdf73ccde4e6e00c6074fa4ba69ead7aaa0c63ebdc83ce00a453c935c8a4b4f1953f709dfcd8d57be10e42e485

  • SSDEEP

    24576:QuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:A9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f85ef19bb03d5ca288b7b6aa1077168c_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4112
  • C:\Windows\system32\CloudNotifications.exe
    C:\Windows\system32\CloudNotifications.exe
    1⤵
      PID:4740
    • C:\Users\Admin\AppData\Local\c2FJj\CloudNotifications.exe
      C:\Users\Admin\AppData\Local\c2FJj\CloudNotifications.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:976
    • C:\Windows\system32\unregmp2.exe
      C:\Windows\system32\unregmp2.exe
      1⤵
        PID:2976
      • C:\Users\Admin\AppData\Local\0wfN6\unregmp2.exe
        C:\Users\Admin\AppData\Local\0wfN6\unregmp2.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5084
      • C:\Windows\system32\rdpinput.exe
        C:\Windows\system32\rdpinput.exe
        1⤵
          PID:808
        • C:\Users\Admin\AppData\Local\mue945JOV\rdpinput.exe
          C:\Users\Admin\AppData\Local\mue945JOV\rdpinput.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3020

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0wfN6\VERSION.dll
          Filesize

          1.2MB

          MD5

          047e3208a8dba203cdab274bcb0169b8

          SHA1

          54dbf045eca173f10bd997499b6a03340570b1f7

          SHA256

          af33de1b1e10a08951590d526df4f812bfcce7ce9a5b326ea2fa059f14dd2253

          SHA512

          16ed44456c576d633cf5c4554a9c86089b63ceeff4bb29f27c8bda8d501079a979281c8b771c87a5da712e889c29c2d93cb309b2d49fcfa7673a6c975739fbae

          Download Submit

        • C:\Users\Admin\AppData\Local\0wfN6\unregmp2.exe
          Filesize

          259KB

          MD5

          a6fc8ce566dec7c5873cb9d02d7b874e

          SHA1

          a30040967f75df85a1e3927bdce159b102011a61

          SHA256

          21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d

          SHA512

          f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

          Download Submit

        • C:\Users\Admin\AppData\Local\c2FJj\CloudNotifications.exe
          Filesize

          59KB

          MD5

          b50dca49bc77046b6f480db6444c3d06

          SHA1

          cc9b38240b0335b1763badcceac37aa9ce547f9e

          SHA256

          96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

          SHA512

          2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

          Download Submit

        • C:\Users\Admin\AppData\Local\c2FJj\UxTheme.dll
          Filesize

          1.2MB

          MD5

          d1659179a796b03dd04a85181b0590e2

          SHA1

          b9323b15aa2392d9037733e298bf5f238db3a038

          SHA256

          b2d15a0efa1abc63578486df4b46a3c86d69f8970f70ab0f4028bd74be1f260a

          SHA512

          441010bb0ebbf78d7a85ca111ef827d00480479c32426f2acd33ea1a4b6308e4121e1b31f43ef8d94cb44d27fa714771a4fd7c278cb99e25a6c6df5d65a4c397

          Download Submit

        • C:\Users\Admin\AppData\Local\mue945JOV\WINSTA.dll
          Filesize

          1.2MB

          MD5

          ec343b2a92a8a82b3285659a684c6c7e

          SHA1

          c81f072b5e4535cad293c782627c8151e64c632a

          SHA256

          265aa6f0200f338d56502c41b338f3ba328c9a2d7b0c14bae395274361ffbe4d

          SHA512

          38ef10d02b520d8fdf1244addad2edd1ca1f7a6f1d9078d2d080739639b13a26aa02386652a65e4964ac6a19be9fe0b81b93c582b142a4ce4260efa704359898

          Download Submit

        • C:\Users\Admin\AppData\Local\mue945JOV\rdpinput.exe
          Filesize

          180KB

          MD5

          bd99eeca92869f9a3084d689f335c734

          SHA1

          a2839f6038ea50a4456cd5c2a3ea003e7b77688c

          SHA256

          39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

          SHA512

          355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wyfsbgf.lnk
          Filesize

          991B

          MD5

          ba34620bb7dc75b9798ac856b4c3b85d

          SHA1

          944cafe2a733635b6b68b40caec912508eb30bee

          SHA256

          bda017851bf2afd03b3dd7ca584c03743b675d0fb2bf6a785b6a39af58183a6d

          SHA512

          5b344eaa52a6f1635c374e7bce8c2cc747737e8400fc7c25b42ae282cb8201c1498751772b821f5589a812601f73e12cedfd6255a75f543b0b9c7a6d45337dee

          Download Submit

        • memory/976-52-0x00007FF95AAC0000-0x00007FF95ABF2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/976-46-0x00007FF95AAC0000-0x00007FF95ABF2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/976-49-0x0000011A2EB80000-0x0000011A2EB87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3020-80-0x0000018B1A420000-0x0000018B1A427000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3020-81-0x00007FF95AAC0000-0x00007FF95ABF3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3020-86-0x00007FF95AAC0000-0x00007FF95ABF3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-29-0x00000000026B0000-0x00000000026B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3476-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-4-0x0000000002D80000-0x0000000002D81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3476-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-6-0x00007FF97817A000-0x00007FF97817B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3476-30-0x00007FF978990000-0x00007FF9789A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3476-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3476-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4112-0-0x000002057BA60000-0x000002057BA67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4112-39-0x00007FF969D00000-0x00007FF969E31000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4112-1-0x00007FF969D00000-0x00007FF969E31000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5084-69-0x00007FF95AAC0000-0x00007FF95ABF2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5084-66-0x000001ADC8FE0000-0x000001ADC8FE7000-memory.dmp

          Filesize

          28KB

          Download