Overview

overview

10

Static

static

3

fba5b46899...18.dll

windows7-x64

10

fba5b46899...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-09-2024 06:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fba5b46899374a9f66e4a2dcfa9cb2fc_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    fba5b46899374a9f66e4a2dcfa9cb2fc

  • SHA1

    81fb319d0b6337c09cc8a4503da5c27b4e5d31fa

  • SHA256

    383d9d2d0d8121f36b0c1274c3f168237eda7d4dc593a555871f67474c48ba6d

  • SHA512

    e854de2c6b0af464e43c04d7d2f1b3a8d9aacf84409dc52bfa6fb7c6130c26c6197ee466dcfb88402c3d1fd22bb65093b9369f130e892610bf51007e8104d022

  • SSDEEP

    24576:7yTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:7yWRKTt/QlPVp3h9

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fba5b46899374a9f66e4a2dcfa9cb2fc_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4236
  • C:\Windows\system32\wlrmdr.exe
    C:\Windows\system32\wlrmdr.exe
    1⤵
      PID:3256
    • C:\Users\Admin\AppData\Local\WATkkqG\wlrmdr.exe
      C:\Users\Admin\AppData\Local\WATkkqG\wlrmdr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4100
    • C:\Windows\system32\psr.exe
      C:\Windows\system32\psr.exe
      1⤵
        PID:2492
      • C:\Users\Admin\AppData\Local\t2rSu\psr.exe
        C:\Users\Admin\AppData\Local\t2rSu\psr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5100
      • C:\Windows\system32\mmc.exe
        C:\Windows\system32\mmc.exe
        1⤵
          PID:1484
        • C:\Users\Admin\AppData\Local\Yb6cngRLv\mmc.exe
          C:\Users\Admin\AppData\Local\Yb6cngRLv\mmc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:764

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\WATkkqG\DUI70.dll
          Filesize

          1.4MB

          MD5

          795761635358af3330f57a50394e50dd

          SHA1

          edd921a1dd768933909c09ddc2bab61e9323a4a5

          SHA256

          e033d45e0b82eb4cfe30f0797e2f397d47485c987e28e935caa96221a8c7b059

          SHA512

          d266fb2e0b46746c16df439cc1c3c2a07dc706ac8b4f42c8f8aeb6c288997a08a7b8dd4d4292980eeb83c0f74e76919f3ad555eae98606baced7f8638513032d

          Download Submit

        • C:\Users\Admin\AppData\Local\WATkkqG\wlrmdr.exe
          Filesize

          66KB

          MD5

          ef9bba7a637a11b224a90bf90a8943ac

          SHA1

          4747ec6efd2d41e049159249c2d888189bb33d1d

          SHA256

          2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

          SHA512

          4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

          Download Submit

        • C:\Users\Admin\AppData\Local\Yb6cngRLv\UxTheme.dll
          Filesize

          1.2MB

          MD5

          439528ce1be3d026d0eb88929244b51f

          SHA1

          bdb7c0ca7a3c5ed375670cdd27512493cd725f16

          SHA256

          3d56c5ce326ae71061186bc62bd69faa5265fab191647414d08a2a378d9efea0

          SHA512

          1cebe7137d94ee191a38d0d10cda407dc7a83b51653820e43d127d1053c76afcddba2825cfeee5471ebd6526cc91630e996548f53bd3f6d89ad5e982b3577401

          Download Submit

        • C:\Users\Admin\AppData\Local\Yb6cngRLv\mmc.exe
          Filesize

          1.8MB

          MD5

          8c86b80518406f14a4952d67185032d6

          SHA1

          9269f1fbcf65fefbc88a2e239519c21efe0f6ba5

          SHA256

          895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a

          SHA512

          1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

          Download Submit

        • C:\Users\Admin\AppData\Local\t2rSu\XmlLite.dll
          Filesize

          1.2MB

          MD5

          39b37fd565fbdc9dffdf599e12446ef2

          SHA1

          36c98e62e90dfdc550d2f199cc427b14bacae021

          SHA256

          c3e71b39808404cfe294f5140c2c471a5bc0d8203a79688eed23703584d09d98

          SHA512

          394059f6120c3504f65f5162f60caa45a1a95b0ccbb063e8adb4235716024f0bd39ff6985667276dc2f1194981b8b3976cdc47f823ebdb17fde30f24be4b7004

          Download Submit

        • C:\Users\Admin\AppData\Local\t2rSu\psr.exe
          Filesize

          232KB

          MD5

          ad53ead5379985081b7c3f1f357e545a

          SHA1

          6f5aa32c1d15fbf073558fadafd046d97b60184e

          SHA256

          4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

          SHA512

          433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ahvhgxnkgdxqlh.lnk
          Filesize

          1KB

          MD5

          66b4f32b2af18f4f6484bc11672fd0d3

          SHA1

          5b4b9ed5f3c6afed2b640dd3c5f5cc344ab9ecc7

          SHA256

          aea54c7431e8459999c2463e2b02d393474be17b6e152ce305c3987640a494ee

          SHA512

          681939a07e85295d66b70d25fa3d7677b5c2a505be1df2a23eb4edf58571103ed786bd9d1550382c48638774d2ab0bf16ec264263ee23040c06397c30ec9e7b8

          Download Submit

        • memory/764-84-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/764-88-0x0000000000B60000-0x0000000000B67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/764-90-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-29-0x00000000010D0000-0x00000000010D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3500-4-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3500-5-0x00007FFE9B3EA000-0x00007FFE9B3EB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3500-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3500-30-0x00007FFE9CCD0000-0x00007FFE9CCE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4100-46-0x0000000140000000-0x0000000140177000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4100-54-0x0000000140000000-0x0000000140177000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4100-49-0x0000000140000000-0x0000000140177000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4100-50-0x000001F431E60000-0x000001F431E67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4236-39-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4236-1-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4236-3-0x0000020376EC0000-0x0000020376EC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5100-66-0x0000015505B10000-0x0000015505B17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5100-67-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5100-72-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/5100-65-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download