Overview

overview

10

Static

static

3

35402b3c98...18.dll

windows7-x64

10

35402b3c98...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    35402b3c982a44a776ba3dd4be28b519_JaffaCakes118.dll

  • Size

    1.3MB

  • MD5

    35402b3c982a44a776ba3dd4be28b519

  • SHA1

    7a274533a4fea0f23671f61e6b81ad52495a86cb

  • SHA256

    95fbd267e006535acc4bd1284e17c966f7862332aa3978e7008db0113e339616

  • SHA512

    713ba3d9c712d64be42845d5b15c0014e3db2025eba7efb8ea977b4e68fa61d85afc006f1afeeed5f2fed61d33fd24fe2e22c112cbf83e99d1cf48b110eaba25

  • SSDEEP

    12288:sdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:eMIJxSDX3bqjhcfHk7MzH6z

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\35402b3c982a44a776ba3dd4be28b519_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:804
  • C:\Windows\system32\wextract.exe
    C:\Windows\system32\wextract.exe
    1⤵
      PID:4396
    • C:\Users\Admin\AppData\Local\A01D0O\wextract.exe
      C:\Users\Admin\AppData\Local\A01D0O\wextract.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:5088
    • C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
      C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
      1⤵
        PID:1072
      • C:\Users\Admin\AppData\Local\54kh9g\PasswordOnWakeSettingFlyout.exe
        C:\Users\Admin\AppData\Local\54kh9g\PasswordOnWakeSettingFlyout.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:864
      • C:\Windows\system32\slui.exe
        C:\Windows\system32\slui.exe
        1⤵
          PID:3576
        • C:\Users\Admin\AppData\Local\OMb\slui.exe
          C:\Users\Admin\AppData\Local\OMb\slui.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3880

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\54kh9g\DUI70.dll
          Filesize

          1.6MB

          MD5

          a35cecab1f72ea6899220619a37af29c

          SHA1

          43379ff74426f0850be48c2f0496d6d77a305f41

          SHA256

          444b30665cd7f314d84b4ff9c14498f27f097f36fb3c95a74f0e029a983270ea

          SHA512

          49d83d81585f5a6365f7cde08ff4347516fe2039a99f01685f842e46fa7ab86139e406117c6e1fa3ec32e1963b7b5cade7c940a4cf9668f5f3d67c08651ca3e3

          Download Submit

        • C:\Users\Admin\AppData\Local\54kh9g\PasswordOnWakeSettingFlyout.exe
          Filesize

          44KB

          MD5

          591a98c65f624c52882c2b238d6cd4c4

          SHA1

          c960d08c19d777069cf265dcc281807fbd8502d7

          SHA256

          5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

          SHA512

          1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

          Download Submit

        • C:\Users\Admin\AppData\Local\A01D0O\VERSION.dll
          Filesize

          1.3MB

          MD5

          3b696239856f5e81e8ca857f8fad81f4

          SHA1

          4027f7e1a613432b15a46dca6095f97cea5a3679

          SHA256

          3ae32b9c5c43c09c9b4fb62725276a920e5c86743690316543d62512f0f515a3

          SHA512

          3cfb9e1eb594cfdbcd13089a51d7c192a2d7e16250e646d484183da47356881fbaa30a6fd1efe57f3d543cbab1d8add6dbb44dbea99b542ddeab36a057b74fe4

          Download Submit

        • C:\Users\Admin\AppData\Local\A01D0O\wextract.exe
          Filesize

          143KB

          MD5

          56e501e3e49cfde55eb1caabe6913e45

          SHA1

          ab2399cbf17dbee7b302bea49e40d4cee7caea76

          SHA256

          fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

          SHA512

          2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

          Download Submit

        • C:\Users\Admin\AppData\Local\OMb\WTSAPI32.dll
          Filesize

          1.3MB

          MD5

          290b65452dae2678a771c310a2f7daf2

          SHA1

          19e707821883096ec9a636675bdeef34fe03a7e3

          SHA256

          cc9aa350c470d26df8f9d3a609f8eaf97b6995d0c8d950a3e7daf53d3c892fd6

          SHA512

          4d74f77b66cac4466f2f0674433e07d7b33e9f4f47da6fdda1d886623adc9e664cb565f51665c2dc424f8f766805296ef52809f5c0f4bd0c7cd626362cb30b20

          Download Submit

        • C:\Users\Admin\AppData\Local\OMb\slui.exe
          Filesize

          534KB

          MD5

          eb725ea35a13dc18eac46aa81e7f2841

          SHA1

          c0b3304c970324952e18c4a51073e3bdec73440b

          SHA256

          25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

          SHA512

          39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          ab98c194cf9b20ac6c016b422f9687de

          SHA1

          5a797852ccd5f6df778c40868a8abd3002e41ffe

          SHA256

          b7da194340990c318267668dd2e2d7a867b32107b0072556c10f20af3e75ff36

          SHA512

          cebdc1aea0931d8f17dd74d8b09795f3e14555ebdbec3f2a3f0e63662384a91126be6c2fb6b656ba8d0e2227962682adda53d8dd5a835484d3053c16b1a41976

          Download Submit

        • memory/804-3-0x0000017B05E90000-0x0000017B05E97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/804-2-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/804-57-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/804-0-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/864-89-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/864-82-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/864-84-0x0000000140000000-0x0000000140193000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/864-85-0x00000222142D0000-0x00000222142D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3468-20-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-11-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-42-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-32-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-31-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-29-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-30-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-28-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-27-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-26-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-24-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-22-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-21-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-44-0x00007FF8401A0000-0x00007FF8401B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-19-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-18-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-17-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-16-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-14-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-13-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-12-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-43-0x0000000000F90000-0x0000000000F97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3468-10-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-9-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-54-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-8-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-33-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-25-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-6-0x00007FF83E37A000-0x00007FF83E37B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3468-4-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3468-45-0x00007FF840190000-0x00007FF8401A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3468-34-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-23-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-7-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3468-15-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3880-100-0x0000000140000000-0x000000014014E000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3880-101-0x00000287A90E0000-0x00000287A90E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3880-107-0x0000000140000000-0x000000014014E000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/5088-67-0x0000000140000000-0x000000014014E000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/5088-65-0x0000000140000000-0x000000014014E000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/5088-66-0x000001EF243A0000-0x000001EF243A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5088-71-0x0000000140000000-0x000000014014E000-memory.dmp

          Filesize

          1.3MB

          Download