Overview

overview

10

Static

static

3

35a49d0b8e...18.dll

windows7-x64

10

35a49d0b8e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    35a49d0b8e5d1748ef8ed60d646e62b0_JaffaCakes118.dll

  • Size

    1.1MB

  • MD5

    35a49d0b8e5d1748ef8ed60d646e62b0

  • SHA1

    4556bb402441ff4ed307b75c4fc54596f78cbd15

  • SHA256

    bad0daeaf20a474f44a060b49aa175aec0145a1a1765881426e1e6781f22b543

  • SHA512

    7bd08faa1a6eb6b5843f78c40d70c4488f1f997c3b099287142c54af0d1d35a57073946ed7700fe832b129599fff895824ba1efea55cde58adeaa668be090b54

  • SSDEEP

    12288:PdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0Ty:VMIJxSDX3bqjhcfHk7MzH6z

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\35a49d0b8e5d1748ef8ed60d646e62b0_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1088
  • C:\Windows\system32\BitLockerWizardElev.exe
    C:\Windows\system32\BitLockerWizardElev.exe
    1⤵
      PID:1808
    • C:\Users\Admin\AppData\Local\9hXAq\BitLockerWizardElev.exe
      C:\Users\Admin\AppData\Local\9hXAq\BitLockerWizardElev.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3468
    • C:\Windows\system32\rdpclip.exe
      C:\Windows\system32\rdpclip.exe
      1⤵
        PID:4060
      • C:\Users\Admin\AppData\Local\G9j\rdpclip.exe
        C:\Users\Admin\AppData\Local\G9j\rdpclip.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3436
      • C:\Windows\system32\SppExtComObj.Exe
        C:\Windows\system32\SppExtComObj.Exe
        1⤵
          PID:1448
        • C:\Users\Admin\AppData\Local\4wHD\SppExtComObj.Exe
          C:\Users\Admin\AppData\Local\4wHD\SppExtComObj.Exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1184

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\4wHD\ACTIVEDS.dll
          Filesize

          1.1MB

          MD5

          d8ecf4cda75a0ebf2d6e30a8f7e70a41

          SHA1

          83c75c0552254c4dde3020aa3a4720f0aaff119f

          SHA256

          2ec864719a691dd1796866d7b0d0b2871339ecb99a3426ba5f0dfac47eab3949

          SHA512

          331cb349aed879f2a1b2bad32d7025c8d3a84bad1c88c0202b68670238256ae7c560b76904318cde8e46d553dfaa1fcbe3001325ed7736ff48f7fe53d589a538

          Download Submit

        • C:\Users\Admin\AppData\Local\4wHD\SppExtComObj.Exe
          Filesize

          559KB

          MD5

          728a78909aa69ca0e976e94482350700

          SHA1

          6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

          SHA256

          2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

          SHA512

          22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

          Download Submit

        • C:\Users\Admin\AppData\Local\9hXAq\BitLockerWizardElev.exe
          Filesize

          100KB

          MD5

          8ac5a3a20cf18ae2308c64fd707eeb81

          SHA1

          31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

          SHA256

          803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

          SHA512

          85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

          Download Submit

        • C:\Users\Admin\AppData\Local\9hXAq\FVEWIZ.dll
          Filesize

          1.1MB

          MD5

          d27c5c62513a615ea61697dd1d361754

          SHA1

          8bb3087ea360efe40e23f3a0e838042d01931112

          SHA256

          55b934aeae356e66ac5f7972b3c5d06daf52209baf00884b2bab5ad6166506fd

          SHA512

          ba7b0f315fc0d0a7fc6ad71d18595d5e0d4108532347674ecb20396d64d1e1f08bd467111084dd5db5a537eebd4dd9623a189e3360493bebac5ab4a18ddd0445

          Download Submit

        • C:\Users\Admin\AppData\Local\G9j\dwmapi.dll
          Filesize

          1.1MB

          MD5

          4a2d8c65ce538816a7f1cc15dd1a5790

          SHA1

          25317333fa82a7c804b7de2ff0f345dabdfc7255

          SHA256

          ae0450e1135b24f96274aaa88f5581c5a5d200f8933d9078c8a6189685c4b919

          SHA512

          49e67b51059d1ea822f768f568acade3369f93b71f7d252ba33f7a64ca37d1d78d45d4b6d46a93bc47db4f3c2103b8af0a45b9dbf4d3546379806436ecdc9401

          Download Submit

        • C:\Users\Admin\AppData\Local\G9j\rdpclip.exe
          Filesize

          446KB

          MD5

          a52402d6bd4e20a519a2eeec53332752

          SHA1

          129f2b6409395ef877b9ca39dd819a2703946a73

          SHA256

          9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

          SHA512

          632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk
          Filesize

          1KB

          MD5

          e547d9abf159afa56ea8193a08d3ce17

          SHA1

          e428ec5910a5ce92099186ceac75fa0867b62dbe

          SHA256

          f1fbdf983abd9a444f46db8d01ecae044e2e924ff399ad931b33f104d886d202

          SHA512

          e81ec763ddc2f248fab6315b491b61cabb3f57a2098c40e295baaaed7304174e79044b48b1062df71def72c7917297a6de5fdc29f314480b0d31d46a59df6590

          Download Submit

        • memory/1088-54-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1088-1-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1088-0-0x00000000009F0000-0x00000000009F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1184-96-0x000002D090A40000-0x000002D090A47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1184-101-0x0000000140000000-0x0000000140116000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3436-85-0x0000000140000000-0x0000000140116000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3436-82-0x000001D08E8E0000-0x000001D08E8E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3440-30-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-7-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-26-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-25-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-24-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-23-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-22-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-21-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-20-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-18-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-17-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-15-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-14-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-13-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-12-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-29-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-11-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-9-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-8-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-27-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-31-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-16-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-10-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-6-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-55-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-32-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-33-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-4-0x0000000002660000-0x0000000002661000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-3-0x00007FF815FBA000-0x00007FF815FBB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-19-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-42-0x00000000006F0000-0x00000000006F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3440-43-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-44-0x00007FF8167E0000-0x00007FF8167F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3440-45-0x00007FF8167D0000-0x00007FF8167E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3440-34-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-28-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3468-69-0x0000000140000000-0x0000000140116000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3468-65-0x0000000140000000-0x0000000140116000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3468-64-0x0000016880F80000-0x0000016880F87000-memory.dmp

          Filesize

          28KB

          Download