Overview

overview

10

Static

static

3

c141b9a07b...18.dll

windows7-x64

10

c141b9a07b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2024 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c141b9a07b0399778d5fec3ef4752733_JaffaCakes118.dll

  • Size

    808KB

  • MD5

    c141b9a07b0399778d5fec3ef4752733

  • SHA1

    160d66bde8bb5c86a215373c547503c3f9b8ee59

  • SHA256

    0d13f2263bec1f51944342a3480bd51290abf1d96b31bdaad78202ead85bf179

  • SHA512

    f83207a62afd8425f98943f7346a8517ca3f2e05863ae5c90d9bcc1004df19201a9ea27c68eedbe3422a5634804b0cddb83560a2354988fff2a5e341f0d84ba4

  • SSDEEP

    12288:8dMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:OMIJxSDX3bqjhcfHk7MzH6z

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c141b9a07b0399778d5fec3ef4752733_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2040
  • C:\Windows\system32\msdt.exe
    C:\Windows\system32\msdt.exe
    1⤵
      PID:1808
    • C:\Users\Admin\AppData\Local\IhAayQu0H\msdt.exe
      C:\Users\Admin\AppData\Local\IhAayQu0H\msdt.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1728
    • C:\Windows\system32\EhStorAuthn.exe
      C:\Windows\system32\EhStorAuthn.exe
      1⤵
        PID:4588
      • C:\Users\Admin\AppData\Local\vh6NHsB\EhStorAuthn.exe
        C:\Users\Admin\AppData\Local\vh6NHsB\EhStorAuthn.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2248
      • C:\Windows\system32\rdpshell.exe
        C:\Windows\system32\rdpshell.exe
        1⤵
          PID:3720
        • C:\Users\Admin\AppData\Local\nz8C\rdpshell.exe
          C:\Users\Admin\AppData\Local\nz8C\rdpshell.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3824

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IhAayQu0H\msdt.exe
          Filesize

          421KB

          MD5

          992c3f0cc8180f2f51156671e027ae75

          SHA1

          942ec8c2ccfcacd75a1cd86cbe8873aee5115e29

          SHA256

          6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f

          SHA512

          1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

          Download Submit

        • C:\Users\Admin\AppData\Local\IhAayQu0H\wer.dll
          Filesize

          816KB

          MD5

          fcd5dfcb39be974b55225863a4909c98

          SHA1

          ca490062d1f3831524e04f639f540a8d421e9b1a

          SHA256

          a048954641c17dc4566710c4d6a2b507f57a6899263f02095e57799e6fcab22f

          SHA512

          70bc091fb5912a23adf4cf3839bc0a763d3fb4082f8ba515a81e6f92bd8634ad6156bc3f08b8af8b8628b92bb6da5dc83306fd1c15048616dc9d8e255c3bdf69

          Download Submit

        • C:\Users\Admin\AppData\Local\nz8C\dwmapi.dll
          Filesize

          812KB

          MD5

          b824169be7bac6affecbaba42b8bdb7c

          SHA1

          8b6ba411b235edeeba25d6acf87c84285a3a5066

          SHA256

          df8b7e306a7d09d43e3447db17dbace5092099d27c6b3315f9fd8d5e06f85d09

          SHA512

          0867589a92d206fd67adae82e23475f498639059c22fba68e53f680cea7727fcf9e77ef23e9fbcbe714212409367ab2e9dcc8cba10bb40509ef1d175b83eccdb

          Download Submit

        • C:\Users\Admin\AppData\Local\nz8C\rdpshell.exe
          Filesize

          468KB

          MD5

          428066713f225bb8431340fa670671d4

          SHA1

          47f6878ff33317c3fc09c494df729a463bda174c

          SHA256

          da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

          SHA512

          292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

          Download Submit

        • C:\Users\Admin\AppData\Local\vh6NHsB\EhStorAuthn.exe
          Filesize

          128KB

          MD5

          d45618e58303edb4268a6cca5ec99ecc

          SHA1

          1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

          SHA256

          d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

          SHA512

          5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

          Download Submit

        • C:\Users\Admin\AppData\Local\vh6NHsB\UxTheme.dll
          Filesize

          812KB

          MD5

          ce4671c68666a68c9da82f63641fa238

          SHA1

          72a5aa0572910eb5e99afa01a7838022dbd5de29

          SHA256

          cf5accd5346c62ed5eef91bb3b4e45f37ece6dab9c4cc1efbe2c1316a6a78326

          SHA512

          89fc2cf14e8d36196e0e4744b69da62975ded99583ccc15558d581f8803506d7f47d34cf156e493edd69284b17e7e0c15cb8dd1037959e3958ccfeb90a678ccc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk
          Filesize

          733B

          MD5

          9101b829838708695e3538ca9ee7b4da

          SHA1

          48bb7dbe123853426f51c11c43ffe0b85fa6301b

          SHA256

          58f10867f5ba0b5cb5e4a9383ee2b800907f4928d61fbed1234e40f2d732cb7d

          SHA512

          3a474c75a0e9d2024c28c74cca0de6a9aa3f8d8c6fda3bf94762ce29a6837dfab11b2485e7fb04c278c4648fbbc98b0fc535c569a2abffbfde11eab8dd68a222

          Download Submit

        • memory/1728-68-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/1728-65-0x000001A191D00000-0x000001A191D07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1728-63-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/2040-56-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/2040-0-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/2040-2-0x000002338E680000-0x000002338E687000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2248-80-0x0000000140000000-0x00000001400CB000-memory.dmp

          Filesize

          812KB

          Download

        • memory/2248-79-0x000001BB920D0000-0x000001BB920D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2248-84-0x0000000140000000-0x00000001400CB000-memory.dmp

          Filesize

          812KB

          Download

        • memory/3492-30-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-7-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-25-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-24-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-23-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-20-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-19-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-18-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-17-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-16-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-14-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-13-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-12-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-9-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-8-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-33-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-21-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-10-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-11-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-26-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-6-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-27-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-28-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-29-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-31-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-41-0x0000000001000000-0x0000000001007000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3492-42-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-43-0x00007FFA46780000-0x00007FFA46790000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3492-53-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-44-0x00007FFA46770000-0x00007FFA46780000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3492-32-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-22-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-15-0x0000000140000000-0x00000001400CA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/3492-3-0x0000000002F70000-0x0000000002F71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3492-5-0x00007FFA45EFA000-0x00007FFA45EFB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3824-100-0x0000000140000000-0x00000001400CB000-memory.dmp

          Filesize

          812KB

          Download

        • memory/3824-97-0x000001D73BC70000-0x000001D73BC77000-memory.dmp

          Filesize

          28KB

          Download