Overview

overview

10

Static

static

3

4de1802eee...18.dll

windows7-x64

10

4de1802eee...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    17-05-2024 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4de1802eeeb526cee64cf6946d1bdc4a_JaffaCakes118.dll

  • Size

    994KB

  • MD5

    4de1802eeeb526cee64cf6946d1bdc4a

  • SHA1

    79f7ba91361abcca592416d8b408c83249b40547

  • SHA256

    e167ea16a662e535c35f519dc669ea9ce70c91bff456e0fd6738fb62ea42fb2c

  • SHA512

    11ede8d741dd2a7ee9c3d32800ac88a8075bf4b9dce83ede1f9285bb5b9acf80455564428d9f1599d505b2e8a8e7fa1bcef5983a2675e2ff7d0eb6a6b44fbbd6

  • SSDEEP

    24576:dVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:dV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4de1802eeeb526cee64cf6946d1bdc4a_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2420
  • C:\Windows\system32\slui.exe
    C:\Windows\system32\slui.exe
    1⤵
      PID:2472
    • C:\Users\Admin\AppData\Local\B38zovd\slui.exe
      C:\Users\Admin\AppData\Local\B38zovd\slui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2784
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe
      1⤵
        PID:2480
      • C:\Users\Admin\AppData\Local\Hrmk\mmc.exe
        C:\Users\Admin\AppData\Local\Hrmk\mmc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2524
      • C:\Windows\system32\tcmsetup.exe
        C:\Windows\system32\tcmsetup.exe
        1⤵
          PID:1444
        • C:\Users\Admin\AppData\Local\uyE30p\tcmsetup.exe
          C:\Users\Admin\AppData\Local\uyE30p\tcmsetup.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2440

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\B38zovd\slc.dll
          Filesize

          995KB

          MD5

          370e136fd73f1a5fa8bee39fb2473ce6

          SHA1

          5f80221b29e926b1a75182d431a223c8890a4c98

          SHA256

          ab69fbb72dccc0c38552c580dd6561c9977da99458de7ef1ae2a7901b035a03e

          SHA512

          769ccae85683e75b55545e789b18dbde5d0682c41eea3f822585548ffa7008fdf7649cef2bc7bccee109456c5ceac3605bb31e13f8976f3eceb61c556fc41dad

          Download Submit
        • C:\Users\Admin\AppData\Local\Hrmk\UxTheme.dll
          Filesize

          996KB

          MD5

          1603bd60b136e0ccf3052f1828fbf72d

          SHA1

          f2e89719a2330060ffcf6e35aaeb8e52b9588bd9

          SHA256

          da435f2949c32006264fd310a3d8d4793e70e8cc8321e751cde6e9eabc0dec0f

          SHA512

          7c4614283ed2a2d986032c7cf9aa4845d151c36ac92f3e4d144ed0b75c3df881c3b54020b1ea4871b5d43165f07585f336e42c804e884a1747b9177f97c73eee

          Download Submit
        • C:\Users\Admin\AppData\Local\uyE30p\TAPI32.dll
          Filesize

          1002KB

          MD5

          d6772a5261849a58dda86a7760a598da

          SHA1

          87796c230bbe98cb7ab5955e60ffc3296592107e

          SHA256

          26a962eae9bd5b948c22a10eeefb31cab9d78f1f5ee6c5b9dbe24bb7985fc9bb

          SHA512

          7523d5c94b859a37a435051ac46368a3f6ea3773c41635ad8f5d310064529a3984d82a89fb1f2256bf35fb1c9a7779dbc7fa45ee1ed53048786c374f88b99817

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gemerzbimpg.lnk
          Filesize

          1KB

          MD5

          2f6eabe1ef0503304576b0df0cedff19

          SHA1

          868628adc12b9f49ae9acabdcbc7b23ba38274e5

          SHA256

          774f2efabbb18b2f12c447b1ce48fc7329af934c6884721e2a0908b09b79ce2b

          SHA512

          8533f947c5ada60d141f47806557915540665f97395fc83dac8c8a659da56be1479697e3699a6b401081dafe6955aed191fa086594132367c4fc9c1d5f1aec05

          Download Submit
        • \Users\Admin\AppData\Local\B38zovd\slui.exe
          Filesize

          341KB

          MD5

          c5ce5ce799387e82b7698a0ee5544a6d

          SHA1

          ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

          SHA256

          34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

          SHA512

          79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

          Download Submit
        • \Users\Admin\AppData\Local\Hrmk\mmc.exe
          Filesize

          2.0MB

          MD5

          9fea051a9585f2a303d55745b4bf63aa

          SHA1

          f5dc12d658402900a2b01af2f018d113619b96b8

          SHA256

          b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

          SHA512

          beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

          Download Submit
        • \Users\Admin\AppData\Local\uyE30p\tcmsetup.exe
          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

          Download Submit
        • memory/1184-36-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1184-13-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1184-25-0x0000000076E31000-0x0000000076E32000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1184-24-0x0000000002D90000-0x0000000002D97000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1184-23-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1184-12-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1184-11-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1184-10-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1184-9-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1184-4-0x0000000076C26000-0x0000000076C27000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1184-35-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1184-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1184-14-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1184-28-0x0000000076FC0000-0x0000000076FC2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1184-8-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1184-7-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1184-63-0x0000000076C26000-0x0000000076C27000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2420-44-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2420-1-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2420-3-0x0000000000120000-0x0000000000127000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2440-89-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/2440-92-0x00000000000A0000-0x00000000000A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2440-95-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/2524-71-0x0000000000180000-0x0000000000187000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2524-77-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2784-58-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2784-55-0x00000000001B0000-0x00000000001B7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2784-52-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download