Overview

overview

10

Static

static

3

4de1802eee...18.dll

windows7-x64

10

4de1802eee...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-05-2024 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4de1802eeeb526cee64cf6946d1bdc4a_JaffaCakes118.dll

  • Size

    994KB

  • MD5

    4de1802eeeb526cee64cf6946d1bdc4a

  • SHA1

    79f7ba91361abcca592416d8b408c83249b40547

  • SHA256

    e167ea16a662e535c35f519dc669ea9ce70c91bff456e0fd6738fb62ea42fb2c

  • SHA512

    11ede8d741dd2a7ee9c3d32800ac88a8075bf4b9dce83ede1f9285bb5b9acf80455564428d9f1599d505b2e8a8e7fa1bcef5983a2675e2ff7d0eb6a6b44fbbd6

  • SSDEEP

    24576:dVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:dV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4de1802eeeb526cee64cf6946d1bdc4a_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4688
  • C:\Windows\system32\cmstp.exe
    C:\Windows\system32\cmstp.exe
    1⤵
      PID:2800
    • C:\Users\Admin\AppData\Local\XPcnJFHOY\cmstp.exe
      C:\Users\Admin\AppData\Local\XPcnJFHOY\cmstp.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4348
    • C:\Windows\system32\RecoveryDrive.exe
      C:\Windows\system32\RecoveryDrive.exe
      1⤵
        PID:4460
      • C:\Users\Admin\AppData\Local\cCnkr\RecoveryDrive.exe
        C:\Users\Admin\AppData\Local\cCnkr\RecoveryDrive.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3812
      • C:\Windows\system32\wbengine.exe
        C:\Windows\system32\wbengine.exe
        1⤵
          PID:3364
        • C:\Users\Admin\AppData\Local\XVU\wbengine.exe
          C:\Users\Admin\AppData\Local\XVU\wbengine.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1720

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\XPcnJFHOY\VERSION.dll
          Filesize

          995KB

          MD5

          87d91faea4e81d9f28a03277ca691111

          SHA1

          478cc35381b33ad25f771fac8792c5dbb6de678e

          SHA256

          0e11009a7db215cb6eac978a481ad5ad21f422087bafd7b61fc5e2eb5a0c229a

          SHA512

          e6c2ab09d087aa4466332a7297122b6845a735ce7c2c2ada785591e17000a555295c52797d5b7d73069730d0712a9761d0e8fab3274b09938ffde1df296ae57f

          Download Submit
        • C:\Users\Admin\AppData\Local\XPcnJFHOY\cmstp.exe
          Filesize

          96KB

          MD5

          4cc43fe4d397ff79fa69f397e016df52

          SHA1

          8fd6cf81ad40c9b123cd75611860a8b95c72869c

          SHA256

          f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

          SHA512

          851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

          Download Submit
        • C:\Users\Admin\AppData\Local\XVU\SPP.dll
          Filesize

          994KB

          MD5

          54a2ace00d82c7b5a988e1af75a600ec

          SHA1

          884cc24de799c44b97ea3b267454ce511829db33

          SHA256

          06b39e58d8957937afaeab2818338ce595808aa5f1c9bf86db5e8d8793894722

          SHA512

          5b76db9e2486d58faf37de755c1d6b6010256ff666e464dc987c25cd8a9c64255b1239202ef343dea480bc906ce5c684f13fbbb8d4fb459f83b38cf0ffdc579f

          Download Submit
        • C:\Users\Admin\AppData\Local\XVU\wbengine.exe
          Filesize

          1.5MB

          MD5

          17270a354a66590953c4aac1cf54e507

          SHA1

          715babcc8e46b02ac498f4f06df7937904d9798d

          SHA256

          9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

          SHA512

          6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

          Download Submit
        • C:\Users\Admin\AppData\Local\cCnkr\ReAgent.dll
          Filesize

          996KB

          MD5

          15f6adae87013aa0cf7c3d9fe66255a4

          SHA1

          90efbc1294a0eff99a729223f6ccc7b243ceb438

          SHA256

          14bc3adb79291d84915a6e6aa1a0cfcceee234e4b8da26eb4b7b82676d512b5a

          SHA512

          b21d9716a6b785ed5b9e9f36b3ea882e14d0149b10746ed733db8f97b5f28e15f58c7db53cc0654e9dac3d56eef79a67d57b6e02a9064ae99b1b4a6c239783d7

          Download Submit
        • C:\Users\Admin\AppData\Local\cCnkr\RecoveryDrive.exe
          Filesize

          911KB

          MD5

          b9b3dc6f2eb89e41ff27400952602c74

          SHA1

          24ae07e0db3ace0809d08bbd039db3a9d533e81b

          SHA256

          630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

          SHA512

          7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zgbuverbplpthj.lnk
          Filesize

          1KB

          MD5

          b29c5216ead50ccea39d78efccfd8a8e

          SHA1

          e34ab9d63d445504c1d3a11cd93abe9038a0d53e

          SHA256

          5bf32e2da5042a1402768d25f94d9d03def86e229478df16e1610485e5426d71

          SHA512

          021eb74ec096113272941b80f678b8f5a670dc6a612b54d01cd17da800241a7a794a9d5487ffeeb4fb3e61031ccc7320392d80fb3c5d059b37f5b3aa5b655831

          Download Submit
        • memory/1720-84-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3388-8-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3388-7-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3388-13-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3388-11-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3388-10-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3388-9-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3388-4-0x00000000023D0000-0x00000000023D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3388-22-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3388-6-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3388-31-0x0000000000550000-0x0000000000557000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3388-34-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3388-30-0x00007FFA14D2A000-0x00007FFA14D2B000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3388-12-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3388-32-0x00007FFA16BB0000-0x00007FFA16BC0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3812-68-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/3812-62-0x0000019E2D190000-0x0000019E2D197000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4348-45-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/4348-51-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/4348-48-0x0000021F826B0000-0x0000021F826B7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4688-37-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4688-0-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/4688-3-0x000001F394C10000-0x000001F394C17000-memory.dmp
          Filesize

          28KB

          Download