Overview

overview

10

Static

static

3

6d0edb0962...18.dll

windows7-x64

10

6d0edb0962...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d0edb09621edea7ddd4aba369632419_JaffaCakes118.dll

  • Size

    991KB

  • MD5

    6d0edb09621edea7ddd4aba369632419

  • SHA1

    90b7eb49388e711347ea0b7541141e6f1c35b4b3

  • SHA256

    2ea3c486674229c106c14ef49ebd4b2757963d866c102e90403c3e20fdb69365

  • SHA512

    e1be1ee0a45ec79c86751f6ba8f608ff98ca0475758bd28b74e6fabf9ce76f5b1f9d26012419e6547557dc93b6e752403a7415a1f59a6dc188391175bbe4dfe6

  • SSDEEP

    24576:yVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:yV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6d0edb09621edea7ddd4aba369632419_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1992
  • C:\Windows\system32\quickassist.exe
    C:\Windows\system32\quickassist.exe
    1⤵
      PID:4812
    • C:\Users\Admin\AppData\Local\kN7\quickassist.exe
      C:\Users\Admin\AppData\Local\kN7\quickassist.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3492
    • C:\Windows\system32\EhStorAuthn.exe
      C:\Windows\system32\EhStorAuthn.exe
      1⤵
        PID:4844
      • C:\Users\Admin\AppData\Local\yf8L\EhStorAuthn.exe
        C:\Users\Admin\AppData\Local\yf8L\EhStorAuthn.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3296
      • C:\Windows\system32\ProximityUxHost.exe
        C:\Windows\system32\ProximityUxHost.exe
        1⤵
          PID:4308
        • C:\Users\Admin\AppData\Local\9smg\ProximityUxHost.exe
          C:\Users\Admin\AppData\Local\9smg\ProximityUxHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1368

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9smg\ProximityUxHost.exe
          Filesize

          263KB

          MD5

          9ea326415b83d77295c70a35feb75577

          SHA1

          f8fc6a4f7f97b242f35066f61d305e278155b8a8

          SHA256

          192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f

          SHA512

          2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

          Download Submit
        • C:\Users\Admin\AppData\Local\9smg\WINMM.dll
          Filesize

          996KB

          MD5

          ea6e45fa0159bd10d6f6761b0b4a6363

          SHA1

          86bc737630f495c9389877f02ae44b4fd1e79cd3

          SHA256

          b570ea377f6eb2138b53811aaef335cdba7df4a5772a4f648a3a151de2164af8

          SHA512

          838946d39a258c879fe278aafcbf913a9a44a3266407620d0f22c57f997c5e0454df4f00c8a4dc2e12004fd80397b50cdf9f99552fd05c7ba8c94f4921989f32

          Download Submit
        • C:\Users\Admin\AppData\Local\kN7\UxTheme.dll
          Filesize

          994KB

          MD5

          ca696435bc7434e0393cc96656ca24ec

          SHA1

          acebca4ce3133e562252727c6e7fd5f5bea8bd06

          SHA256

          721dd874861fa7f7d6df3d55a4d283c012180a1739adec3e255925c56d779308

          SHA512

          0ef36d51e9f3593ff3728f05d2cc4ea6f9a51a9304eaf20442c389e2e02a876a906bae9de7a6fada385e8f19a58753c578dab3c4c91525a9a1c45f125fc493ec

          Download Submit
        • C:\Users\Admin\AppData\Local\kN7\quickassist.exe
          Filesize

          665KB

          MD5

          d1216f9b9a64fd943539cc2b0ddfa439

          SHA1

          6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

          SHA256

          c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

          SHA512

          c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

          Download Submit
        • C:\Users\Admin\AppData\Local\yf8L\EhStorAuthn.exe
          Filesize

          128KB

          MD5

          d45618e58303edb4268a6cca5ec99ecc

          SHA1

          1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

          SHA256

          d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

          SHA512

          5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

          Download Submit
        • C:\Users\Admin\AppData\Local\yf8L\UxTheme.dll
          Filesize

          994KB

          MD5

          7db221526ddd7b39d716193a7b62a9a4

          SHA1

          e5ff7161fb846203bfcb9e4e938d565783a62f24

          SHA256

          668489ad0ca293d8941a00ac65cd3d8551810c080c70596c2f6c0eb9f9dd87ff

          SHA512

          ed2842209fc6168f629472df41308bec2f1196314c1eb141cf3afb9d4e062064c91d86243a26939aa67be3fff03b731371949039318baa15a0f767a68912f3b7

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk
          Filesize

          1KB

          MD5

          9a73ac0f6a2d177115860fa4cb266ed0

          SHA1

          a852dab79c8aa7a70a4324e3c99f29de910e39af

          SHA256

          e34b3bb554a8445111ac3df5a7a278cd4e7ac653a514d33955f6b7004b269deb

          SHA512

          58ce8513f5ecf4c8d185fae363a80c7f146b18db087cce0395d6276452fe23577366ccd4783f0e9d6fe7d8e89528f02814dd58e386bf22dd10219098a4ef85a2

          Download Submit
        • memory/1368-78-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/1368-83-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/1992-0-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1992-3-0x0000000000D80000-0x0000000000D87000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1992-37-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3296-67-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3296-64-0x000002179D660000-0x000002179D667000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3420-7-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3420-28-0x00007FFB38A70000-0x00007FFB38A80000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3420-8-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3420-9-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3420-10-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3420-6-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3420-12-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3420-34-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3420-11-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3420-13-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3420-22-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3420-26-0x00007FFB37DFA000-0x00007FFB37DFB000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3420-27-0x0000000002AE0000-0x0000000002AE7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3420-4-0x0000000002CA0000-0x0000000002CA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3492-50-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3492-47-0x00000223E2B30000-0x00000223E2B37000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3492-45-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download