Overview

overview

10

Static

static

3

7596189221...18.dll

windows7-x64

10

7596189221...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 13:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7596189221cc1444abc71fd71e5b14c4_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    7596189221cc1444abc71fd71e5b14c4

  • SHA1

    f69891c14dd3c9a5c3a8d5f68140ba66e0d54978

  • SHA256

    c374dfc39dd2bf0ef434458bbfd67713b224790ac0555d7f9e27707a8951d6cf

  • SHA512

    1e586b41eb3a757536d61bab08e319959980b2a8502e4d86b75cb443acd0287014ab39363ede54924bac2618cf1e617ea876d05ac3b13a8a46315a1291dfda3a

  • SSDEEP

    24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7596189221cc1444abc71fd71e5b14c4_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2816
  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    1⤵
      PID:3984
    • C:\Users\Admin\AppData\Local\0p0u8\recdisc.exe
      C:\Users\Admin\AppData\Local\0p0u8\recdisc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3340
    • C:\Windows\system32\tcmsetup.exe
      C:\Windows\system32\tcmsetup.exe
      1⤵
        PID:432
      • C:\Users\Admin\AppData\Local\O32V\tcmsetup.exe
        C:\Users\Admin\AppData\Local\O32V\tcmsetup.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1884
      • C:\Windows\system32\bdechangepin.exe
        C:\Windows\system32\bdechangepin.exe
        1⤵
          PID:3352
        • C:\Users\Admin\AppData\Local\cAgFPW5I\bdechangepin.exe
          C:\Users\Admin\AppData\Local\cAgFPW5I\bdechangepin.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4300

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0p0u8\ReAgent.dll
          Filesize

          1.2MB

          MD5

          2ff7fbc8a98106cc32e3c8270faf62ad

          SHA1

          6fb61a54dc6d6df6e17aed85b68aa398daeed3c0

          SHA256

          0f5dc3ad737ac9bcfe2e7fd62a51d88dab576dc6721190bf55e969717f87a28a

          SHA512

          cf21d4e5acf9a350c4cdcea06eeab9ad9e97f6fbac8cc6fa38214b0f973f6d5eb71afba4c92720b9563219e425d89adc7bc8cddf36645ad011a5b93f611b3bfc

          Download Submit
        • C:\Users\Admin\AppData\Local\0p0u8\recdisc.exe
          Filesize

          193KB

          MD5

          18afee6824c84bf5115bada75ff0a3e7

          SHA1

          d10f287a7176f57b3b2b315a5310d25b449795aa

          SHA256

          0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

          SHA512

          517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

          Download Submit
        • C:\Users\Admin\AppData\Local\O32V\TAPI32.dll
          Filesize

          1.2MB

          MD5

          77eb13927b545476f835efa21d230a0a

          SHA1

          eabf8cc470b5a1a4cfa0e0774d84ae8d5b3e6ce1

          SHA256

          3d5f76a32ca0afc4815a6bd6a7d77fe27ecee79c98345a57a6ee4c89c89235c4

          SHA512

          81ac5af30de55be24913c54449aa8c2d35fd0b409c3ac7db289d75f9fd4a391d5bdf3ced5d76af4467640b45a2b7eaf05fdc914c8a70e2848c85e0353632fc37

          Download Submit
        • C:\Users\Admin\AppData\Local\O32V\tcmsetup.exe
          Filesize

          16KB

          MD5

          58f3b915b9ae7d63431772c2616b0945

          SHA1

          6346e837da3b0f551becb7cac6d160e3063696e9

          SHA256

          e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

          SHA512

          7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

          Download Submit
        • C:\Users\Admin\AppData\Local\cAgFPW5I\DUI70.dll
          Filesize

          1.5MB

          MD5

          43a5648997c20b6b41a275ee61d74177

          SHA1

          6e957aea4343d3efcc6dc6c3017e2a3171c6001b

          SHA256

          2427682fd5df901e15e3f3ac4e0d94b23da6cfb14efbadd10476c9fd1308c314

          SHA512

          98afb22840a33e845990e77f522e5982978133227289f200ed375bab91f4ff3cb8c0307ae62d77c0bd469bfc91a50ee0827892cdaec02e95350670b2af689b39

          Download Submit
        • C:\Users\Admin\AppData\Local\cAgFPW5I\bdechangepin.exe
          Filesize

          373KB

          MD5

          601a28eb2d845d729ddd7330cbae6fd6

          SHA1

          5cf9f6f9135c903d42a7756c638333db8621e642

          SHA256

          4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

          SHA512

          1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
          Filesize

          1KB

          MD5

          6fc23575edc9d55b9cbf158f4c79e9dc

          SHA1

          4b31262800e2a1f1a416226fa4ca8ab25c6f58f9

          SHA256

          29a4ff10b6c93c5ad2aff8d87e78d3b1b6ae613d1ddf0121f42735b580651e9f

          SHA512

          ec34d93fa925c5e2af9c1722f7c073ee93377c1a3946d0a3329549dcbeb5f796c55bca115ace1597c292497a76962a6eb4b1553f9002aab51c153435ab5521b8

          Download Submit
        • memory/1884-69-0x0000000140000000-0x0000000140146000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1884-63-0x0000000140000000-0x0000000140146000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1884-66-0x0000016AE7EB0000-0x0000016AE7EB7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2816-3-0x0000022AC38D0000-0x0000022AC38D7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2816-39-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2816-1-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3340-52-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3340-49-0x000001B273D50000-0x000001B273D57000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3340-46-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-30-0x00007FFF85070000-0x00007FFF85080000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3456-28-0x0000000008210000-0x0000000008217000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3456-9-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-10-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-11-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-13-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-14-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-15-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-16-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-7-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-36-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-25-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-12-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-8-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3456-4-0x0000000008230000-0x0000000008231000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3456-6-0x00007FFF8452A000-0x00007FFF8452B000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4300-80-0x0000000140000000-0x000000014018A000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/4300-86-0x0000000140000000-0x000000014018A000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/4300-83-0x0000018A8CB20000-0x0000018A8CB27000-memory.dmp
          Filesize

          28KB

          Download