Overview

overview

10

Static

static

3

a206030ef4...18.dll

windows7-x64

10

a206030ef4...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-06-2024 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a206030ef4a2be9cb767a15d62722e09_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    a206030ef4a2be9cb767a15d62722e09

  • SHA1

    0385df49ad9737c157449e23c94077063ac761ca

  • SHA256

    810703d8679c42fdc80712f3c968b5391fec1a07e64fb62f32ca480fa6517703

  • SHA512

    302f3951ed1e68c72ed7a4dc2248da465b0a64c5bc6decb310cca78b182bf44bbd4531176806a1cc55dced86ff41fe232940a05dbaeb6c0f0f18e92dd50a3c70

  • SSDEEP

    24576:KVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL81:KV8hf6STw1ZlQauvzSq01ICe6zvmG

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a206030ef4a2be9cb767a15d62722e09_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:5020
  • C:\Windows\system32\Utilman.exe
    C:\Windows\system32\Utilman.exe
    1⤵
      PID:5068
    • C:\Users\Admin\AppData\Local\qi6Vo3TI0\Utilman.exe
      C:\Users\Admin\AppData\Local\qi6Vo3TI0\Utilman.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1652
    • C:\Windows\system32\BitLockerWizard.exe
      C:\Windows\system32\BitLockerWizard.exe
      1⤵
        PID:3380
      • C:\Users\Admin\AppData\Local\KcPMcLBK\BitLockerWizard.exe
        C:\Users\Admin\AppData\Local\KcPMcLBK\BitLockerWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4300
      • C:\Windows\system32\ApplicationFrameHost.exe
        C:\Windows\system32\ApplicationFrameHost.exe
        1⤵
          PID:2200
        • C:\Users\Admin\AppData\Local\Mo0KQrz\ApplicationFrameHost.exe
          C:\Users\Admin\AppData\Local\Mo0KQrz\ApplicationFrameHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:776

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\KcPMcLBK\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit
        • C:\Users\Admin\AppData\Local\KcPMcLBK\FVEWIZ.dll
          Filesize

          1.2MB

          MD5

          4011258dba1b7494b18a4619d248ead8

          SHA1

          a1acd176d3314325e2d0d152491df8b63068010b

          SHA256

          2141b23f070e6ad63820e218a303d875c0e031526d873d57df2aeb76f7a077af

          SHA512

          97f40c35278de7d5952d6e99b1b048b9f8864f5d2da419a2df5234629d7950a9cf9e02b62da254fe7eb01fd9b4708d1aebaef9d672098c2966f3519740c095a0

          Download Submit
        • C:\Users\Admin\AppData\Local\Mo0KQrz\ApplicationFrameHost.exe
          Filesize

          76KB

          MD5

          d58a8a987a8dafad9dc32a548cc061e7

          SHA1

          f79fc9e0ab066cad530b949c2153c532a5223156

          SHA256

          cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

          SHA512

          93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

          Download Submit
        • C:\Users\Admin\AppData\Local\Mo0KQrz\dxgi.dll
          Filesize

          1.2MB

          MD5

          65ccc9dac11555ea4c78dd3c2843bd72

          SHA1

          98430c06976c93f5ad5c870ed9d070dbce4be9f9

          SHA256

          445851c1900dfa768cec2307e1474fc88bb4365812959316d9fdec441a92f3af

          SHA512

          96152d991b04e9d2ccd76eaca175ffc6f613d5745a2cde7fb4a0febaf02a1237fed7cc761b8f9a2f9adf601be8c3981531ed9f57a21fe986c6a586ca39360eb0

          Download Submit
        • C:\Users\Admin\AppData\Local\qi6Vo3TI0\DUser.dll
          Filesize

          1.2MB

          MD5

          c80eb48c715172735cee88cbf895350d

          SHA1

          c9e4da0e642338e0bd92a9fe3567a5b5b20319e9

          SHA256

          6048f0fc5cd0c8e844bd1ee344b878b3a7687d10d8193a6ab5257addcb9fd6e2

          SHA512

          112bdf4e1fa9d08aed0ec6239cd58cbb9c5803a5bacce51ec0baea41b69838a9a43aa676ca85c2d2a8db8eff02b0dc04a53ce56e9549c8c1fed60c9a1c77bc9a

          Download Submit
        • C:\Users\Admin\AppData\Local\qi6Vo3TI0\Utilman.exe
          Filesize

          123KB

          MD5

          a117edc0e74ab4770acf7f7e86e573f7

          SHA1

          5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

          SHA256

          b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

          SHA512

          72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Jbphew.lnk
          Filesize

          1KB

          MD5

          86cc1cb1dd0038550a85fb8de96c8a33

          SHA1

          b5d93b0783e63f42c849b5fa54c5428b6c8af754

          SHA256

          e4f98b0165b6a477ad0c02853ce9aa70ac89eeb410895c3cbd956d090bc0519c

          SHA512

          f4fd2b377cb8960b0f922670283d2a525fff6d808a8bd28ae68c2619fc3b3e112abc6d78d47a1acd20271191b7273d2c2d2d77c11fa0121dd498909132f4ce01

          Download Submit
        • memory/776-86-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/776-83-0x000002A02B130000-0x000002A02B137000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1652-52-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1652-49-0x00000209E5560000-0x00000209E5567000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1652-46-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3536-34-0x0000000000560000-0x0000000000567000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3536-13-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3536-9-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3536-7-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3536-15-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3536-6-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3536-10-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3536-11-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3536-12-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3536-8-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3536-33-0x00007FFA0D5CA000-0x00007FFA0D5CB000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3536-4-0x0000000000B60000-0x0000000000B61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3536-35-0x00007FFA0D7D0000-0x00007FFA0D7E0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3536-36-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3536-24-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3536-14-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/4300-69-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/4300-66-0x000001D026500000-0x000001D026507000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4300-63-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/5020-39-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/5020-1-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/5020-0-0x000001C174A40000-0x000001C174A47000-memory.dmp
          Filesize

          28KB

          Download