Overview

overview

10

Static

static

3

ecf41eed01...18.dll

windows7-x64

10

ecf41eed01...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-04-2024 08:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecf41eed01b51896a22420497a67777d_JaffaCakes118.dll

  • Size

    2.9MB

  • MD5

    ecf41eed01b51896a22420497a67777d

  • SHA1

    1c960b966c49ce5f8c30676469f5ba470e3d1706

  • SHA256

    57f113bc0d460ba8e1749e7f6adce5d8c895516b193bbe9ae6395e26e8b9273e

  • SHA512

    205ce72c7fca3bd646995d2a5ffad654e2f91516a1f729fd9b06aace74bddda06a95b50c000edcc57678072fed18eabfbefd165a7c552fe2cffdbf48c63824c2

  • SSDEEP

    12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecf41eed01b51896a22420497a67777d_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2040
  • C:\Windows\system32\SystemPropertiesPerformance.exe
    C:\Windows\system32\SystemPropertiesPerformance.exe
    1⤵
      PID:2608
    • C:\Users\Admin\AppData\Local\OSWR\SystemPropertiesPerformance.exe
      C:\Users\Admin\AppData\Local\OSWR\SystemPropertiesPerformance.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:704
    • C:\Windows\system32\msconfig.exe
      C:\Windows\system32\msconfig.exe
      1⤵
        PID:2196
      • C:\Users\Admin\AppData\Local\6qieOD\msconfig.exe
        C:\Users\Admin\AppData\Local\6qieOD\msconfig.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1640
      • C:\Windows\system32\rdpinit.exe
        C:\Windows\system32\rdpinit.exe
        1⤵
          PID:2728
        • C:\Users\Admin\AppData\Local\mBKVNsg3Y\rdpinit.exe
          C:\Users\Admin\AppData\Local\mBKVNsg3Y\rdpinit.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1508

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\OSWR\SYSDM.CPL
          Filesize

          2.9MB

          MD5

          3499cd77eed5b1ac44a103930ab767bd

          SHA1

          0d3af1fb5692598ced3a49cc0757856c773f86e6

          SHA256

          c2b3f3cd3d2d97205107299f4ea96764bf8d0cdf7c925a710cc490594e25e50b

          SHA512

          b8db7df8cfeaaf563f7d7a43a176b480d4e97b79712055900da97cc3439d87b26d7833524cbe272443841988bd00adb82a7bec73bdf8cb59a5429208e62f946a

          Download Submit
        • C:\Users\Admin\AppData\Local\mBKVNsg3Y\slc.dll
          Filesize

          2.9MB

          MD5

          f8803841456366ab4292657cda4f02ca

          SHA1

          76ce514cc985c706c4da2ddc15f3cbc5c1a47075

          SHA256

          1700105c28227306c182b22767f58299c4bd24f71f5421959f5a6e1b7c893a77

          SHA512

          e2f7a533d93f5319d7edda12006cab26e8dd9081bb78a267251e3d1ec86df1cba8b5795078bc28bd8bffa8740f54a21a3f5985fddc8b47f156b93b86baf96709

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Sufsomsdbcivkn.lnk
          Filesize

          1KB

          MD5

          2aec0b1b32ae9a6fb70384caf5b9ac29

          SHA1

          9a8c277daa24ad36ef15ea0ec07de8e9b7ed9239

          SHA256

          48c3fa06a416f13d2fa2fb1e4021fea26df830e9dc42ba38833def9bf47232af

          SHA512

          f913fcae4c2a3314c12ea6db3c00e4560106026e12c0a836556b004be81a20cff82d971317c35af375c8e8a42b952cabc8c83dcefa610ec26f99460a15d94cb7

          Download Submit
        • \Users\Admin\AppData\Local\6qieOD\MFC42u.dll
          Filesize

          2.9MB

          MD5

          35b8cf5ea414c4a7d23be84ed28f23c5

          SHA1

          72c971d51899379fe754247bdc948e35915fe974

          SHA256

          1cecaf859aade9e4ca3d4db8d74c8a6b8a66302b6f7b2231f8d91c9e77691985

          SHA512

          80b4c566bb91e720434e73702cceb82fe7cf46750b6db85ea8035b7ca0689f124c5e9cf00f2f395bc0fe9695e38791fdf22cf4e1034ccef222978093cd7b5ef3

          Download Submit
        • \Users\Admin\AppData\Local\6qieOD\msconfig.exe
          Filesize

          293KB

          MD5

          e19d102baf266f34592f7c742fbfa886

          SHA1

          c9c9c45b7e97bb7a180064d0a1962429f015686d

          SHA256

          f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

          SHA512

          1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

          Download Submit
        • \Users\Admin\AppData\Local\OSWR\SystemPropertiesPerformance.exe
          Filesize

          80KB

          MD5

          870726cdcc241a92785572628b89cc07

          SHA1

          63d47cc4fe9beb75862add1abca1d8ae8235710a

          SHA256

          1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

          SHA512

          89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

          Download Submit
        • \Users\Admin\AppData\Local\mBKVNsg3Y\rdpinit.exe
          Filesize

          174KB

          MD5

          664e12e0ea009cc98c2b578ff4983c62

          SHA1

          27b302c0108851ac6cc37e56590dd9074b09c3c9

          SHA256

          00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

          SHA512

          f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

          Download Submit
        • memory/704-107-0x0000000000100000-0x0000000000107000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1280-50-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-23-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-20-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-21-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-19-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-18-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-17-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-16-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-22-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-27-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-26-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-25-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-24-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-48-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-29-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-28-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-33-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-34-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-32-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-31-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-30-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-35-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-42-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-43-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-47-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-40-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-39-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-38-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-37-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-36-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-4-0x0000000076C26000-0x0000000076C27000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1280-51-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-52-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-15-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-41-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-46-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-45-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-44-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-54-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-53-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-49-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-60-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-61-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-59-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-58-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-57-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-56-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-55-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-63-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-62-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-64-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-65-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-70-0x0000000002A70000-0x0000000002A77000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1280-79-0x0000000076E31000-0x0000000076E32000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1280-80-0x0000000076F90000-0x0000000076F92000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1280-7-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-9-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-10-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-11-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-12-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-5-0x0000000002A60000-0x0000000002A61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1280-13-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-14-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/1280-143-0x0000000076C26000-0x0000000076C27000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1640-125-0x00000000001F0000-0x00000000001F7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2040-0-0x0000000000120000-0x0000000000127000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2040-1-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/2040-8-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download