Overview

overview

10

Static

static

3

ecf41eed01...18.dll

windows7-x64

10

ecf41eed01...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-04-2024 08:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecf41eed01b51896a22420497a67777d_JaffaCakes118.dll

  • Size

    2.9MB

  • MD5

    ecf41eed01b51896a22420497a67777d

  • SHA1

    1c960b966c49ce5f8c30676469f5ba470e3d1706

  • SHA256

    57f113bc0d460ba8e1749e7f6adce5d8c895516b193bbe9ae6395e26e8b9273e

  • SHA512

    205ce72c7fca3bd646995d2a5ffad654e2f91516a1f729fd9b06aace74bddda06a95b50c000edcc57678072fed18eabfbefd165a7c552fe2cffdbf48c63824c2

  • SSDEEP

    12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecf41eed01b51896a22420497a67777d_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2572
  • C:\Windows\system32\SysResetErr.exe
    C:\Windows\system32\SysResetErr.exe
    1⤵
      PID:1636
    • C:\Users\Admin\AppData\Local\y80e\SysResetErr.exe
      C:\Users\Admin\AppData\Local\y80e\SysResetErr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:688
    • C:\Windows\system32\sessionmsg.exe
      C:\Windows\system32\sessionmsg.exe
      1⤵
        PID:4088
      • C:\Users\Admin\AppData\Local\XuvDQMCK\sessionmsg.exe
        C:\Users\Admin\AppData\Local\XuvDQMCK\sessionmsg.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4588
      • C:\Windows\system32\phoneactivate.exe
        C:\Windows\system32\phoneactivate.exe
        1⤵
          PID:4912
        • C:\Users\Admin\AppData\Local\jMxPPBik\phoneactivate.exe
          C:\Users\Admin\AppData\Local\jMxPPBik\phoneactivate.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3684

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\XuvDQMCK\DUser.dll
          Filesize

          2.9MB

          MD5

          044da909479745fad833cbceddf14be6

          SHA1

          f29b5a0e1efa65f8134057ef836a240ded2561ed

          SHA256

          cd53f5f2e1c4956937d09742da7cea8dd648008762e6c3068f3a58efd72e231f

          SHA512

          42780d8df01422dc80ccc4b11d9709a8d0e8011a10fcc335ef187de6a968992ba3451104bf611bcbf72b26c2b87de1985b8035b07f42d8446d2de11bc17cc2c0

          Download Submit
        • C:\Users\Admin\AppData\Local\XuvDQMCK\sessionmsg.exe
          Filesize

          85KB

          MD5

          480f710806b68dfe478ca1ec7d7e79cc

          SHA1

          b4fc97fed2dbff9c4874cb65ede7b50699db37cd

          SHA256

          2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

          SHA512

          29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

          Download Submit
        • C:\Users\Admin\AppData\Local\jMxPPBik\SLC.dll
          Filesize

          2.9MB

          MD5

          5a24a380511d4f7e38c16357c3d11bd0

          SHA1

          b4e3e28dc2e51e9d147896cf37ea994865a6a76f

          SHA256

          b7ca1d0e15b97880cea0b016ca6633be8ae3f5dc694cf9f7583d90fed4e2010d

          SHA512

          55eafd3e8aff59773824706aa1c3b0e04f87a0658a9b7ab5fdc411de3783dcd01356353df93f29d8c71666074f13a8eb74d23d852f4b666f6cd217dfe918dfe4

          Download Submit
        • C:\Users\Admin\AppData\Local\jMxPPBik\phoneactivate.exe
          Filesize

          107KB

          MD5

          32c31f06e0b68f349f68afdd08e45f3d

          SHA1

          e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

          SHA256

          cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

          SHA512

          fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

          Download Submit
        • C:\Users\Admin\AppData\Local\y80e\DUI70.dll
          Filesize

          3.2MB

          MD5

          bc8f118b257d3bc4f14e0b149ab53975

          SHA1

          22ebb4f31e4a2d737c271f72a9fee7ecf0f7b23e

          SHA256

          30341dcab0ab1f70aebd9e2337ae039ec99d4c4b0ea646a1ba8aeacc89384677

          SHA512

          bd555b524ef520123e0e07855b795730237d1255c6935c49d5b142d5c526235cf4a8f91730830ebfc64eba8405a0592f0cfa4f0c9366ccf7d9fd37f0b99525f3

          Download Submit
        • C:\Users\Admin\AppData\Local\y80e\SysResetErr.exe
          Filesize

          41KB

          MD5

          090c6f458d61b7ddbdcfa54e761b8b57

          SHA1

          c5a93e9d6eca4c3842156cc0262933b334113864

          SHA256

          a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

          SHA512

          c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qielivq.lnk
          Filesize

          1KB

          MD5

          557c262accc0aa9d77fc802d40480e4f

          SHA1

          939c8d3afbecf0daf3b5c54c474079608c9aac67

          SHA256

          107cf7b60e5f917b2e09c620d6010a908429566afa28bf84224b532edbdab14e

          SHA512

          6fa950514ffce79de8c4905bd0a54fbf4998b3635a6a10e2e47305f3b59020a0fedadfcb8582873492d19647206297d24770d70da65a4f1c7e23cdc57d65b3e5

          Download Submit
        • memory/688-100-0x00000217A31A0000-0x00000217A31A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2572-0-0x000001540C7F0000-0x000001540C7F7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2572-1-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/2572-8-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-35-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-41-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-12-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-13-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-14-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-15-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-16-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-17-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-18-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-19-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-20-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-21-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-22-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-23-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-24-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-25-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-26-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-27-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-29-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-28-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-30-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-32-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-31-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-33-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-34-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-11-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-36-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-37-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-38-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-39-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-40-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-7-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-42-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-43-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-44-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-45-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-46-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-47-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-48-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-50-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-49-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-51-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-53-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-54-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-52-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-55-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-58-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-56-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-57-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-59-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-60-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-62-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-61-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-63-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-10-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-65-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-64-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-71-0x0000000000F60000-0x0000000000F67000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3504-79-0x00007FFF93D60000-0x00007FFF93D70000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3504-5-0x00007FFF91E3A000-0x00007FFF91E3B000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3504-9-0x0000000140000000-0x00000001402E1000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/3504-4-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3684-133-0x00000268E0060000-0x00000268E0067000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4588-116-0x000001E0B7930000-0x000001E0B7937000-memory.dmp
          Filesize

          28KB

          Download