Overview

overview

10

Static

static

3

f5bdf9e867...18.dll

windows7-x64

10

f5bdf9e867...18.dll

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    17-04-2024 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5bdf9e867392a9fdd068bc4b5193e01_JaffaCakes118.dll

  • Size

    1.7MB

  • MD5

    f5bdf9e867392a9fdd068bc4b5193e01

  • SHA1

    2d78042993f6369a0cfeba80c85fce40c046617f

  • SHA256

    f989c27ef773e62ae146234b5b26601b7f4db4b87abc476dc13efceecbea46af

  • SHA512

    10bc1b07b6d7013c3a524738c25983b057b229434199d0feecfca6f17672c0bbf759edc89d7f2c297003d475e919bb00ab954083df7c6ea1e4779660bb8843bd

  • SSDEEP

    12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5bdf9e867392a9fdd068bc4b5193e01_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2196
  • C:\Windows\system32\rdpinit.exe
    C:\Windows\system32\rdpinit.exe
    1⤵
      PID:2976
    • C:\Users\Admin\AppData\Local\6DaiAg\rdpinit.exe
      C:\Users\Admin\AppData\Local\6DaiAg\rdpinit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2556
    • C:\Windows\system32\raserver.exe
      C:\Windows\system32\raserver.exe
      1⤵
        PID:2724
      • C:\Users\Admin\AppData\Local\Es4vX1\raserver.exe
        C:\Users\Admin\AppData\Local\Es4vX1\raserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1508
      • C:\Windows\system32\DevicePairingWizard.exe
        C:\Windows\system32\DevicePairingWizard.exe
        1⤵
          PID:2692
        • C:\Users\Admin\AppData\Local\qVMOb\DevicePairingWizard.exe
          C:\Users\Admin\AppData\Local\qVMOb\DevicePairingWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2768

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6DaiAg\WTSAPI32.dll
          Filesize

          1.7MB

          MD5

          710a762d1a6973d9c7770c99bcc5312c

          SHA1

          1ea4d21581e38a8fc910a742b651cd2f010af49d

          SHA256

          ddf11c2c469df8aff64473473820ba44a70fe7f51dd72a809972af4989ce304e

          SHA512

          c9e5325f6cd8de94ec7e418544c186aa4d68e7f809caa91d2d7319993b0cd41a89b01b7722b114e137a914f9853b9850ab51f31a6fa4992428333dc3545542fb

          Download Submit
        • C:\Users\Admin\AppData\Local\qVMOb\MFC42u.dll
          Filesize

          1.7MB

          MD5

          4a5efdf5f5d7d613ee7319b536244b06

          SHA1

          7b83f9d7b1823452698c7166866c022d01643dc0

          SHA256

          ca96ed52d8433bc0a435957d11e00656840652867b5df289d0473e422c2cf97f

          SHA512

          85013128e76cdeb17584bc37b43d44cc093aa42edd144c513f33085e27abaee7ead867efe17199172a93b10d1360752b5198dd39b7643177c5478e666b970e5f

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
          Filesize

          1KB

          MD5

          9f4825b8effd2d4f31bd154d4eb16ceb

          SHA1

          3b91cc389825eaea461288bddd2b20593a5907af

          SHA256

          4cf1fdbf1b6d381d65f6997156ffad18e45a5add528e0a7c375bbcb89c1833dc

          SHA512

          7cacc30af387716d51be6fe570b6cfcb6a0329d1d91cf69587aebac798ec710da485dd32bccada4662b84e5cb704c7f48e2a683d5c909227924a3d9ad7ec0a60

          Download Submit
        • \Users\Admin\AppData\Local\6DaiAg\rdpinit.exe
          Filesize

          174KB

          MD5

          664e12e0ea009cc98c2b578ff4983c62

          SHA1

          27b302c0108851ac6cc37e56590dd9074b09c3c9

          SHA256

          00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

          SHA512

          f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

          Download Submit
        • \Users\Admin\AppData\Local\Es4vX1\WTSAPI32.dll
          Filesize

          1.7MB

          MD5

          6a185dc09513c58cd27598de02286971

          SHA1

          9d40e43f7839f80e2274caafc88c1673b1f30a93

          SHA256

          3835c873e9bc33ce37de7464a7220306e8a368e63445d83296ef79601bb5eafb

          SHA512

          0c2ca9fa471dcb68268267d1713f16402b7ab65e9c26031cf5aa336605224c50408d7b0c0290c5be4324794ac309ec30e70fae0df15b452d7661368616216c15

          Download Submit
        • \Users\Admin\AppData\Local\Es4vX1\raserver.exe
          Filesize

          123KB

          MD5

          cd0bc0b6b8d219808aea3ecd4e889b19

          SHA1

          9f8f4071ce2484008e36fdfd963378f4ebad703f

          SHA256

          16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

          SHA512

          84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

          Download Submit
        • \Users\Admin\AppData\Local\qVMOb\DevicePairingWizard.exe
          Filesize

          73KB

          MD5

          9728725678f32e84575e0cd2d2c58e9b

          SHA1

          dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

          SHA256

          d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

          SHA512

          a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

          Download Submit
        • memory/1356-17-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-11-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-26-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-28-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-30-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-32-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-34-0x0000000002A60000-0x0000000002A67000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1356-31-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-29-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-40-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-27-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-25-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-24-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-42-0x00000000779A0000-0x00000000779A2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1356-41-0x0000000077841000-0x0000000077842000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1356-22-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-21-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-20-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-18-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-129-0x0000000077636000-0x0000000077637000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1356-15-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-14-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-12-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-23-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-10-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-8-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-4-0x0000000077636000-0x0000000077637000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1356-51-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-54-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-19-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-16-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-5-0x0000000002A80000-0x0000000002A81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1356-60-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-9-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1356-13-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1508-93-0x0000000140000000-0x00000001401A9000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1508-90-0x0000000000380000-0x0000000000387000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2196-7-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/2196-0-0x0000000140000000-0x00000001401A8000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/2196-1-0x0000000000110000-0x0000000000117000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2556-75-0x0000000140000000-0x00000001401A9000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/2556-70-0x0000000000100000-0x0000000000107000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2556-69-0x0000000140000000-0x00000001401A9000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/2768-105-0x0000000140000000-0x00000001401AF000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/2768-110-0x0000000140000000-0x00000001401AF000-memory.dmp
          Filesize

          1.7MB

          Download