Overview

overview

10

Static

static

3

036e3859b6...18.dll

windows7-x64

10

036e3859b6...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-04-2024 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    036e3859b663301f666bc11f9655bc86_JaffaCakes118.dll

  • Size

    989KB

  • MD5

    036e3859b663301f666bc11f9655bc86

  • SHA1

    e1442aa7e7415fda529f1ed0d4845558d00354f7

  • SHA256

    729d4b47c771bb857a969a80d6fb82302896584a8c0a69fdcd6171489365008f

  • SHA512

    b1d001e641959a11195726aa12f2f4b810867ad003dd0eeb9c55a3479b1ae7e15b9e3142a2713abf758d3e5f7f20326af77d31cf5b573d28a62373513d945b50

  • SSDEEP

    24576:JVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:JV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\036e3859b663301f666bc11f9655bc86_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1968
  • C:\Windows\system32\PresentationSettings.exe
    C:\Windows\system32\PresentationSettings.exe
    1⤵
      PID:2412
    • C:\Users\Admin\AppData\Local\g5w3CmkM\PresentationSettings.exe
      C:\Users\Admin\AppData\Local\g5w3CmkM\PresentationSettings.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2428
    • C:\Windows\system32\msdtc.exe
      C:\Windows\system32\msdtc.exe
      1⤵
        PID:2708
      • C:\Users\Admin\AppData\Local\GSQNr\msdtc.exe
        C:\Users\Admin\AppData\Local\GSQNr\msdtc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2704
      • C:\Windows\system32\SystemPropertiesRemote.exe
        C:\Windows\system32\SystemPropertiesRemote.exe
        1⤵
          PID:1368
        • C:\Users\Admin\AppData\Local\RkT0\SystemPropertiesRemote.exe
          C:\Users\Admin\AppData\Local\RkT0\SystemPropertiesRemote.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1496

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\GSQNr\VERSION.dll
          Filesize

          990KB

          MD5

          a95669b93c95736cf7b4fb25dda16ef4

          SHA1

          f7eb698563940b7c94f82c652bd78cff8af70f3f

          SHA256

          e16614bd2fd0f55562629a7e1ae4190e5001be6496a7d69f6e46f83488362c21

          SHA512

          c5a1e51c6f37e9d14738ca4864e65ac8e0bcd456ab43eb5d20f327d305ad3f3338fe3fee1f7096a3056a465b883bc280f93d959161e9cf88312b2cd4461125f3

          Download Submit
        • C:\Users\Admin\AppData\Local\RkT0\SYSDM.CPL
          Filesize

          990KB

          MD5

          030ba8e86f34b2495869500d0aa64c6f

          SHA1

          15eefe7036d8bd0cda386acdbb6442cebd2844a2

          SHA256

          ca396a4d7e05157fceb6e3217b0aecbee6e72e5a118591b36905de9456736b32

          SHA512

          2647774fcaae3dd9f9ddb8f8db35fc810b5a9bc84e0d295c0648e82b3f4e38d4cf54ab07ed2ff16ec645d9dee5391011c439638e940caad49865dca331549402

          Download Submit
        • C:\Users\Admin\AppData\Local\g5w3CmkM\WINMM.dll
          Filesize

          994KB

          MD5

          ba6327ff71f90bb5a1576b53ebafcafa

          SHA1

          4fc622a96e2b8ddb07a145718dd178aa58e373f8

          SHA256

          8c4b0e3cb770339551a871a02c51d990141b7f1010a276023a0ed1ad178ee32a

          SHA512

          83ab48c744623d3490e0ca42d7933cc9e23fc77382c1982de5d723e5b3d377d0407cd14cd4b196a8a1c4f19eed1b89e1308d76c4039703600cfc858547ca8dbf

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnk
          Filesize

          1KB

          MD5

          810f27f203d3a7e5a2d528aa65777f00

          SHA1

          962419d826fff038d7f8bd896461abfdd3220e2b

          SHA256

          3b032ce497222b01e980baf4edf7034dcb4ea9943b04be2a9e83725b6333544a

          SHA512

          6d6ba3ff2c6594be260b2d8e767a9b32e460a8a2c907bf0b0c447c27da418c59940124e2036d36e73453ba38cabc72129ba47e175b23d28b5a13333706d55065

          Download Submit
        • \Users\Admin\AppData\Local\GSQNr\msdtc.exe
          Filesize

          138KB

          MD5

          de0ece52236cfa3ed2dbfc03f28253a8

          SHA1

          84bbd2495c1809fcd19b535d41114e4fb101466c

          SHA256

          2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

          SHA512

          69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

          Download Submit
        • \Users\Admin\AppData\Local\RkT0\SystemPropertiesRemote.exe
          Filesize

          80KB

          MD5

          d0d7ac869aa4e179da2cc333f0440d71

          SHA1

          e7b9a58f5bfc1ec321f015641a60978c0c683894

          SHA256

          5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

          SHA512

          1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

          Download Submit
        • \Users\Admin\AppData\Local\g5w3CmkM\PresentationSettings.exe
          Filesize

          172KB

          MD5

          a6f8d318f6041334889481b472000081

          SHA1

          b8cf08ec17b30c8811f2514246fcdff62731dd58

          SHA256

          208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

          SHA512

          60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

          Download Submit
        • memory/1176-26-0x0000000077040000-0x0000000077042000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1176-14-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1176-25-0x0000000076EB1000-0x0000000076EB2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1176-24-0x0000000002E40000-0x0000000002E47000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1176-12-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1176-11-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1176-10-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1176-9-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1176-23-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1176-35-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1176-36-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1176-4-0x0000000076DA6000-0x0000000076DA7000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1176-13-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1176-5-0x0000000002E30000-0x0000000002E31000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1176-70-0x0000000076DA6000-0x0000000076DA7000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1176-7-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1176-8-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1496-94-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1968-0-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1968-44-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1968-3-0x00000000001A0000-0x00000000001A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2428-58-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2428-55-0x0000000000110000-0x0000000000117000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2428-52-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2704-71-0x0000000000290000-0x0000000000297000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2704-72-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2704-77-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download