Overview

overview

10

Static

static

3

12c053b6a3...18.dll

windows7-x64

10

12c053b6a3...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-05-2024 12:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12c053b6a3b757d92ee5f63164376485_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    12c053b6a3b757d92ee5f63164376485

  • SHA1

    1a8139740f376f7f328ca8f253a2e3febf637f5e

  • SHA256

    d7f0e30e4f02bdda1c4bc20ab34b51529ca36fa239a19de5b608ba284c77945c

  • SHA512

    bf4e5fb030353a18052d3873dcef9e5f204323669ef79c070892f6b2b7e5a5db03bd23910dc74b28e9fe6815e6c8403b28611e39e3882e4acdcb868c63e87b53

  • SSDEEP

    24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\12c053b6a3b757d92ee5f63164376485_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3864
  • C:\Windows\system32\wusa.exe
    C:\Windows\system32\wusa.exe
    1⤵
      PID:4792
    • C:\Users\Admin\AppData\Local\22D34W\wusa.exe
      C:\Users\Admin\AppData\Local\22D34W\wusa.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2156
    • C:\Windows\system32\sigverif.exe
      C:\Windows\system32\sigverif.exe
      1⤵
        PID:3532
      • C:\Users\Admin\AppData\Local\0SajlNyJ\sigverif.exe
        C:\Users\Admin\AppData\Local\0SajlNyJ\sigverif.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2040
      • C:\Windows\system32\psr.exe
        C:\Windows\system32\psr.exe
        1⤵
          PID:1348
        • C:\Users\Admin\AppData\Local\1lSb9\psr.exe
          C:\Users\Admin\AppData\Local\1lSb9\psr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4864

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0SajlNyJ\VERSION.dll
          Filesize

          1.2MB

          MD5

          33bbeee4acee90e1b95161e6166d0a8f

          SHA1

          38d2d7dd49ad753762baf55cc50210ada6544350

          SHA256

          1433a48d434dea6081723ad016fbff3581348978ad74b7695524705b64710f2a

          SHA512

          eefa1aca6e59a64f79d398cbf13f19b0a64ad0206d86b5f48e3e45e0aa49bfe3b0e94dbcff46fb12f6fdbc72ab13666a15460d577efc53f0d8a42f6b444e9bf5

          Download Submit
        • C:\Users\Admin\AppData\Local\0SajlNyJ\sigverif.exe
          Filesize

          77KB

          MD5

          2151a535274b53ba8a728e542cbc07a8

          SHA1

          a2304c0f2616a7d12298540dce459dd9ccf07443

          SHA256

          064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

          SHA512

          e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

          Download Submit
        • C:\Users\Admin\AppData\Local\1lSb9\XmlLite.dll
          Filesize

          1.2MB

          MD5

          fdee8388d9cd87649f48984a3031b899

          SHA1

          d3c98fca65ed77c12d8bcddd43863eec2e87caec

          SHA256

          8b865155c520e384cce803110edb69930cb0bca582ac278539aca1b5e027c0f7

          SHA512

          000e8d05b98f6e729d0851bf5b09875074a53e629e60ad10694cf1004fbe2751e3e84d1ef2b7f57826c205db015285fd8f0096d3f5969cf7d10c94811935c709

          Download Submit
        • C:\Users\Admin\AppData\Local\1lSb9\psr.exe
          Filesize

          232KB

          MD5

          ad53ead5379985081b7c3f1f357e545a

          SHA1

          6f5aa32c1d15fbf073558fadafd046d97b60184e

          SHA256

          4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

          SHA512

          433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

          Download Submit
        • C:\Users\Admin\AppData\Local\22D34W\dpx.dll
          Filesize

          1.2MB

          MD5

          03eeb101454e583a39099cb8c899e52a

          SHA1

          452f95aba812e1ff730846e88f9e724188c5ea83

          SHA256

          dcd40424b719eabd5fb8842076cccc273ed51c7ad2c7fecc80942d1b829df4de

          SHA512

          543d94d7d4b0bb81ace7c444e3156b03b66e75470684596e7d0fbd8faf02afe3e8c2713ef20fa47470d0e9837006e08b142610ec4698fc16132f5013564c6926

          Download Submit
        • C:\Users\Admin\AppData\Local\22D34W\wusa.exe
          Filesize

          309KB

          MD5

          e43499ee2b4cf328a81bace9b1644c5d

          SHA1

          b2b55641f2799e3fdb3bea709c9532017bbac59d

          SHA256

          3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

          SHA512

          04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rnysjhcczxaxza.lnk
          Filesize

          1KB

          MD5

          058cd1d9720c5b5c48bcff6f9ad5f0a9

          SHA1

          0dfee552db272415ea84d559d53cfd1507056b61

          SHA256

          6b2328e6a0358679f988aa25f02045d675d43f23994a9e2f6a7a40a2c44c1ea3

          SHA512

          105f865d2d078db4ec9b8a9cf992d386580e4a169c187077532b6f908425cd45238aeb0353461601e109572ebd7d8c10bf20fd7270cde1c2eb907f6ee3345ee4

          Download Submit
        • memory/2040-68-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2040-62-0x0000024DBAE70000-0x0000024DBAE77000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2156-51-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2156-45-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2156-48-0x0000012A5B290000-0x0000012A5B297000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3428-28-0x00000000010B0000-0x00000000010B7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3428-14-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3428-9-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3428-8-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3428-35-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3428-6-0x00007FFCB039A000-0x00007FFCB039B000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3428-11-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3428-12-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3428-13-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3428-15-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3428-7-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3428-29-0x00007FFCB1930000-0x00007FFCB1940000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3428-24-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3428-10-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3428-4-0x00000000030D0000-0x00000000030D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3864-1-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3864-38-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3864-3-0x0000014E7C0F0000-0x0000014E7C0F7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4864-82-0x000001C518930000-0x000001C518937000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4864-85-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download