Overview

overview

10

Static

static

3

1a284e601d...18.dll

windows7-x64

10

1a284e601d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06-05-2024 01:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a284e601d4b39b13a2c1ea67fe0433b_JaffaCakes118.dll

  • Size

    986KB

  • MD5

    1a284e601d4b39b13a2c1ea67fe0433b

  • SHA1

    396f1bbc283017fe8a3df5bd487d2731e7fe347f

  • SHA256

    3b7790a2520c63e35ddae8ac5a3aed6c09b16a1a3506d414c6aedfc65cba9b34

  • SHA512

    eb7ffe8c4f1da82e188214ed7af8ddd518afb30173cf058ac6ff54176f357fb95f629f36965342b5791dd5b85a82d5a9c8965866f480e356c4adba156f1d3386

  • SSDEEP

    24576:dVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:dV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a284e601d4b39b13a2c1ea67fe0433b_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2060
  • C:\Windows\system32\icardagt.exe
    C:\Windows\system32\icardagt.exe
    1⤵
      PID:2520
    • C:\Users\Admin\AppData\Local\saer\icardagt.exe
      C:\Users\Admin\AppData\Local\saer\icardagt.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2568
    • C:\Windows\system32\wbengine.exe
      C:\Windows\system32\wbengine.exe
      1⤵
        PID:2288
      • C:\Users\Admin\AppData\Local\uY1Ux\wbengine.exe
        C:\Users\Admin\AppData\Local\uY1Ux\wbengine.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:500
      • C:\Windows\system32\taskmgr.exe
        C:\Windows\system32\taskmgr.exe
        1⤵
          PID:2696
        • C:\Users\Admin\AppData\Local\U1GT7oq\taskmgr.exe
          C:\Users\Admin\AppData\Local\U1GT7oq\taskmgr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2812

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\saer\VERSION.dll
          Filesize

          986KB

          MD5

          8be573546ae6967fb6da27b05a6c6d9a

          SHA1

          a80263920f6d7beb096159367d6425fedb7ec7a8

          SHA256

          73650d7af752a6aae47ddd4b05cfd5075c51810d11cd638ddd132ac46382803c

          SHA512

          660afdb2035cfcf871d7302148c2918f5ca83f5f5604f7f02596d7c324413599bcf308755dadda4c408814e43d8047094ebc29b43ae68a9594546bd89f2c2d55

          Download Submit
        • C:\Users\Admin\AppData\Local\uY1Ux\wbengine.exe
          Filesize

          1.4MB

          MD5

          78f4e7f5c56cb9716238eb57da4b6a75

          SHA1

          98b0b9db6ec5961dbb274eff433a8bc21f7e557b

          SHA256

          46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

          SHA512

          1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnk
          Filesize

          1KB

          MD5

          07b3057fed334276e586bd5e7d4e2f15

          SHA1

          2f7a154d9fc5002d3d480260afabb60766b81ae6

          SHA256

          f45e228c0660239ef1e854ed29d3f5095201178417ea3cdaac5da08e058d8b9a

          SHA512

          5bd77d59f8b009a964bc74ab0d3e5be03d99d7de52f5b0761bc9054462b89e6e3f35f44951f63aeffffe644700387179d4f5ab904bdcc690834f88948bd335d7

          Download Submit
        • \Users\Admin\AppData\Local\U1GT7oq\Secur32.dll
          Filesize

          989KB

          MD5

          d4155b71404c14f20881a5d034a6bfad

          SHA1

          34e8984f4a897fe6c5db78ad8ce3f3b2295b9a91

          SHA256

          4e1b13043cfc10d1659d76d95758de1ac4282d8f3f6104ace7d01d9684ea4edf

          SHA512

          e0d6fce0bf04954e8017b1e8e2ae4f483bb8987f1ac774cc399b20ebd3bf33484fe0b185bbd7319bd2081e2f015bef525407415f84ca4f9f688ad0da60aa90af

          Download Submit
        • \Users\Admin\AppData\Local\U1GT7oq\taskmgr.exe
          Filesize

          251KB

          MD5

          09f7401d56f2393c6ca534ff0241a590

          SHA1

          e8b4d84a28e5ea17272416ec45726964fdf25883

          SHA256

          6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

          SHA512

          7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

          Download Submit
        • \Users\Admin\AppData\Local\saer\icardagt.exe
          Filesize

          1.3MB

          MD5

          2fe97a3052e847190a9775431292a3a3

          SHA1

          43edc451ac97365600391fa4af15476a30423ff6

          SHA256

          473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

          SHA512

          93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

          Download Submit
        • \Users\Admin\AppData\Local\uY1Ux\XmlLite.dll
          Filesize

          986KB

          MD5

          e40436f61113c15f054d633473c44fc5

          SHA1

          405d46fb002d9a793ff9550c89b12c96ec8f1a4e

          SHA256

          d8a247fe416c22a1e1d294378b07569648b199b9f63ed5c741fdcd5618ab554d

          SHA512

          2be38608b69fa0ab9bd11bce41e4a802a7f69a813bcb629344c2f9ff8a2e326be3a6f04f21eb2745c753c29792d1603c2ba23730d9785197c1740398f1f5fcaf

          Download Submit
        • memory/500-74-0x00000000000A0000-0x00000000000A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/500-76-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-13-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1204-23-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1204-10-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1204-9-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1204-8-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1204-26-0x0000000077AF0000-0x0000000077AF2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1204-25-0x0000000077961000-0x0000000077962000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-35-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1204-39-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1204-4-0x0000000077856000-0x0000000077857000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-12-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1204-5-0x0000000003CA0000-0x0000000003CA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-73-0x0000000077856000-0x0000000077857000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-7-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1204-24-0x0000000002D10000-0x0000000002D17000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1204-14-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1204-11-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/2060-0-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/2060-44-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/2060-3-0x00000000001A0000-0x00000000001A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2568-58-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2568-55-0x0000000000200000-0x0000000000207000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2568-52-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2812-94-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download