Overview

overview

10

Static

static

3

3173e2551f...18.dll

windows7-x64

10

3173e2551f...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 22:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3173e2551fd79567f5818bb1f1d98c79_JaffaCakes118.dll

  • Size

    991KB

  • MD5

    3173e2551fd79567f5818bb1f1d98c79

  • SHA1

    2db6358760c912f1c724445878b12a6873ad30e0

  • SHA256

    3f812c9450e03e319c53151a7d187d9e5627779c631dcce038b480bad6bcf144

  • SHA512

    701c4c5e2be7e92a0c50d0c5eb7393164b4295fcfe4a32947302ed70b54f5ec714d5b8ca64752783d768b7797b87ec1604a96bbfa1ed536d9e0a5f8b5cb8bc1a

  • SSDEEP

    24576:SVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:SV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3173e2551fd79567f5818bb1f1d98c79_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2868
  • C:\Windows\system32\rdpclip.exe
    C:\Windows\system32\rdpclip.exe
    1⤵
      PID:2456
    • C:\Users\Admin\AppData\Local\bnBEz\rdpclip.exe
      C:\Users\Admin\AppData\Local\bnBEz\rdpclip.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2412
    • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
      C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
      1⤵
        PID:2392
      • C:\Users\Admin\AppData\Local\ik3uuCW7Y\SystemPropertiesDataExecutionPrevention.exe
        C:\Users\Admin\AppData\Local\ik3uuCW7Y\SystemPropertiesDataExecutionPrevention.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2324
      • C:\Windows\system32\spinstall.exe
        C:\Windows\system32\spinstall.exe
        1⤵
          PID:2396
        • C:\Users\Admin\AppData\Local\nOLiDs\spinstall.exe
          C:\Users\Admin\AppData\Local\nOLiDs\spinstall.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2676

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\bnBEz\WINSTA.dll
          Filesize

          996KB

          MD5

          4435c4a9f55a357859f31a2a84b012ec

          SHA1

          69e90a891efc4dd97d9e41bbe6975f20c27b13da

          SHA256

          0f77d5d86c8cc7500ca63cecdb2d20b9734124665c1e982e12e67cd6cdf6d3d1

          SHA512

          7fe444d1497b4efeb639c5a0da0fd34992d3c1fe0ec43b2f188f99092936a720949f560d1c11c585ef8dfaea51ac9ac24de94ae789a39fa08c099b86fd28c3d3

          Download Submit
        • C:\Users\Admin\AppData\Local\bnBEz\rdpclip.exe
          Filesize

          206KB

          MD5

          25d284eb2f12254c001afe9a82575a81

          SHA1

          cf131801fdd5ec92278f9e0ae62050e31c6670a5

          SHA256

          837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

          SHA512

          7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

          Download Submit
        • C:\Users\Admin\AppData\Local\ik3uuCW7Y\SYSDM.CPL
          Filesize

          991KB

          MD5

          4612082c93a9384a4b2df1e308d8bc8a

          SHA1

          a5703538705397dc021cec2307a6335ecf7b28b2

          SHA256

          2d0b02f380c7e4e048fccd00fb52a61da195f17973f1feea368ee2b14682d020

          SHA512

          e17d6c1251cf2f44c1a1ba6be6c5567b3f248efbc0482f6f0fe0441a254b99331610b368f44d180f3d7f86ed09b7ee566ff744a259e53933c1eecf0bd60beed6

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
          Filesize

          1KB

          MD5

          bf5fd3d84159902a08a8f32233c6b78c

          SHA1

          d5576abb06f8256cb245b195d9be81c3283ce3d0

          SHA256

          09a11b262e620c58bd9b3f2bab66783d352f026c7ffa85c38df3884bb21114b4

          SHA512

          4604a8a02461f9a17b69323bf651b5215348f852aafabb569e13e345207ab8465dbf4ae0162c267661d95a682bcde1d78430da2f49f5811c3edfa729c121d140

          Download Submit
        • \Users\Admin\AppData\Local\ik3uuCW7Y\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          80KB

          MD5

          e43ff7785fac643093b3b16a9300e133

          SHA1

          a30688e84c0b0a22669148fe87680b34fcca2fba

          SHA256

          c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

          SHA512

          61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

          Download Submit
        • \Users\Admin\AppData\Local\nOLiDs\spinstall.exe
          Filesize

          584KB

          MD5

          29c1d5b330b802efa1a8357373bc97fe

          SHA1

          90797aaa2c56fc2a667c74475996ea1841bc368f

          SHA256

          048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

          SHA512

          66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

          Download Submit
        • \Users\Admin\AppData\Local\nOLiDs\wer.dll
          Filesize

          994KB

          MD5

          9ef60235aabf8942fc76faed98da3da4

          SHA1

          0ad96353f5edb7ef8e90d1b81ea4e4f7e40e26c6

          SHA256

          c6ed38d35e4303e6d699ae65a80275dcc05495b70a3fb3134f0f41938d49dc7b

          SHA512

          f5341bdad7a35a4b9613c517d1b993671bf395bd7c0064a79d3c310987f5c53c0f820d8273cecf131f15470042376fe9fb8e82534d9f422f63ad2d79d967d3f5

          Download Submit
        • memory/1192-27-0x0000000077820000-0x0000000077822000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1192-15-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1192-12-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1192-11-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1192-10-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1192-9-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1192-8-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1192-14-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1192-7-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1192-4-0x0000000077486000-0x0000000077487000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-36-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1192-37-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1192-5-0x0000000002220000-0x0000000002221000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-13-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1192-26-0x0000000077691000-0x0000000077692000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-25-0x0000000002200000-0x0000000002207000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1192-24-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1192-53-0x0000000077486000-0x0000000077487000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2324-72-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2324-77-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2412-60-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/2412-54-0x00000000000F0000-0x00000000000F7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2412-55-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/2676-94-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2868-45-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2868-1-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2868-0-0x0000000000120000-0x0000000000127000-memory.dmp
          Filesize

          28KB

          Download