Overview

overview

10

Static

static

3

2e41aa5a63...18.dll

windows7-x64

10

2e41aa5a63...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 08:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e41aa5a63fd65eeec06fb0a3f6f0f74_JaffaCakes118.dll

  • Size

    990KB

  • MD5

    2e41aa5a63fd65eeec06fb0a3f6f0f74

  • SHA1

    35aab120500000294092906bc18b9932f94341a5

  • SHA256

    9254cc93684a65329fc8c16f8e8ed6efb8414660f3091c9926d92d594e159e5e

  • SHA512

    16f5661d173f6c376c73f38586ae7f059f501f00e518b66cb34f4a0a646db956251b63734061636f12dffb0283636c99d00b4a96086f768eacb1a992c6fd0016

  • SSDEEP

    24576:pVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:pV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e41aa5a63fd65eeec06fb0a3f6f0f74_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1700
  • C:\Windows\system32\rdpshell.exe
    C:\Windows\system32\rdpshell.exe
    1⤵
      PID:2624
    • C:\Users\Admin\AppData\Local\6V6s8\rdpshell.exe
      C:\Users\Admin\AppData\Local\6V6s8\rdpshell.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2520
    • C:\Windows\system32\eudcedit.exe
      C:\Windows\system32\eudcedit.exe
      1⤵
        PID:2720
      • C:\Users\Admin\AppData\Local\cwr\eudcedit.exe
        C:\Users\Admin\AppData\Local\cwr\eudcedit.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2796
      • C:\Windows\system32\dialer.exe
        C:\Windows\system32\dialer.exe
        1⤵
          PID:2528
        • C:\Users\Admin\AppData\Local\ElA4I\dialer.exe
          C:\Users\Admin\AppData\Local\ElA4I\dialer.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1696

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6V6s8\WINSTA.dll
          Filesize

          995KB

          MD5

          cc93cd0244f5953ae5d9504ab354978d

          SHA1

          a970cc6144bc0882aec938da7155a469f06cd01e

          SHA256

          e8e73e0d1e88143bbc1cb8adff3dbe4628e3eeb2e71b3d72f3a63c122dbb5e1d

          SHA512

          a6bd826d2ea3b90e00f3eb1125b1bddd41f438e286adf6b566971641669f2b5ada0bafd54180c9be2df8533975ca931e2ad86862af000ed1bd384eda696f80cf

          Download Submit
        • C:\Users\Admin\AppData\Local\ElA4I\TAPI32.dll
          Filesize

          998KB

          MD5

          4ad65274f413ef6a6c48d9f8c3aed836

          SHA1

          743376e6d2bcc6ad527a606ed5f07eaf6a38e085

          SHA256

          e1b34ca517554adc9f26cba09153c2eafeff93c73db2ed7a2eed248bf910364f

          SHA512

          ea414c687cb4e17045667a76b498e5b47c43e31d0cf1d5e802d8dabc0775c113d72f64e85c833f5b5c6e01456b64f61e5d4353a88306b8e37126519b50beca70

          Download Submit
        • C:\Users\Admin\AppData\Local\cwr\MFC42u.dll
          Filesize

          1017KB

          MD5

          e0f131a0b4ec5a872a20ee7fb303d610

          SHA1

          1c8e1e01dd63fdf34288d37794f2f89d4cd05a13

          SHA256

          767dda3451fce6d35cd429f70d272bf0a5d4013102bb4f5b9c01681d94429e02

          SHA512

          ee51f7cfcb452554cca32f2024a3c250931a73a448ff52f2e5f6cf2e4a6de9c9fa8e0c8ca035f5ac4e25c33f37c11ca0d34925abb6c2c7ffedaccb291d25472a

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
          Filesize

          1KB

          MD5

          292ee8dc7c5a491bd7913c9600d156c1

          SHA1

          c46a44ac6b733974d74e2a549b8d74cbaa9bf433

          SHA256

          6440b44cdc222bf50476c85e26d60933c192c1658e2c9637d6e57f272fd05388

          SHA512

          e7513d0ba6e7f8bf9cdf815338c2f45f0fab7beee6775f9728526b19536f9cd3eb05c9a4b4fb68bba5e47d869035747f1e2c0a8254ea94d9b0cb533245eac1bc

          Download Submit
        • \Users\Admin\AppData\Local\6V6s8\rdpshell.exe
          Filesize

          292KB

          MD5

          a62dfcea3a58ba8fcf32f831f018fe3f

          SHA1

          75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

          SHA256

          f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

          SHA512

          9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

          Download Submit
        • \Users\Admin\AppData\Local\ElA4I\dialer.exe
          Filesize

          34KB

          MD5

          46523e17ee0f6837746924eda7e9bac9

          SHA1

          d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

          SHA256

          23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

          SHA512

          c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

          Download Submit
        • \Users\Admin\AppData\Local\cwr\eudcedit.exe
          Filesize

          351KB

          MD5

          35e397d6ca8407b86d8a7972f0c90711

          SHA1

          6b39830003906ef82442522d22b80460c03f6082

          SHA256

          1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde

          SHA512

          71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

          Download Submit
        • memory/1204-26-0x0000000077401000-0x0000000077402000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-11-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-25-0x0000000002970000-0x0000000002977000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1204-12-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-10-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-24-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-15-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-13-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-27-0x0000000077590000-0x0000000077592000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1204-4-0x00000000772F6000-0x00000000772F7000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-37-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-36-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-5-0x0000000002990000-0x0000000002991000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-14-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-9-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-71-0x00000000772F6000-0x00000000772F7000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-8-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-7-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1696-89-0x0000000000190000-0x0000000000197000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1696-95-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/1700-45-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1700-0-0x0000000001D00000-0x0000000001D07000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1700-1-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2520-59-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/2520-54-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/2520-53-0x0000000000110000-0x0000000000117000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2796-72-0x0000000140000000-0x0000000140104000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2796-77-0x0000000140000000-0x0000000140104000-memory.dmp
          Filesize

          1.0MB

          Download