Overview

overview

10

Static

static

3

390a10d9dd...18.dll

windows7-x64

10

390a10d9dd...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    12-05-2024 07:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    390a10d9dd8696c4e65bccab37765595_JaffaCakes118.dll

  • Size

    1012KB

  • MD5

    390a10d9dd8696c4e65bccab37765595

  • SHA1

    ea431bf6ae141df4983d8085f76d96df8dbbf3c6

  • SHA256

    8eca4d43a12f1fd21b5f43dbd6db31229c7e4eddbb21c3f1492ac0af27a27268

  • SHA512

    b65bca41907ec81c3840bcad087c1bdb11bec6a1498d3be8d6331a9af785a9e6836b8adbb57789c6f856f6d92fedb1422411d2e55d71a3344cb8832917d26b7e

  • SSDEEP

    24576:lVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:lV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\390a10d9dd8696c4e65bccab37765595_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2380
  • C:\Windows\system32\rdpinit.exe
    C:\Windows\system32\rdpinit.exe
    1⤵
      PID:1676
    • C:\Users\Admin\AppData\Local\7pD\rdpinit.exe
      C:\Users\Admin\AppData\Local\7pD\rdpinit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2468
    • C:\Windows\system32\notepad.exe
      C:\Windows\system32\notepad.exe
      1⤵
        PID:2848
      • C:\Users\Admin\AppData\Local\9wOMLzD\notepad.exe
        C:\Users\Admin\AppData\Local\9wOMLzD\notepad.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2860
      • C:\Windows\system32\DisplaySwitch.exe
        C:\Windows\system32\DisplaySwitch.exe
        1⤵
          PID:2796
        • C:\Users\Admin\AppData\Local\PCo5\DisplaySwitch.exe
          C:\Users\Admin\AppData\Local\PCo5\DisplaySwitch.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2128

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\7pD\WTSAPI32.dll
          Filesize

          1014KB

          MD5

          585a9851e04759ab036e0156ae9d81f1

          SHA1

          f771d96b91137916cf5caf20e80f10aa51adee6c

          SHA256

          96fdac1b6981b65114155f42473e547d3cf8a97836f09fcce67a886fcc06f972

          SHA512

          f46246e2781842d20898520c73dd8b3ec3cfbe39d705f8a59ea4b310b4e1d9b87da8823a63abec0ab83dfec1aab94374fa34c9f0df585d446abb1a4587e5b9dc

          Download Submit

        • C:\Users\Admin\AppData\Local\9wOMLzD\VERSION.dll
          Filesize

          1013KB

          MD5

          1e992b8eefa3d43642f6d0e429c6888b

          SHA1

          b3fcc485d2d9579ef820663a091882c96e062f12

          SHA256

          06cb594f58e7749a53ad4cd969095d4f25a5a13cc38fb06cbabc03d93c4cb8b0

          SHA512

          0d3f48353f6052e29b61b5ed0ec268b7e59182278e2e9ce68ef5c80bf37c48d2324a599286d9829ba9307d37d0d4617aa155fd50e951da743189927c17ff1e5f

          Download Submit

        • C:\Users\Admin\AppData\Local\PCo5\slc.dll
          Filesize

          1014KB

          MD5

          cf4f6f3015e3c47c34497fda90f06856

          SHA1

          a7014ae37d718627cb2bab3df73c502eeb92b482

          SHA256

          afa33d4b67fa22c8dd99fe5d5f1ee832c8e3c82c4b1e0baf08b047e277ffaf7f

          SHA512

          0eb04a1cdd08f9617095d897a79c873c003c3d9e6b7044ece4914aa5fe471c855a555aacb4dd654d07a57381df8e72844918493d3b345571940c10f9092d77b4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
          Filesize

          948B

          MD5

          006f109be53479d43fa668a83af81495

          SHA1

          82ea4d7e6acc0b45e599ab39e41e25467ec75c4e

          SHA256

          fbce4ef72e4c023c932f941b5585af0b216740bb5d105466e069f7e8fb22c6ce

          SHA512

          77ccc6e8f4988d3e27b10cbfd00b5967721f55183dae734a44c6d9911cf334fdfb93a8c37546bd66bb5b271585ce2b0eb6c01c3a9c7d775ceaa4f71c58ceef33

          Download Submit

        • \Users\Admin\AppData\Local\7pD\rdpinit.exe
          Filesize

          174KB

          MD5

          664e12e0ea009cc98c2b578ff4983c62

          SHA1

          27b302c0108851ac6cc37e56590dd9074b09c3c9

          SHA256

          00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

          SHA512

          f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

          Download Submit

        • \Users\Admin\AppData\Local\9wOMLzD\notepad.exe
          Filesize

          189KB

          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit

        • \Users\Admin\AppData\Local\PCo5\DisplaySwitch.exe
          Filesize

          517KB

          MD5

          b795e6138e29a37508285fc31e92bd78

          SHA1

          d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

          SHA256

          01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

          SHA512

          8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

          Download Submit

        • memory/1256-37-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1256-8-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1256-13-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1256-12-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1256-11-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1256-10-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1256-26-0x0000000077160000-0x0000000077162000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1256-25-0x0000000076FD1000-0x0000000076FD2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1256-24-0x00000000024B0000-0x00000000024B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1256-4-0x0000000076DC6000-0x0000000076DC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1256-35-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1256-5-0x00000000024D0000-0x00000000024D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1256-14-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1256-23-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1256-7-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1256-9-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1256-63-0x0000000076DC6000-0x0000000076DC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2128-94-0x0000000140000000-0x0000000140103000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2380-44-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2380-3-0x00000000003D0000-0x00000000003D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2380-0-0x0000000140000000-0x0000000140102000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2468-58-0x0000000140000000-0x0000000140103000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2468-55-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2468-52-0x0000000140000000-0x0000000140103000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2860-71-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2860-77-0x0000000140000000-0x0000000140103000-memory.dmp

          Filesize

          1.0MB

          Download