Overview

overview

10

Static

static

3

3c561335b8...18.dll

windows7-x64

10

3c561335b8...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    13-05-2024 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c561335b84b1b6ec405b90307df1495_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    3c561335b84b1b6ec405b90307df1495

  • SHA1

    96c6d79ab3982f5598a8883a46d3605f79bdcc2f

  • SHA256

    04cf75d0e0684e29799390a40209ee9a357fcd561af47662b26dee8954a31bcb

  • SHA512

    9424214f2ae46ae5e5b99f728872ac203554b1004c1aa2f4664cc36cb7f521b953a96783e86e243d4bae42f1099e5669858557568e0c980366d5231fa4fd0793

  • SSDEEP

    24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c561335b84b1b6ec405b90307df1495_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1676
  • C:\Windows\system32\FXSCOVER.exe
    C:\Windows\system32\FXSCOVER.exe
    1⤵
      PID:2708
    • C:\Users\Admin\AppData\Local\TuXc5ghi\FXSCOVER.exe
      C:\Users\Admin\AppData\Local\TuXc5ghi\FXSCOVER.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2448
    • C:\Windows\system32\FXSCOVER.exe
      C:\Windows\system32\FXSCOVER.exe
      1⤵
        PID:624
      • C:\Users\Admin\AppData\Local\iIsuk8u\FXSCOVER.exe
        C:\Users\Admin\AppData\Local\iIsuk8u\FXSCOVER.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2504
      • C:\Windows\system32\DevicePairingWizard.exe
        C:\Windows\system32\DevicePairingWizard.exe
        1⤵
          PID:2800
        • C:\Users\Admin\AppData\Local\QI8\DevicePairingWizard.exe
          C:\Users\Admin\AppData\Local\QI8\DevicePairingWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:308

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\QI8\MFC42u.dll
          Filesize

          1.3MB

          MD5

          14f8d91d4232b1ab1dd5dabacabc3286

          SHA1

          3bad9baf1c1d5f4854fcffde87489ce10007eb03

          SHA256

          2982addbb642dcd86e24db6bb14e8ddf1aea8731d84fb040b678459c338157e0

          SHA512

          04cec42235000c9a38e73f5b455063f28415125c1ab9fbbf66373005be4f7eecda266cb5bd17844fee61842c6cfdced79a7ee91ee6f6a762896a39ef49959b72

          Download Submit
        • C:\Users\Admin\AppData\Local\TuXc5ghi\MFC42u.dll
          Filesize

          1.3MB

          MD5

          22cb0c4d284de72ff56320515960cbe8

          SHA1

          931c6bb628b49ad504c0828ab711e25ca087706e

          SHA256

          b6577d5cb6d772732f0f4795fed9472835387cc8607a6a615cf9751872ed9261

          SHA512

          04d1277d9012751e73055ed7efeb3792db39f36e8b4c6cc23e05b7e298b639169f651356d303220f58375710a33252c701440eb00b1f04886da2f76b053ea426

          Download Submit
        • C:\Users\Admin\AppData\Local\iIsuk8u\MFC42u.dll
          Filesize

          1.3MB

          MD5

          4f5d0223839a54944f07e88a29ebb9cb

          SHA1

          8363d3a807ef6c2c21d72a098d9fd9a4d9848d03

          SHA256

          5dbca427891514719df22cef512d1cf80077c5a0c3fe1f75a4dab33b7c894b45

          SHA512

          08b57953f5e626561af403f74bb0d42eb7437c06c3b02ae78d3d0aa09f7ab4f791adebd44d162b8678ef076e8831ec7d88b0c9af31521fae330654009d1772f5

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk
          Filesize

          1KB

          MD5

          9c3358a453c04e313b8e510bf5d99b8d

          SHA1

          8337f6e3316bbee0451df47ce6ff7f6f6ce58329

          SHA256

          70b21af50a30340cbf60c7e501a86f71a35f7ae547ff0adff4641491ea99e858

          SHA512

          d53edb809b6d4404ca647d21deea3a893fa40338e014bb92ab9eb8f798b5843832433abaa0d8c66157a433f6513845663bcfa847f8a29246351af3ff8baeb400

          Download Submit
        • \Users\Admin\AppData\Local\QI8\DevicePairingWizard.exe
          Filesize

          73KB

          MD5

          9728725678f32e84575e0cd2d2c58e9b

          SHA1

          dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

          SHA256

          d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

          SHA512

          a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

          Download Submit
        • \Users\Admin\AppData\Local\TuXc5ghi\FXSCOVER.exe
          Filesize

          261KB

          MD5

          5e2c61be8e093dbfe7fc37585be42869

          SHA1

          ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

          SHA256

          3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

          SHA512

          90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

          Download Submit
        • memory/308-96-0x0000000140000000-0x0000000140149000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/308-93-0x0000000000080000-0x0000000000087000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1180-36-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1180-8-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1180-14-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1180-27-0x0000000077B80000-0x0000000077B82000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1180-24-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1180-26-0x00000000779F1000-0x00000000779F2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1180-25-0x0000000002DD0000-0x0000000002DD7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1180-13-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1180-4-0x00000000777E6000-0x00000000777E7000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1180-10-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1180-37-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1180-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1180-12-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1180-15-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1180-7-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1180-11-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1180-9-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1180-64-0x00000000777E6000-0x00000000777E7000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1676-45-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1676-3-0x00000000003A0000-0x00000000003A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1676-1-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2448-59-0x0000000140000000-0x0000000140149000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2448-54-0x0000000140000000-0x0000000140149000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2448-53-0x0000000000200000-0x0000000000207000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2504-72-0x0000000000270000-0x0000000000277000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2504-78-0x0000000140000000-0x0000000140149000-memory.dmp
          Filesize

          1.3MB

          Download