Overview

overview

10

Static

static

3

54af4213db...18.dll

windows7-x64

10

54af4213db...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2024 12:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54af4213db5f39efc01549040d6bd451_JaffaCakes118.dll

  • Size

    994KB

  • MD5

    54af4213db5f39efc01549040d6bd451

  • SHA1

    0d8faf654805116aba476def35902b5c4f9ac363

  • SHA256

    5af0a2900c62e7719bab11ff2e1b919266722b295b68e36c7112d036cc15afb5

  • SHA512

    8e3608df45d882c57400e9f1497a8f9e9be57a519626ff72c28c40c7833c915beb5544b06f4b34217b3c0c0f7b2696bbf72ff78a7182a3e7247ee81055b57b4d

  • SSDEEP

    24576:dVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:dV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\54af4213db5f39efc01549040d6bd451_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1152
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    1⤵
      PID:2640
    • C:\Users\Admin\AppData\Local\rEWC6Yq\sigverif.exe
      C:\Users\Admin\AppData\Local\rEWC6Yq\sigverif.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2532
    • C:\Windows\system32\recdisc.exe
      C:\Windows\system32\recdisc.exe
      1⤵
        PID:2676
      • C:\Users\Admin\AppData\Local\JN6\recdisc.exe
        C:\Users\Admin\AppData\Local\JN6\recdisc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2516
      • C:\Windows\system32\SystemPropertiesPerformance.exe
        C:\Windows\system32\SystemPropertiesPerformance.exe
        1⤵
          PID:2848
        • C:\Users\Admin\AppData\Local\SlJ\SystemPropertiesPerformance.exe
          C:\Users\Admin\AppData\Local\SlJ\SystemPropertiesPerformance.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3008

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\JN6\SPP.dll
          Filesize

          994KB

          MD5

          ba80b2a55a9b87658c7a0690a7cea9ff

          SHA1

          8468d992dbbc06262dd97361d7ec9b933c9e64c0

          SHA256

          4aafcc83276426bc375f1cfe6f9a450f1dfdccd95cb4b29935da5f79bc86f832

          SHA512

          88244b3601e4ffb2bc1c541ec84f6ca78176b0393f2a8fa4c8b3ac6e7da59875b5f1c10f034574e0bbd20b46347c120f7d82e828cdc2a88bbb92480b3c80e340

          Download Submit
        • C:\Users\Admin\AppData\Local\SlJ\SYSDM.CPL
          Filesize

          994KB

          MD5

          76018ca0d005d923493cc4027b0b908d

          SHA1

          ca296a598698021d631ef72e36901562fa4ae6e9

          SHA256

          fd665b3cf7e7abc3b4911a6e6acd69c665dc78dd0c470c5288900fcc93b37c82

          SHA512

          91c4b02b8851b80a21aad9639cbf1df81569dcbb0d25c0c79d067cfe6dbcc3e0769fff8598adb9482281817c9e49e3130b6b1f3844cb6fcc8a94d13adce66638

          Download Submit
        • C:\Users\Admin\AppData\Local\rEWC6Yq\VERSION.dll
          Filesize

          994KB

          MD5

          d9d44294818b9a9ebd8cfc3d1f8f22e8

          SHA1

          6b1bd72fb66fceec6fc54cd59b67dc6e70eb31e9

          SHA256

          02197eb039599d15f31273d9f5b98abfe5f86c8b9af1a19f49f796de2bb2582c

          SHA512

          97b43ac4e762413e1fa7c92f300e2555960bac3a3208e39198fffdb7de9642509f2137716b72cf58e3945933451af02a161106d2effaf8b04e02b4fddf2626fd

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
          Filesize

          1KB

          MD5

          f410f8dad0d30de4055405a2e9c0a4a0

          SHA1

          d069c2737600b1af1209f87307f996aa0b8744dc

          SHA256

          23b7c36f87420ee3850f40940cabc4e2db7cdc89fea0dd62c815b463355eacb6

          SHA512

          001e0a887303e5edf366ed086ce7b8523cd4a2037d1c77a6c745010c4545a3d56c867b844dbe1a667823e7a8a28283aecb02a4a7b426ec963be9d6d3b0e98318

          Download Submit
        • \Users\Admin\AppData\Local\JN6\recdisc.exe
          Filesize

          232KB

          MD5

          f3b306179f1840c0813dc6771b018358

          SHA1

          dec7ce3c13f7a684cb52ae6007c99cf03afef005

          SHA256

          dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

          SHA512

          9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

          Download Submit
        • \Users\Admin\AppData\Local\SlJ\SystemPropertiesPerformance.exe
          Filesize

          80KB

          MD5

          870726cdcc241a92785572628b89cc07

          SHA1

          63d47cc4fe9beb75862add1abca1d8ae8235710a

          SHA256

          1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

          SHA512

          89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

          Download Submit
        • \Users\Admin\AppData\Local\rEWC6Yq\sigverif.exe
          Filesize

          73KB

          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

          Download Submit
        • memory/1152-38-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1152-1-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1152-0-0x0000000000110000-0x0000000000117000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1368-12-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1368-64-0x0000000077A66000-0x0000000077A67000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1368-8-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1368-29-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1368-28-0x0000000077D00000-0x0000000077D02000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1368-30-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1368-27-0x0000000077B71000-0x0000000077B72000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1368-24-0x0000000002230000-0x0000000002237000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1368-11-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1368-13-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1368-23-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1368-4-0x0000000077A66000-0x0000000077A67000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1368-5-0x0000000002B10000-0x0000000002B11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1368-7-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1368-14-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1368-10-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1368-9-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2516-70-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2532-50-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2532-47-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2532-46-0x0000000000190000-0x0000000000197000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3008-82-0x0000000000270000-0x0000000000277000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3008-88-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download