Overview

overview

10

Static

static

3

607eb12155...18.dll

windows7-x64

10

607eb12155...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    607eb1215586e6a11411e324c2172f2e_JaffaCakes118.dll

  • Size

    990KB

  • MD5

    607eb1215586e6a11411e324c2172f2e

  • SHA1

    1f678077270f6c682a875589060123ad3eedebeb

  • SHA256

    7dd7b193fae1ce9d142851e38ff19d708c6da88d4be7ed02407fad768020e631

  • SHA512

    5e3de8f8ba5534f0788240f03033c3ed37b778602485f22e65a44ab17aadfa791dd79af327d91fcfaeea12993d4f3c3c70c2430babc8148975d8c92b035e03df

  • SSDEEP

    24576:rVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:rV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\607eb1215586e6a11411e324c2172f2e_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2220
  • C:\Windows\system32\PresentationSettings.exe
    C:\Windows\system32\PresentationSettings.exe
    1⤵
      PID:2536
    • C:\Users\Admin\AppData\Local\MPsRTIK\PresentationSettings.exe
      C:\Users\Admin\AppData\Local\MPsRTIK\PresentationSettings.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1552
    • C:\Windows\system32\BitLockerWizard.exe
      C:\Windows\system32\BitLockerWizard.exe
      1⤵
        PID:2100
      • C:\Users\Admin\AppData\Local\VHV\BitLockerWizard.exe
        C:\Users\Admin\AppData\Local\VHV\BitLockerWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1948
      • C:\Windows\system32\Utilman.exe
        C:\Windows\system32\Utilman.exe
        1⤵
          PID:2960
        • C:\Users\Admin\AppData\Local\T9z\Utilman.exe
          C:\Users\Admin\AppData\Local\T9z\Utilman.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3064

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\MPsRTIK\WINMM.dll
          Filesize

          995KB

          MD5

          58f68a0f6a210a276563fb97094db175

          SHA1

          dad8e36f129d09b50ed03cbb654aafe57d3c8cba

          SHA256

          a0c3c7b34f583fbad17d1b3c26355799cfcdddd7123a0fb95cdd31c54dc500c7

          SHA512

          90a259f36fff74c224b088f576adc12f082788ea52a87c4e6536382c32b5c2d73135617a22213f58af84229feace28523f93d691c0b5fb5f99b6f49de011fa0d

          Download Submit
        • C:\Users\Admin\AppData\Local\T9z\DUI70.dll
          Filesize

          1.2MB

          MD5

          450e5aa1780cd6fb8ea42abf7f427b27

          SHA1

          9ade881c6742aec4dc0de809ee2521cfa856686c

          SHA256

          e1435ddcf17d710f9ff57c05d257eba4d91fd47b679bd7b174fd89d7b859d980

          SHA512

          64cea865a14f7bc3a2ab514b3fc7bec2e1d5c0c3f0d2a865871fd702cd0bb18720d3379c73581bc62a5376ebc4f12ae3456318fbb1e43610617c57c2a1cf7ce4

          Download Submit
        • C:\Users\Admin\AppData\Local\VHV\FVEWIZ.dll
          Filesize

          992KB

          MD5

          b96376b38ba3073e6413a04c0bdca5ad

          SHA1

          24a8c6359e067afe6d69b406662f9c6b32ec895d

          SHA256

          860a12563728112d734731b976eeabdd812602263b96464f681c2f02bdb7046b

          SHA512

          65bc6db99de67e0042bf80d707f56cb3e8fa480e926bccf6cd05c7faaea6892edd27960136fcff940e0827a153b7b8b3cc1ef8512041404644cde50ad0145328

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk
          Filesize

          1KB

          MD5

          48d99721dab4bc6be81e6def368ae926

          SHA1

          cfc0c09fecaa324b51bdc275035c3b9a6868a7eb

          SHA256

          76897d569f019a5af8bb7ab4415a97e905cedbcb30d9f441b15ef4db4beff02a

          SHA512

          47bec076f2bb59c2193d530ddcebc8ea3f7a1d87a1146cc80d6416d4cbc2ce6d5fd50dbd95325b145763c6ff820227e4df2c3fda13cb386916a454b74f9ed703

          Download Submit
        • \Users\Admin\AppData\Local\MPsRTIK\PresentationSettings.exe
          Filesize

          172KB

          MD5

          a6f8d318f6041334889481b472000081

          SHA1

          b8cf08ec17b30c8811f2514246fcdff62731dd58

          SHA256

          208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

          SHA512

          60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

          Download Submit
        • \Users\Admin\AppData\Local\T9z\Utilman.exe
          Filesize

          1.3MB

          MD5

          32c5ee55eadfc071e57851e26ac98477

          SHA1

          8f8d0aee344e152424143da49ce2c7badabb8f9d

          SHA256

          7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

          SHA512

          e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

          Download Submit
        • \Users\Admin\AppData\Local\VHV\BitLockerWizard.exe
          Filesize

          98KB

          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

          Download Submit
        • memory/1204-37-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-12-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-23-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-13-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-10-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-9-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-8-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-25-0x0000000077581000-0x0000000077582000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-26-0x0000000077710000-0x0000000077712000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1204-4-0x0000000077476000-0x0000000077477000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-35-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-5-0x0000000002E90000-0x0000000002E91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1204-14-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-24-0x0000000002E70000-0x0000000002E77000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1204-7-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-11-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1204-63-0x0000000077476000-0x0000000077477000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1552-55-0x0000000000110000-0x0000000000117000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1552-58-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/1552-52-0x0000000140000000-0x00000001400FF000-memory.dmp
          Filesize

          1020KB

          Download
        • memory/1948-71-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/1948-76-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2220-44-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2220-1-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2220-3-0x00000000001A0000-0x00000000001A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3064-88-0x0000000000390000-0x0000000000397000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3064-89-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3064-94-0x0000000140000000-0x0000000140131000-memory.dmp
          Filesize

          1.2MB

          Download