Overview

overview

10

Static

static

3

6460847e42...18.dll

windows7-x64

10

6460847e42...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    21/05/2024, 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6460847e42c5eabeb93e67fece6128f7_JaffaCakes118.dll

  • Size

    990KB

  • MD5

    6460847e42c5eabeb93e67fece6128f7

  • SHA1

    196bd51b56ce2588c0a91e164585f34e0939c4d7

  • SHA256

    297c7231333dfd8841dd8c37626db80a13c92a61552feb5a8891cceddd5699c2

  • SHA512

    2d169daa0f73627fe19d537389497e6b5c98fb0dedfb28851a72fcaaaf5525662b5a5cdf85d7f92f72ad287f7eaf3e167363c4a132e52439e5ce808009636bd2

  • SSDEEP

    24576:hVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:hV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6460847e42c5eabeb93e67fece6128f7_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1648
  • C:\Windows\system32\dwm.exe
    C:\Windows\system32\dwm.exe
    1⤵
      PID:2664
    • C:\Users\Admin\AppData\Local\NiH7\dwm.exe
      C:\Users\Admin\AppData\Local\NiH7\dwm.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2500
    • C:\Windows\system32\fveprompt.exe
      C:\Windows\system32\fveprompt.exe
      1⤵
        PID:1324
      • C:\Users\Admin\AppData\Local\eaenLR\fveprompt.exe
        C:\Users\Admin\AppData\Local\eaenLR\fveprompt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1800
      • C:\Windows\system32\BitLockerWizardElev.exe
        C:\Windows\system32\BitLockerWizardElev.exe
        1⤵
          PID:1836
        • C:\Users\Admin\AppData\Local\9oQtQO\BitLockerWizardElev.exe
          C:\Users\Admin\AppData\Local\9oQtQO\BitLockerWizardElev.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2376

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9oQtQO\FVEWIZ.dll
          Filesize

          992KB

          MD5

          7c907bf7678f96c049b3096d138c5270

          SHA1

          3546b0f2e890a29ed57e09f02992979048223fdc

          SHA256

          2e1b2df37dcfcd728fd7c9640fb2c13d71dee39df647f87e0a9fe7de6b323279

          SHA512

          e64107e3c22b69b478e5c779c9e0e73114acbf55d62bc76b9d446d5d8075b3c6f8a2e81e3e292273369c543ba201b161e1e6347fae08bce584f8b67300d99f5d

          Download Submit

        • C:\Users\Admin\AppData\Local\NiH7\UxTheme.dll
          Filesize

          993KB

          MD5

          7518351b0ed7c98bd68ea7fdde0bce38

          SHA1

          891a873b818fea98f40a24d9e45172355b00241c

          SHA256

          32f6a7ee2b03ac6e871d2456c305de80ce6ec6eb172de9a1306499ba8c42f3b6

          SHA512

          8ad3ab2c6e88293485d19b5e4ba4c4cc4bfc0acb79534dd8772a87edea2bd593c31645323891d91d8db93cbd265f8cdca4c153420e09e8fb2ace7f919c12db5d

          Download Submit

        • C:\Users\Admin\AppData\Local\eaenLR\slc.dll
          Filesize

          992KB

          MD5

          5831e474979b007d8f92590eb184d949

          SHA1

          a3c00574c827625db577dbecf666d25b6a3e6427

          SHA256

          83a6f464134f4b28ac3720749de15814e725cd6ca15112a6bb741979c0a0428f

          SHA512

          31b7be3abfcfabe5051b132f5734e5e404284f88f071a2d45a037f0cca0b7ea0bcf076d41455cdeffe82d00fcc59ef5dbb4b69cd3768c963537059c1d5a86b7b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
          Filesize

          1KB

          MD5

          2cda9cc787cf91474be69ef972646c36

          SHA1

          013b37d71cb329ab886f2271c09ef7eb2fd3b9ca

          SHA256

          7f262bdf09cfc9b755a5ff62c4d23943cc5adc4c8bf536229afa23f9d7677810

          SHA512

          6c65550f35437d07aebffa4ef5e0ec91dba888f397727b4aae0108d248c9e8fadab1e4c3695f9b985dedbbeadbd255de412d72d1e6331e4bc4a22b9e1f458fd0

          Download Submit

        • \Users\Admin\AppData\Local\9oQtQO\BitLockerWizardElev.exe
          Filesize

          98KB

          MD5

          73f13d791e36d3486743244f16875239

          SHA1

          ed5ec55dbc6b3bda505f0a4c699c257c90c02020

          SHA256

          2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

          SHA512

          911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

          Download Submit

        • \Users\Admin\AppData\Local\NiH7\dwm.exe
          Filesize

          117KB

          MD5

          f162d5f5e845b9dc352dd1bad8cef1bc

          SHA1

          35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

          SHA256

          8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

          SHA512

          7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

          Download Submit

        • \Users\Admin\AppData\Local\eaenLR\fveprompt.exe
          Filesize

          104KB

          MD5

          dc2c44a23b2cd52bd53accf389ae14b2

          SHA1

          e36c7b6f328aa2ab2f52478169c52c1916f04b5f

          SHA256

          7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

          SHA512

          ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

          Download Submit

        • memory/1188-35-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1188-14-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1188-25-0x0000000076DD1000-0x0000000076DD2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-23-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1188-13-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1188-12-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1188-11-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1188-10-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1188-9-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1188-4-0x0000000076BC6000-0x0000000076BC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-36-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1188-5-0x0000000002550000-0x0000000002551000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-24-0x0000000002530000-0x0000000002537000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-28-0x0000000076F60000-0x0000000076F62000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-8-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1188-7-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1188-60-0x0000000076BC6000-0x0000000076BC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1648-44-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1648-0-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1648-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1800-71-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1800-74-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/2376-89-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2376-92-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/2500-57-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/2500-55-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2500-52-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download