Overview

overview

10

Static

static

3

64ad7b6b4c...18.dll

windows7-x64

10

64ad7b6b4c...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/05/2024, 20:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    64ad7b6b4c821bc0f138e23a3ae8f98e_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    64ad7b6b4c821bc0f138e23a3ae8f98e

  • SHA1

    ff738b1f5284c28bdb0a2d5223ac0d6f05a47c44

  • SHA256

    4892d89738704f770fbfa938a4007eba643a13c62f68585489c950f12322f778

  • SHA512

    22021b36d63b082c6c7931d32153b4bc1d57756b3c950cdfd61be659b6d0a3920c5bff65a295fe4014e9940b6467bc2f99aaab9f1fa4302bb10964440416a60b

  • SSDEEP

    24576:lVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:lV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\64ad7b6b4c821bc0f138e23a3ae8f98e_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1564
  • C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    1⤵
      PID:1308
    • C:\Users\Admin\AppData\Local\5z2Z\sppsvc.exe
      C:\Users\Admin\AppData\Local\5z2Z\sppsvc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1340
    • C:\Windows\system32\wbengine.exe
      C:\Windows\system32\wbengine.exe
      1⤵
        PID:2340
      • C:\Users\Admin\AppData\Local\3xhOBki0e\wbengine.exe
        C:\Users\Admin\AppData\Local\3xhOBki0e\wbengine.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4720
      • C:\Windows\system32\sppsvc.exe
        C:\Windows\system32\sppsvc.exe
        1⤵
          PID:3112
        • C:\Users\Admin\AppData\Local\NQf\sppsvc.exe
          C:\Users\Admin\AppData\Local\NQf\sppsvc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3928

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\3xhOBki0e\SPP.dll
                Filesize

                1.2MB

                MD5

                1543ed89f9acdfbfdab94042664ec408

                SHA1

                e22c62f65e185b6fa725da612c3c2360f83ec1fc

                SHA256

                eaf84c67d9f56fe5c88f3a7e69581ffc4e5d8c629656b9376c9358d5534ff961

                SHA512

                39694c27e6cb18cccac3abe984c934164d8f356ad94e216f65309a447edf4275fe34550383ffa5ab7bbdfdce639d6f4df98c6462e0c516ad6c8f20fd4574c15f

                Download Submit

              • C:\Users\Admin\AppData\Local\3xhOBki0e\wbengine.exe
                Filesize

                1.5MB

                MD5

                17270a354a66590953c4aac1cf54e507

                SHA1

                715babcc8e46b02ac498f4f06df7937904d9798d

                SHA256

                9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

                SHA512

                6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

                Download Submit

              • C:\Users\Admin\AppData\Local\5z2Z\XmlLite.dll
                Filesize

                1.2MB

                MD5

                377f12f68b5618cfa497cd4ca425efbe

                SHA1

                0192c526e5e03ff546605e9519509a0be8ca63ea

                SHA256

                02e0f1255aec389121ea89c42c563f6b560484fe5da606deb4c2dc078bec4a04

                SHA512

                97aea90dd06beaeedf5bcf2df76ae41f778fbd3adcb5408739dbc94e7d1d42e3ab40871446fe9e6ff66bd5b5274a018b41d21bfc083db2bc58d7cc44cbc530cb

                Download Submit

              • C:\Users\Admin\AppData\Local\5z2Z\sppsvc.exe
                Filesize

                4.4MB

                MD5

                ec6cef0a81f167668e18fa32f1606fce

                SHA1

                6d56837a388ae5573a38a439cee16e6dde5b4de8

                SHA256

                82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8

                SHA512

                f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

                Download Submit

              • C:\Users\Admin\AppData\Local\NQf\XmlLite.dll
                Filesize

                1.2MB

                MD5

                d9e55f16afe6290bce369d7ad4c0663c

                SHA1

                fd1d97293c14da41a0da29b2111e36274925832a

                SHA256

                0b8f76c1994f6927714f8d8361e0e4b01313834e07c556b220effa2a019a52af

                SHA512

                234b93d88e79cd84799064100c00faeabd6984cda16b2a5487ab531bd70662ba8e440c6736e2efb54a2e25bb2f39e776dfc835b3641903a6dc368a883d8a37e0

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
                Filesize

                1KB

                MD5

                08d9434ab438889fdef0355e15e5d805

                SHA1

                034c71f0b3f87ffa413e46355ac96c063433760f

                SHA256

                5330b7ff458b8e11525845c9379e8dc4af2b243ab172740f7fbfcac75b324417

                SHA512

                0959c9f36bddfa05156a719669c64554a4735023acbbeab9b417e51a7d98d7efcfeeac1acbfef32a2eaeb2ecf8d155c5390a77dd8bb14924ce4abff599296a84

                Download Submit

              • memory/1340-52-0x0000000140000000-0x0000000140143000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1340-46-0x0000000140000000-0x0000000140143000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1340-49-0x000001D903560000-0x000001D903567000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1564-1-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1564-38-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1564-3-0x00007FFF17340000-0x00007FFF17A7F000-memory.dmp

                Filesize

                7.2MB

                Download

              • memory/1564-39-0x00007FFF17340000-0x00007FFF17A7F000-memory.dmp

                Filesize

                7.2MB

                Download

              • memory/3516-35-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3516-30-0x00007FFF192D0000-0x00007FFF192E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3516-24-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3516-14-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3516-9-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3516-10-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3516-11-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3516-12-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3516-29-0x0000000001370000-0x0000000001377000-memory.dmp

                Filesize

                28KB

                Download

              • memory/3516-8-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3516-15-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3516-13-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3516-7-0x0000000140000000-0x0000000140142000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/3516-6-0x00007FFF190CA000-0x00007FFF190CB000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3516-4-0x0000000003190000-0x0000000003191000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3928-85-0x0000000140000000-0x0000000140143000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/4720-69-0x0000000140000000-0x0000000140143000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/4720-66-0x000001FEABA20000-0x000001FEABA27000-memory.dmp

                Filesize

                28KB

                Download