Overview

overview

10

Static

static

3

6546ef01ad...18.dll

windows7-x64

10

6546ef01ad...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6546ef01ad7cf5ea8767ca35e0a9497d_JaffaCakes118.dll

  • Size

    989KB

  • MD5

    6546ef01ad7cf5ea8767ca35e0a9497d

  • SHA1

    8302c377caccf0332af3c94ef45217a929b61110

  • SHA256

    c9d45c41ecba0e13d08bea6b3393cf730d02482f0923b754a2ab72b9ea9ee361

  • SHA512

    135fc8029dfdcd91fd5ec72b65a8fdd2a240f0627116530cc6fc878045dbce0c92f96d78f2b6faa645a98ae0f3024261199369b59a7b2bd6cb72210172362b24

  • SSDEEP

    24576:xVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:xV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6546ef01ad7cf5ea8767ca35e0a9497d_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1928
  • C:\Windows\system32\DevicePairingWizard.exe
    C:\Windows\system32\DevicePairingWizard.exe
    1⤵
      PID:2780
    • C:\Users\Admin\AppData\Local\KdJ\DevicePairingWizard.exe
      C:\Users\Admin\AppData\Local\KdJ\DevicePairingWizard.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1532
    • C:\Windows\system32\usocoreworker.exe
      C:\Windows\system32\usocoreworker.exe
      1⤵
        PID:2736
      • C:\Users\Admin\AppData\Local\x9a71Jl\usocoreworker.exe
        C:\Users\Admin\AppData\Local\x9a71Jl\usocoreworker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1140
      • C:\Windows\system32\DevicePairingWizard.exe
        C:\Windows\system32\DevicePairingWizard.exe
        1⤵
          PID:3844
        • C:\Users\Admin\AppData\Local\Kkr\DevicePairingWizard.exe
          C:\Users\Admin\AppData\Local\Kkr\DevicePairingWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4396

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\KdJ\DevicePairingWizard.exe
          Filesize

          93KB

          MD5

          d0e40a5a0c7dad2d6e5040d7fbc37533

          SHA1

          b0eabbd37a97a1abcd90bd56394f5c45585699eb

          SHA256

          2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

          SHA512

          1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

          Download Submit
        • C:\Users\Admin\AppData\Local\KdJ\MFC42u.dll
          Filesize

          1017KB

          MD5

          f8a837f8231f97647297cc829cf76d95

          SHA1

          dfda36f911424ea3c949f12a523a3d839c03c842

          SHA256

          eb89b0c2b6f7cfd8fedbf3195ffcc005983b3416bac494bd4682bec1e948d265

          SHA512

          7e251a1f74172dd24b586486484a5c4e0e794d1c569a75f615c00714240df4149c23d248d9ea6729ad010dbed8d719dabc1cfe77cd998ea7edadf641ba6b8c10

          Download Submit
        • C:\Users\Admin\AppData\Local\Kkr\MFC42u.dll
          Filesize

          1017KB

          MD5

          780d8805de8478d785e962d8e4931138

          SHA1

          4c61b874065a1cc30038faf85b01fcc2e993ae80

          SHA256

          bb96dba2669a6e66c900496b656b3561ecc8e4f68862ee4559df144093d10298

          SHA512

          6d512792b0d8fd316df3b7a7a523131ad5845422712e49a92ad0ae4fcf0f6d2615bd5c4814547324d1fb5d7d4b095848d755326fe7466ffeccfa91d94afd875b

          Download Submit
        • C:\Users\Admin\AppData\Local\x9a71Jl\XmlLite.dll
          Filesize

          990KB

          MD5

          b2e10e5549d54a22223791935f73274a

          SHA1

          32221e7e4c7e330d4d525c863c26f8e049cb9abe

          SHA256

          598e1b33ebcb12931f73043b2223847bfc81f49c48d5105f58a2eba34bc70942

          SHA512

          22df0929376968da24a1507a5381c3a5310fa880c6b4917e46167d4e3e4dbc4ae3a2c359fc116f0ef3850befe2b35bbde6c8fcbf95cb5381c0fbdf24043a2c06

          Download Submit
        • C:\Users\Admin\AppData\Local\x9a71Jl\usocoreworker.exe
          Filesize

          1.3MB

          MD5

          2c5efb321aa64af37dedc6383ce3198e

          SHA1

          a06d7020dd43a57047a62bfb443091cd9de946ba

          SHA256

          0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

          SHA512

          5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
          Filesize

          1KB

          MD5

          f31bc833c57e9ec79111b9b2d26c6eb5

          SHA1

          efde5dc829dda4df9d61be4b479cdee060ee2298

          SHA256

          283557db95a7a7755fb50eb24c068d3146da2c5a600d55328f59b2c01dbe3440

          SHA512

          f03147ee4252415a8c2b3c01b74db50f223cbbf5c740a73ef47daf665331c3bcac09f13416bf14d1d3b8f9deef1a49fde286b89a9830f9f52436528b6e49842b

          Download Submit
        • memory/1140-64-0x0000028A82980000-0x0000028A82987000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1140-61-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1140-67-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1532-50-0x0000000140000000-0x0000000140103000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/1532-47-0x0000014A85930000-0x0000014A85937000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1532-44-0x0000000140000000-0x0000000140103000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/1928-0-0x000001AF3BE20000-0x000001AF3BE27000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1928-37-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1928-2-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3440-34-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3440-31-0x00007FFA62A7A000-0x00007FFA62A7B000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-13-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3440-7-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3440-8-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3440-10-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3440-11-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3440-6-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3440-32-0x00000000008C0000-0x00000000008C7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3440-33-0x00007FFA63A10000-0x00007FFA63A20000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3440-22-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3440-12-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3440-9-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3440-4-0x0000000002720000-0x0000000002721000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4396-84-0x0000000140000000-0x0000000140103000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/4396-81-0x0000022D3EF40000-0x0000022D3EF47000-memory.dmp
          Filesize

          28KB

          Download