Overview

overview

10

Static

static

3

6a4e5486af...18.dll

windows7-x64

10

6a4e5486af...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a4e5486af546391e45412c333bbe6c8_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    6a4e5486af546391e45412c333bbe6c8

  • SHA1

    b93d409fc83ab378bba92cd0c6ca012cfd821f95

  • SHA256

    80b2c8b6a99129cf3c8de8ab7b21f4cb2c6f0dc9569b58aa1416d7a9057a314f

  • SHA512

    b8cdf8bc9b75c7cf3567106b5585ebda71503bbed0f664b7422214d76252158fde10508909e6511e2c35ecdd7e691c285219282402812a855e4bbf9432fae144

  • SSDEEP

    24576:mVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8at:mV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a4e5486af546391e45412c333bbe6c8_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2864
  • C:\Windows\system32\rdpshell.exe
    C:\Windows\system32\rdpshell.exe
    1⤵
      PID:2760
    • C:\Users\Admin\AppData\Local\fu6ZE\rdpshell.exe
      C:\Users\Admin\AppData\Local\fu6ZE\rdpshell.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2744
    • C:\Windows\system32\sethc.exe
      C:\Windows\system32\sethc.exe
      1⤵
        PID:1028
      • C:\Users\Admin\AppData\Local\rncYQG\sethc.exe
        C:\Users\Admin\AppData\Local\rncYQG\sethc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:632
      • C:\Windows\system32\msinfo32.exe
        C:\Windows\system32\msinfo32.exe
        1⤵
          PID:2484
        • C:\Users\Admin\AppData\Local\we3J\msinfo32.exe
          C:\Users\Admin\AppData\Local\we3J\msinfo32.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:548

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\fu6ZE\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          3dc53dc35e4c8644f327958e9976bada

          SHA1

          5331af8167fcfd8c885384d022a476ed4639e14d

          SHA256

          621235d3eb527fa6ee8058da8c34b559d886496e5cc423461a3c021db7c2cee9

          SHA512

          d5a64cb4703eabd6c4cc095139f5168c49321ce09cc8bd6363444fb9d5fd19a24fc2cd40058bf0d5ffee642fccf5a37544fa2b23624d40278847d38c2f1036c9

          Download Submit

        • C:\Users\Admin\AppData\Local\rncYQG\OLEACC.dll
          Filesize

          1.2MB

          MD5

          9c88b9824b239044ec7bf21dbf6d4987

          SHA1

          93a90d70e7ecc02f2d47afb1cc671706d7476fd8

          SHA256

          14c8d93facfbd8553276d2b0ec8da348825f451c06d1a72f8d79c8bea8aa4421

          SHA512

          8260c35a00a220cd6cf81a838fe9f7616ddd4d5f0abd335544c866a6ced0f14e5e8b3c566d45682e6fd079947b6bddf49942d0580409cf8361b20059893e44ad

          Download Submit

        • C:\Users\Admin\AppData\Local\we3J\MFC42u.dll
          Filesize

          1.3MB

          MD5

          f799468ca150e7571eecd9467e700949

          SHA1

          9c20f8f9bd8cef5d4a59044ac75c7088210da4ec

          SHA256

          64d890ec451c45635032910c9ca5b355e90d6c9f15efe28c68ae19722c4f2408

          SHA512

          9dddbed213b413b00410bfa7f8eb8b9842cde6ff16b0639bee9ceb5ec675a66d3856e172813baccecf3a847f7d2989250cc87e47becc54e5fc981368b87b6a0a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
          Filesize

          1KB

          MD5

          2a2d3317348b014ac69d6197ea87b8ec

          SHA1

          05ff1db444b0d529de6f5a117dcb6d572f4c6463

          SHA256

          dba3ecea5762ffaade2b8606bdbb0d4779da48a028ea233edf9d243a1138816e

          SHA512

          f986fadf6bd1c4681e80a36aa9c3652da00c4315e69c15dddb35089584a49a1e81a9c36148dcca357262de7d2b819f1ce08fb51b55678d45bddb72c509ebbe75

          Download Submit

        • \Users\Admin\AppData\Local\fu6ZE\rdpshell.exe
          Filesize

          292KB

          MD5

          a62dfcea3a58ba8fcf32f831f018fe3f

          SHA1

          75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

          SHA256

          f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

          SHA512

          9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

          Download Submit

        • \Users\Admin\AppData\Local\rncYQG\sethc.exe
          Filesize

          272KB

          MD5

          3bcb70da9b5a2011e01e35ed29a3f3f3

          SHA1

          9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

          SHA256

          dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

          SHA512

          69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

          Download Submit

        • \Users\Admin\AppData\Local\we3J\msinfo32.exe
          Filesize

          370KB

          MD5

          d291620d4c51c5f5ffa62ccdc52c5c13

          SHA1

          2081c97f15b1c2a2eadce366baf3c510da553cc7

          SHA256

          76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

          SHA512

          75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

          Download Submit

        • memory/548-97-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/548-94-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

          Download

        • memory/548-92-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/632-79-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/632-73-0x0000000000440000-0x0000000000447000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-26-0x0000000002E10000-0x0000000002E17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-15-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-14-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-12-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-11-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-9-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-37-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-38-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-4-0x0000000077466000-0x0000000077467000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-25-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-28-0x0000000077800000-0x0000000077802000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-5-0x0000000002E30000-0x0000000002E31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-8-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-7-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-65-0x0000000077466000-0x0000000077467000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-27-0x0000000077671000-0x0000000077672000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-16-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-13-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-10-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2744-60-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2744-54-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2744-57-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2864-0-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2864-46-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2864-3-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

          Download