Overview

overview

10

Static

static

3

a13f7f0d72...18.dll

windows7-x64

10

a13f7f0d72...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    12-06-2024 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a13f7f0d72b6bd47eca1422df6227d36_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    a13f7f0d72b6bd47eca1422df6227d36

  • SHA1

    38dcf9b51fd87e88a508e91c4e46906d612ef050

  • SHA256

    e8d148be0eda983cddc2216ca6ce0e6deeb783cfcab645d9911801b52d0b07ef

  • SHA512

    ac93d5d89f0b145c4b20c4ba9f3c42aca4a46fda925c19aaf772a28f0106fc38829d242d4fd9366ba63d2d33122f4640471f51c1327f0863df2562a0d99743e9

  • SSDEEP

    24576:3VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:3V8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a13f7f0d72b6bd47eca1422df6227d36_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1736
  • C:\Windows\system32\wbengine.exe
    C:\Windows\system32\wbengine.exe
    1⤵
      PID:2632
    • C:\Users\Admin\AppData\Local\aB5nd\wbengine.exe
      C:\Users\Admin\AppData\Local\aB5nd\wbengine.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2804
    • C:\Windows\system32\wisptis.exe
      C:\Windows\system32\wisptis.exe
      1⤵
        PID:2580
      • C:\Users\Admin\AppData\Local\AgBgvb6Q\wisptis.exe
        C:\Users\Admin\AppData\Local\AgBgvb6Q\wisptis.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2684
      • C:\Windows\system32\wusa.exe
        C:\Windows\system32\wusa.exe
        1⤵
          PID:2724
        • C:\Users\Admin\AppData\Local\EYKw\wusa.exe
          C:\Users\Admin\AppData\Local\EYKw\wusa.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2712

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\AgBgvb6Q\OLEACC.dll
          Filesize

          1.2MB

          MD5

          214eb64b76849efbe5e699340e40dcc6

          SHA1

          a2d1f07caf2c4968299788b184f3c0a8d5b921ca

          SHA256

          d83eb07e420f68bf54ee189b2d65c77add46ca4c2b6bbf17d3985908cb34492b

          SHA512

          820d0a7f0ecf1124d06b350a7248fe2cedcd86a177637d7c3ade4e67aaa9adb4d7f839af9bd369c4a543ffce0c1aa0f8f046151973c60a29b8a534956de5bfc0

          Download Submit
        • C:\Users\Admin\AppData\Local\EYKw\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          0ef2cfae56df796237576c1e4aaf4260

          SHA1

          d74e98566e64c8621a7fea6aa06187b67ade715c

          SHA256

          a7cf07a3e3854d8c73a845b25c943f3600a88ddf914ee52984cbef1dfd485564

          SHA512

          4e34ee2cf50d6cce430d424371b4d4025560cb495510c00ecce82d4cecfb88d53887169caf1399056e835712896c3fb687a86a1e3b5cb4fcae62034a74d29587

          Download Submit
        • C:\Users\Admin\AppData\Local\aB5nd\XmlLite.dll
          Filesize

          1.2MB

          MD5

          faf277bef8f032d2594958c9df12337b

          SHA1

          1c04f41eed8c77811edcd4513579a70ec02cf968

          SHA256

          9e21c5e5f7d4df7ec12a776159f23b356704b996210e7f3e36763cfb7fd02953

          SHA512

          1d89fdb89bc7c6efb627bf8c04bdfcb49a48717995c13ea4d862c3f03b7a72c90433b83feec2bf5b70ed61c4c8811e2ed1bd33c8ec033d661d5feae1c7723c02

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gemerzbimpg.lnk
          Filesize

          1KB

          MD5

          443fe2244a53a9bd4e3710361e9c140b

          SHA1

          598fd515f8117b3fa15f1965e370daaa36fd34bf

          SHA256

          f948214bc198de8c1a4e2d4ec46ed0c5c3cd0999b6af02a2d98c08c03ecfb8d0

          SHA512

          f13e9570ad9e833223617e29e5e9a50e487aaef07173b901e2158db5a6020ba63da1b14866efc2c38a033661a3e1d28e457e8b02b8d63ddd0ede0879785a9add

          Download Submit
        • \Users\Admin\AppData\Local\AgBgvb6Q\wisptis.exe
          Filesize

          396KB

          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit
        • \Users\Admin\AppData\Local\EYKw\wusa.exe
          Filesize

          300KB

          MD5

          c15b3d813f4382ade98f1892350f21c7

          SHA1

          a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

          SHA256

          8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

          SHA512

          6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

          Download Submit
        • \Users\Admin\AppData\Local\aB5nd\wbengine.exe
          Filesize

          1.4MB

          MD5

          78f4e7f5c56cb9716238eb57da4b6a75

          SHA1

          98b0b9db6ec5961dbb274eff433a8bc21f7e557b

          SHA256

          46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

          SHA512

          1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

          Download Submit
        • memory/1208-21-0x0000000002560000-0x0000000002567000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1208-16-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1208-4-0x00000000779B6000-0x00000000779B7000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1208-15-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1208-13-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1208-12-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1208-28-0x0000000077D50000-0x0000000077D52000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1208-27-0x0000000077BC1000-0x0000000077BC2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1208-11-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1208-10-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1208-9-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1208-37-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1208-39-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1208-5-0x0000000002580000-0x0000000002581000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1208-14-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1208-26-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1208-73-0x00000000779B6000-0x00000000779B7000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1208-8-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1208-7-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1736-46-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1736-1-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1736-0-0x0000000000120000-0x0000000000127000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2684-74-0x00000000002A0000-0x00000000002A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2684-78-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2712-88-0x0000000000110000-0x0000000000117000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2712-94-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2804-60-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2804-55-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2804-54-0x0000000000130000-0x0000000000137000-memory.dmp
          Filesize

          28KB

          Download