Overview

overview

10

Static

static

3

6c520ed936...18.dll

windows7-x64

10

6c520ed936...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    24/07/2024, 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c520ed93654e6369dcf1ef50efee865_JaffaCakes118.dll

  • Size

    836KB

  • MD5

    6c520ed93654e6369dcf1ef50efee865

  • SHA1

    1e8ae55c1e4fd4c0cdcdc7f07dcb3bdc58e2d1c0

  • SHA256

    ded7d0db8eaae0010cffb8fd3713ecbc1af523fe04414a324f367abda4e3d02a

  • SHA512

    84e1fb30bf653a8d3b7258b1b632fd7283f462107fae614690b499f5e609c812e770615441870970bd3d15ccaffe12be52c417895204cddad835ab8049997a0b

  • SSDEEP

    12288:1dMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:bMIJxSDX3bqjhcfHk7MzH6z

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c520ed93654e6369dcf1ef50efee865_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2116
  • C:\Windows\system32\icardagt.exe
    C:\Windows\system32\icardagt.exe
    1⤵
      PID:2728
    • C:\Users\Admin\AppData\Local\BecJfd09R\icardagt.exe
      C:\Users\Admin\AppData\Local\BecJfd09R\icardagt.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2464
    • C:\Windows\system32\cmstp.exe
      C:\Windows\system32\cmstp.exe
      1⤵
        PID:2920
      • C:\Users\Admin\AppData\Local\4Pr0EJso\cmstp.exe
        C:\Users\Admin\AppData\Local\4Pr0EJso\cmstp.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2848
      • C:\Windows\system32\VaultSysUi.exe
        C:\Windows\system32\VaultSysUi.exe
        1⤵
          PID:2908
        • C:\Users\Admin\AppData\Local\swIOK\VaultSysUi.exe
          C:\Users\Admin\AppData\Local\swIOK\VaultSysUi.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1688

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\4Pr0EJso\VERSION.dll
          Filesize

          840KB

          MD5

          33988d01f49afc80f815271da961588c

          SHA1

          035f2c1e9c5cb337fcdf1ef453b06a62a45a1ac6

          SHA256

          4932ab9921187fa474e8831b94290c08fed655fffb71a1e065c0a072e74314b2

          SHA512

          fb8f654b89edc956e6d98447fd03cfce8817825f20ff3c77691414237174f86069920c14838c1703842d0a2850cb0b54a663d69ac3a68b5a28eecfa0bc14dc92

          Download Submit

        • C:\Users\Admin\AppData\Local\BecJfd09R\VERSION.dll
          Filesize

          840KB

          MD5

          20d3a7bae9cecbe480be36f98922e0ae

          SHA1

          dffff4abed3a0b7860b60e5077042d15c7b07c88

          SHA256

          814f75fa881ff4ded950c2f466ce6869d774433aef60b4145733b0a57ffc8ae6

          SHA512

          3ee64ef7440b0bb0d430e8b8daad6a573466c5ba702df2ae9326e4c8950a7a3ab2aa9f2ef1b9ff8e7ced681a9a8cd1c8564f5c4f50e8ec90514a6d69433e358d

          Download Submit

        • C:\Users\Admin\AppData\Local\swIOK\VaultSysUi.exe
          Filesize

          39KB

          MD5

          f40ef105d94350d36c799ee23f7fec0f

          SHA1

          ee3a5cfe8b807e1c1718a27eb97fa134360816e3

          SHA256

          eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

          SHA512

          f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

          Download Submit

        • C:\Users\Admin\AppData\Local\swIOK\credui.dll
          Filesize

          840KB

          MD5

          d763d3fe5115c51720ae5511cf10ed6c

          SHA1

          9ef22dcbcaa996718705318308066dd091e60fe0

          SHA256

          7124392e71f7639fbc933e719a63299420cba2d0cd6966e84f0f9d7b8f9c46c4

          SHA512

          64f4a8adb0df9d7321bc71beeac5f8e50eeed84d12ad72aa09f2631798298c5f4f5e0d82c075a4c5e11eaacfa08a638fb6fa74661c94a3aa6d38d7df86191e5c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mityoyoyxpr.lnk
          Filesize

          945B

          MD5

          3d7c1a1a2147372c1065e20db37ccb2b

          SHA1

          2305a3ea63f0acf7ff04ce69a58438c70a60c63c

          SHA256

          803ac945d83ae4ba03f24bd46ce7571c778f5edea15976854fe85fe3d2bd6ec8

          SHA512

          b19014fdfedf8039068a8ae61443145050031f7b38ba0a72cb18344baa78610184b44470a0a38f61df10846f37597c0d1f3a5ba947fe647eba3dcfe3a46945f5

          Download Submit

        • \Users\Admin\AppData\Local\4Pr0EJso\cmstp.exe
          Filesize

          90KB

          MD5

          74c6da5522f420c394ae34b2d3d677e3

          SHA1

          ba135738ef1fb2f4c2c6c610be2c4e855a526668

          SHA256

          51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

          SHA512

          bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

          Download Submit

        • \Users\Admin\AppData\Local\BecJfd09R\icardagt.exe
          Filesize

          1.3MB

          MD5

          2fe97a3052e847190a9775431292a3a3

          SHA1

          43edc451ac97365600391fa4af15476a30423ff6

          SHA256

          473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

          SHA512

          93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

          Download Submit

        • memory/1240-32-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-27-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-9-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-10-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-14-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-13-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-12-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-11-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-30-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-47-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-46-0x00000000024B0000-0x00000000024B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1240-49-0x00000000772D0000-0x00000000772D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1240-48-0x00000000772A0000-0x00000000772A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1240-59-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-58-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-38-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-37-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-36-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-35-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-34-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-33-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-8-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-31-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-29-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-28-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-17-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-26-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-25-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-24-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-23-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-22-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-21-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-20-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-19-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-18-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-16-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-15-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-3-0x0000000076F36000-0x0000000076F37000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1240-4-0x00000000024D0000-0x00000000024D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1240-7-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1240-93-0x0000000076F36000-0x0000000076F37000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1240-6-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1688-114-0x0000000000170000-0x0000000000177000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2116-67-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/2116-2-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2116-0-0x0000000140000000-0x00000001400D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/2464-79-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/2464-76-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/2848-94-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2848-97-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download