Overview

overview

10

Static

static

3

2659ed2cb4...18.dll

windows7-x64

10

2659ed2cb4...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2024 21:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2659ed2cb4afab7a842b055f23ffd340_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    2659ed2cb4afab7a842b055f23ffd340

  • SHA1

    509080204bd698f75f5096799f1bc7c13ecf79d9

  • SHA256

    26d370fac05289d2d7895acb5ab970e500769b0fff27e5807a0edf36a662926f

  • SHA512

    5819c6ffcd8b7ae10b2d7f5694eff3d1d19645273ae29d161e0a6ab975fa33b8d75268292c5d257c77172202afa38179127d46d1592c9ff7667523acc2186a1e

  • SSDEEP

    24576:euYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:e9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2659ed2cb4afab7a842b055f23ffd340_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2336
  • C:\Windows\system32\SystemPropertiesRemote.exe
    C:\Windows\system32\SystemPropertiesRemote.exe
    1⤵
      PID:2720
    • C:\Users\Admin\AppData\Local\4Hcr5Ab\SystemPropertiesRemote.exe
      C:\Users\Admin\AppData\Local\4Hcr5Ab\SystemPropertiesRemote.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2740
    • C:\Windows\system32\Netplwiz.exe
      C:\Windows\system32\Netplwiz.exe
      1⤵
        PID:2512
      • C:\Users\Admin\AppData\Local\1lggHc\Netplwiz.exe
        C:\Users\Admin\AppData\Local\1lggHc\Netplwiz.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2548
      • C:\Windows\system32\FXSCOVER.exe
        C:\Windows\system32\FXSCOVER.exe
        1⤵
          PID:1868
        • C:\Users\Admin\AppData\Local\CXD\FXSCOVER.exe
          C:\Users\Admin\AppData\Local\CXD\FXSCOVER.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2584

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1lggHc\NETPLWIZ.dll
          Filesize

          1.2MB

          MD5

          95842ec71242fa17ac8347a684b7e6e9

          SHA1

          f96ce4e1f31a2e5fe22ec07dcb12bf08f671834a

          SHA256

          ce6e7408fddde24d8ebf17588a44ee8b3a8ec3480a12586b79c6ae52606e5b5c

          SHA512

          5f71c108e158372936acd9c9ba5ead118c1e55d0dce1871e3984cd4e5f48dc0d1686d42490d80f05000acfc09d8701766dde72b21136a1cfd33016daffa8f3d3

          Download Submit

        • C:\Users\Admin\AppData\Local\1lggHc\Netplwiz.exe
          Filesize

          26KB

          MD5

          e43ec3c800d4c0716613392e81fba1d9

          SHA1

          37de6a235e978ecf3bb0fc2c864016c5b0134348

          SHA256

          636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

          SHA512

          176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

          Download Submit

        • C:\Users\Admin\AppData\Local\4Hcr5Ab\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          e26fc4dd510e8da154418cb4a76277bc

          SHA1

          26960f0588931ccced0312b4674efef77c8ec329

          SHA256

          eb14288548b71bdf2d0a56e06c287c6a9ccf7ae0a067f60c45c8ca000d0a63df

          SHA512

          da60748be249bc03be77f4f5468b8b1745d95953f656e5c763f926bf59786d4d9f1308cfd5df6f748085c3ffa1c90519b5bcc1985f9b684fec9b9a5dd3a36e19

          Download Submit

        • C:\Users\Admin\AppData\Local\4Hcr5Ab\SystemPropertiesRemote.exe
          Filesize

          80KB

          MD5

          d0d7ac869aa4e179da2cc333f0440d71

          SHA1

          e7b9a58f5bfc1ec321f015641a60978c0c683894

          SHA256

          5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

          SHA512

          1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

          Download Submit

        • C:\Users\Admin\AppData\Local\CXD\FXSCOVER.exe
          Filesize

          261KB

          MD5

          5e2c61be8e093dbfe7fc37585be42869

          SHA1

          ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

          SHA256

          3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

          SHA512

          90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

          Download Submit

        • C:\Users\Admin\AppData\Local\CXD\MFC42u.dll
          Filesize

          1.2MB

          MD5

          bdfc173d1b0bc38a7a2c514890345b4b

          SHA1

          0a40866695085af0114cc945c0cd29b3dab67688

          SHA256

          1e917e24174a884455f6d1bf7531ceb17dbdd5d215381f80a71b74128560d647

          SHA512

          7d2d55ed34a57568a650729aef79dd6bf075193ec160990db93647e1b86a1d5f008c82424b6b9cc333622b2c6ac55f36c7448363f2f6214352471e8f933f2838

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ewnqrlgibmqii.lnk
          Filesize

          1KB

          MD5

          d5409ed5135f2e64493aa14d33e25cfc

          SHA1

          29613055704a8622dc379c5aafbf6e63083e2f57

          SHA256

          9de1f37d38b7eb240048ba2c69e38e598dd8808229ec1f4390d4bb5046f8f0b6

          SHA512

          d876d5aa7890a4f2fbd59a9e3b501f4dddd505518576c031d9360118ea035cb4f7c5bc9aef07e67e28d57163e93ff7cca64a217bd09cc2d881fc58ce74fb0fd6

          Download Submit

        • memory/1188-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-4-0x0000000077966000-0x0000000077967000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-26-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-30-0x0000000077C00000-0x0000000077C02000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-29-0x0000000077A71000-0x0000000077A72000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-38-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-23-0x0000000002DD0000-0x0000000002DD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-75-0x0000000077966000-0x0000000077967000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2336-46-0x000007FEF7120000-0x000007FEF7251000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2336-3-0x00000000000C0000-0x00000000000C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2336-0-0x000007FEF7120000-0x000007FEF7251000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2548-76-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2548-72-0x000007FEF6910000-0x000007FEF6A42000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2548-79-0x000007FEF6910000-0x000007FEF6A42000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2584-91-0x0000000000080000-0x0000000000087000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2584-93-0x000007FEF6910000-0x000007FEF6A48000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2584-97-0x000007FEF6910000-0x000007FEF6A48000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2740-60-0x000007FEF7180000-0x000007FEF72B2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2740-57-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2740-54-0x000007FEF7180000-0x000007FEF72B2000-memory.dmp

          Filesize

          1.2MB

          Download