Overview

overview

10

Static

static

3

2876b93cb2...18.dll

windows7-x64

10

2876b93cb2...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2024 22:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2876b93cb21d6a2221e6ceb50411d4fd_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    2876b93cb21d6a2221e6ceb50411d4fd

  • SHA1

    3c10977925549acc722bcfe64e152a1d14d7ebf4

  • SHA256

    39703d228241e44be2c2f4034de7002b590f762a909948a58fd48de07f007abb

  • SHA512

    9e510ef96855375a0d0584a5031814397e404bc45daaa4c355de332e7675fca77bcbb4ac8263d821d512e114348ebb4bd1c74f2f2891aefbcf9fc4d5e269355d

  • SSDEEP

    24576:XuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Na:Z9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2876b93cb21d6a2221e6ceb50411d4fd_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2416
  • C:\Windows\system32\sdclt.exe
    C:\Windows\system32\sdclt.exe
    1⤵
      PID:2864
    • C:\Users\Admin\AppData\Local\jjcoh\sdclt.exe
      C:\Users\Admin\AppData\Local\jjcoh\sdclt.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2992
    • C:\Windows\system32\ComputerDefaults.exe
      C:\Windows\system32\ComputerDefaults.exe
      1⤵
        PID:2528
      • C:\Users\Admin\AppData\Local\f9KBYjIuk\ComputerDefaults.exe
        C:\Users\Admin\AppData\Local\f9KBYjIuk\ComputerDefaults.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1680
      • C:\Windows\system32\wscript.exe
        C:\Windows\system32\wscript.exe
        1⤵
          PID:1760
        • C:\Users\Admin\AppData\Local\dO26b6\wscript.exe
          C:\Users\Admin\AppData\Local\dO26b6\wscript.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1516

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\dO26b6\VERSION.dll
          Filesize

          1.2MB

          MD5

          0c6c416ddb679485a08c4035a26308da

          SHA1

          315186945564817ced31ad43c3e3786c9f12150e

          SHA256

          93df266dcb8ed9279186dae251f38999036fc20e92439d90c5a242d7f900a449

          SHA512

          57316b4b016a91ac63555d08ac1eb9c863dd463032d3c0ff1cce1864ef63eb9336ec9913704d428dcb16193d7a3aef4f8144ca71dd4b9e3db9a7dce098789433

          Download Submit

        • C:\Users\Admin\AppData\Local\f9KBYjIuk\appwiz.cpl
          Filesize

          1.2MB

          MD5

          99ff0de80b940921117bc47bdb4ed6e1

          SHA1

          e604cd5d1d29941f708187d5a42f677d2d427d54

          SHA256

          8222b56b7bc178e535a199de6ce21a1bf37d0519e7641cb198c8db4d68a4afd6

          SHA512

          ffcdabaf242564bcfd4e59555a936910008c1b1d391b74780bb92fce9e5a7f61d52c1cdf9859effc7eaad4d1c20114a0ea4fd18ecdbb1ecf42dc00c2c8f1bae0

          Download Submit

        • C:\Users\Admin\AppData\Local\jjcoh\Secur32.dll
          Filesize

          1.2MB

          MD5

          02d2321ff7baccd989270bc23ba44db9

          SHA1

          6577373be014a9581cd2a2ca0599573a81ccbe78

          SHA256

          337f62b41eb0e56c545cae7248b5fa9054c29d6d690ddf9fe3e390a35fd2ab0a

          SHA512

          b7c1b8e0380fe717ad235af565fff30cdb529f8bd34a41c740f3ae7a2d27c5ae3f24e89ac6d93f3a1154167b0cd3553ccbaea3d11f0daa39f5d392cf5451fd0b

          Download Submit

        • C:\Users\Admin\AppData\Local\jjcoh\sdclt.exe
          Filesize

          1.2MB

          MD5

          cdebd55ffbda3889aa2a8ce52b9dc097

          SHA1

          4b3cbfff5e57fa0cb058e93e445e3851063646cf

          SHA256

          61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

          SHA512

          2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dwxzrb.lnk
          Filesize

          718B

          MD5

          4959ee8ee8e66daabf92e6e38993864a

          SHA1

          20323008b1985f75672f9aba046f929bc82ca0ba

          SHA256

          64e900160675f33873c6cfb038b0cec8229e3ee3bde6f5c22a8a8a318712a14c

          SHA512

          cc9896dd9e9b9eb65ea45861607ea9f1e5a3cef5945694bb3ff55f437119f8dfed2fb687f32d12bd7e4635433ceb8dcef7597e67e8e289b159097529505117e3

          Download Submit

        • \Users\Admin\AppData\Local\dO26b6\wscript.exe
          Filesize

          165KB

          MD5

          8886e0697b0a93c521f99099ef643450

          SHA1

          851bd390bf559e702b8323062dbeb251d9f2f6f7

          SHA256

          d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

          SHA512

          fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

          Download Submit

        • \Users\Admin\AppData\Local\f9KBYjIuk\ComputerDefaults.exe
          Filesize

          36KB

          MD5

          86bd981f55341273753ac42ea200a81e

          SHA1

          14fe410efc9aeb0a905b984ac27719ff0dd10ea7

          SHA256

          40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

          SHA512

          49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

          Download Submit

        • memory/1204-29-0x00000000778B0000-0x00000000778B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-4-0x0000000077616000-0x0000000077617000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-26-0x0000000077721000-0x0000000077722000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-25-0x0000000002DF0000-0x0000000002DF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-37-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-5-0x0000000002E10000-0x0000000002E11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-64-0x0000000077616000-0x0000000077617000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1516-96-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1516-99-0x000007FEF6540000-0x000007FEF6671000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1680-72-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1680-73-0x000007FEF6540000-0x000007FEF6671000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1680-78-0x000007FEF6540000-0x000007FEF6671000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2416-45-0x000007FEF6550000-0x000007FEF6680000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2416-3-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2416-0-0x000007FEF6550000-0x000007FEF6680000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-59-0x000007FEF6E50000-0x000007FEF6F81000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-54-0x000007FEF6E50000-0x000007FEF6F81000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2992-53-0x00000000003A0000-0x00000000003A7000-memory.dmp

          Filesize

          28KB

          Download