Overview

overview

10

Static

static

3

09e345e038...18.dll

windows7-x64

10

09e345e038...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2024 04:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09e345e03852dce614f9eca73b61b1a1_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    09e345e03852dce614f9eca73b61b1a1

  • SHA1

    2aa0419cefd28af7e97a89d912ba3c4375897881

  • SHA256

    394fcd54556c7c74118515fe23a2b666ea648ad9ee152a82fa8eefa200ccf4a6

  • SHA512

    65b8f72e0d80f61882a384d50d4ce7698c5a04d39986449c6b064bbd06baa68a370211a1ca1c2aff235c8597cfbcd9a6b6b011e7833806d48616e30b3a7d1ecc

  • SSDEEP

    24576:LuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:V9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\09e345e03852dce614f9eca73b61b1a1_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1072
  • C:\Windows\system32\iexpress.exe
    C:\Windows\system32\iexpress.exe
    1⤵
      PID:2940
    • C:\Users\Admin\AppData\Local\SN1k\iexpress.exe
      C:\Users\Admin\AppData\Local\SN1k\iexpress.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2636
    • C:\Windows\system32\wusa.exe
      C:\Windows\system32\wusa.exe
      1⤵
        PID:2664
      • C:\Users\Admin\AppData\Local\Ey5\wusa.exe
        C:\Users\Admin\AppData\Local\Ey5\wusa.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2056
      • C:\Windows\system32\Dxpserver.exe
        C:\Windows\system32\Dxpserver.exe
        1⤵
          PID:2964
        • C:\Users\Admin\AppData\Local\DOAKL4G37\Dxpserver.exe
          C:\Users\Admin\AppData\Local\DOAKL4G37\Dxpserver.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:568

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\DOAKL4G37\XmlLite.dll
          Filesize

          1.2MB

          MD5

          e21d0b7be241ae16ebe5e0d1ac4738d1

          SHA1

          e9b959a0bd2abbfcbd5822a4f7515f80dcbfdb28

          SHA256

          3edfc492fbc205ff798d57c7497c585eb76d517cc7683de0c0bce2a794feeeac

          SHA512

          eb22ab1eac95ba78270fe2ebf468b9cc40b9abde0fb71f9551be75beb29fb0785048f3c654dc6d7a282fee152e6cbb30db9f53739a12c4519041e33ca3356fdb

          Download Submit

        • C:\Users\Admin\AppData\Local\Ey5\dpx.dll
          Filesize

          1.2MB

          MD5

          9a2264bac37753c0b3cdeca9de0462e8

          SHA1

          a19ef9c6602c9ff6ed20e68010204b304467ba87

          SHA256

          db2c2f87223aeeb3a2da9df0e033f701c6d0afb53c892cd0efe403eea517ea6a

          SHA512

          7bd918383f4f5ed513d94d5268f6dbe9fea6c5728581e87e9022e885fffa71c7f1ed01b6f87847612acc28e5316269af1f38be6d2b1296fea9c122c4bdd6deed

          Download Submit

        • C:\Users\Admin\AppData\Local\SN1k\VERSION.dll
          Filesize

          1.2MB

          MD5

          dfcb6cbe1f584fd3166abdf1244f40d9

          SHA1

          b713e4e159dbadcb556b9ff42fb561c5e7d6000b

          SHA256

          774eca53ad3fb4528b604e58ba5148d7d3917cae2227d53642e4a51bfd26aa54

          SHA512

          93e18db4e99e44cd9f7003d7f51f617bc5ee3853fd13612ff7378459c44d7bbbb88110912171c7f88b42303159a8745b24711e9881fa796e9693bbf7d0fb5604

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rinzzkcfiw.lnk
          Filesize

          1KB

          MD5

          5903a987047c7f09d3c90d29837cdbdc

          SHA1

          cd41c24269163b46afb30fd62bb9d6be79bb92f0

          SHA256

          9d867682b3348467c72e9add070e9ddadebe2ed48754b04edb342c3c0cd4a3a7

          SHA512

          9e4013f1757b629aee38aca6afc635fbac31a514129922f5a0f5382004c97282ce35c4c4efee6e8ee0800be4627ef60395fe908a99347bcc5f48829a545aa82b

          Download Submit

        • \Users\Admin\AppData\Local\DOAKL4G37\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • \Users\Admin\AppData\Local\Ey5\wusa.exe
          Filesize

          300KB

          MD5

          c15b3d813f4382ade98f1892350f21c7

          SHA1

          a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

          SHA256

          8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

          SHA512

          6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

          Download Submit

        • \Users\Admin\AppData\Local\SN1k\iexpress.exe
          Filesize

          163KB

          MD5

          46fd16f9b1924a2ea8cd5c6716cc654f

          SHA1

          99284bc91cf829e9602b4b95811c1d72977700b6

          SHA256

          9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

          SHA512

          52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

          Download Submit

        • memory/568-95-0x000007FEF7190000-0x000007FEF72C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1072-45-0x000007FEF71A0000-0x000007FEF72D0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1072-1-0x000007FEF71A0000-0x000007FEF72D0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1072-0-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1216-25-0x0000000002790000-0x0000000002797000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1216-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-26-0x0000000076DB1000-0x0000000076DB2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-27-0x0000000076F40000-0x0000000076F42000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-37-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-53-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-4-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-5-0x00000000027C0000-0x00000000027C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2056-73-0x000007FEF7190000-0x000007FEF72C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2056-78-0x000007FEF7190000-0x000007FEF72C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2056-72-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2636-60-0x000007FEFA950000-0x000007FEFAA81000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2636-55-0x000007FEFA950000-0x000007FEFAA81000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2636-54-0x0000000000080000-0x0000000000087000-memory.dmp

          Filesize

          28KB

          Download