Overview

overview

10

Static

static

3

1452f13dc5...18.dll

windows7-x64

10

1452f13dc5...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    28/07/2024, 10:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1452f13dc50be7b78017d4984f0b98c2_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    1452f13dc50be7b78017d4984f0b98c2

  • SHA1

    df176b802a4a5c9d9bad302c5116b7688c219859

  • SHA256

    3fd4e602beb3bc04479f55c761c27cb0ef1d8011db499266eb6615d75d53c067

  • SHA512

    af5e290af613a833236deb680d3bff9be6cfc60a71f0581edc7b15351cf385c79d5053366e39597030334dc6a3d7a62f32cc01ace478b9640c4fa4fdc28e5d4b

  • SSDEEP

    24576:yuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:a9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1452f13dc50be7b78017d4984f0b98c2_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1472
  • C:\Windows\system32\Dxpserver.exe
    C:\Windows\system32\Dxpserver.exe
    1⤵
      PID:2240
    • C:\Users\Admin\AppData\Local\xynJo\Dxpserver.exe
      C:\Users\Admin\AppData\Local\xynJo\Dxpserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2556
    • C:\Windows\system32\raserver.exe
      C:\Windows\system32\raserver.exe
      1⤵
        PID:2384
      • C:\Users\Admin\AppData\Local\bob\raserver.exe
        C:\Users\Admin\AppData\Local\bob\raserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2420
      • C:\Windows\system32\mblctr.exe
        C:\Windows\system32\mblctr.exe
        1⤵
          PID:1992
        • C:\Users\Admin\AppData\Local\R7AazwY\mblctr.exe
          C:\Users\Admin\AppData\Local\R7AazwY\mblctr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1856

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\R7AazwY\UxTheme.dll
          Filesize

          1.2MB

          MD5

          66dcc48d05a7fb4930f9da682a7cd0f4

          SHA1

          8018924ef9185579e0bf63a17047fc3c98d308db

          SHA256

          8aa46384c816d8be67a2c234419c8c9f129816c0724c2d9c3ddfc479f3f7ed2b

          SHA512

          593baed5a4b2f659edcc305ad0428ae1b9051f1a850fa3636ad99dc2ca8cd34c621a6de26ab80451aeb797472e92f185e74dc88914bdb0dce7cd989ace8f55ba

          Download Submit

        • C:\Users\Admin\AppData\Local\R7AazwY\mblctr.exe
          Filesize

          935KB

          MD5

          fa4c36b574bf387d9582ed2c54a347a8

          SHA1

          149077715ee56c668567e3a9cb9842284f4fe678

          SHA256

          b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

          SHA512

          1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

          Download Submit

        • C:\Users\Admin\AppData\Local\bob\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          8bc0d4886cb6df81b00ee131a64bd609

          SHA1

          42bf6c733a1b6df1f83a5b885dd41fe81dac7aa2

          SHA256

          504b7277610bdc88a3b8e4eac673ed964b78a16e865c78d1d0957369118bfa44

          SHA512

          d570ca3163744baca2cab8f43144807c302d374679e6f9d1dbb0574f7d5c47cfed494434c598b74bee5e43fd4fe2bd512845005c87297ee89c3a37452af20f2f

          Download Submit

        • C:\Users\Admin\AppData\Local\xynJo\dwmapi.dll
          Filesize

          1.2MB

          MD5

          663e3b004241099925060936b16efb07

          SHA1

          de4f677b1be4011385b6dde2337da1d94079a7d0

          SHA256

          74422e3efd52f4f9f6d4f58f7b7402c3224850b67446dbdb0c1670f19a8d77f1

          SHA512

          efb664e9baae84fbd36d5ffaf5457f4acbf7863f86c249aba067b5d8e710abf333ae7477ab930c7c947da50219539e980b5d658a5e00792e0b158fb076172080

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dzyzbjcaevupvd.lnk
          Filesize

          1KB

          MD5

          4ebbde9be5ec38c5514076dcefdeec66

          SHA1

          27c4f13e377537b8d4aad3c07aec717d0573761d

          SHA256

          a6b25372e3137b72f6d076fdfd22a6c50c8a53551c854a6819cdc09df7ed015a

          SHA512

          a56ce861fe3a19be86e6f42e151ae91b2750bcd1bf31c078b9873947178540ad7ba4b3e84435af9e5667cc6fcf534a08f7cbec278978cf760571a74aa6baf8aa

          Download Submit

        • \Users\Admin\AppData\Local\bob\raserver.exe
          Filesize

          123KB

          MD5

          cd0bc0b6b8d219808aea3ecd4e889b19

          SHA1

          9f8f4071ce2484008e36fdfd963378f4ebad703f

          SHA256

          16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

          SHA512

          84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

          Download Submit

        • \Users\Admin\AppData\Local\xynJo\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • memory/1188-12-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-10-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-4-0x0000000077586000-0x0000000077587000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-14-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-13-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-30-0x0000000077820000-0x0000000077822000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-29-0x0000000077691000-0x0000000077692000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-26-0x0000000002E60000-0x0000000002E67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-25-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-17-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-16-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-15-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-37-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-38-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-5-0x0000000002E80000-0x0000000002E81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-11-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-8-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-75-0x0000000077586000-0x0000000077587000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-7-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-9-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1472-46-0x000007FEF6520000-0x000007FEF6652000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1472-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1472-1-0x000007FEF6520000-0x000007FEF6652000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1856-96-0x000007FEF6520000-0x000007FEF6653000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2420-76-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2420-72-0x000007FEF6520000-0x000007FEF6653000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2420-79-0x000007FEF6520000-0x000007FEF6653000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2556-60-0x000007FEF7550000-0x000007FEF7683000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2556-55-0x000007FEF7550000-0x000007FEF7683000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2556-54-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download