Overview

overview

10

Static

static

3

21c141dcb5...18.dll

windows7-x64

10

21c141dcb5...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2024 20:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21c141dcb53d6e92c947f3fe480a267d_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    21c141dcb53d6e92c947f3fe480a267d

  • SHA1

    2d12b1a6bc68b02c4df842f01afb3a0b97a2b901

  • SHA256

    8506a0be38a93d9236db2fbb42a97fc10e6fa42dc77ac6a5ed35476bd30f2574

  • SHA512

    87fb19f6bf66d1c67e43d22c6db0ec22318749cc7be0e9b7e6e5809ec23245bf5f2b96713a3fe8055c7f2cc4174407fe95d285283791655b07d06cff1e3d9b41

  • SSDEEP

    24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\21c141dcb53d6e92c947f3fe480a267d_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2512
  • C:\Windows\system32\Dxpserver.exe
    C:\Windows\system32\Dxpserver.exe
    1⤵
      PID:2656
    • C:\Users\Admin\AppData\Local\5b1zUhd6u\Dxpserver.exe
      C:\Users\Admin\AppData\Local\5b1zUhd6u\Dxpserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2776
    • C:\Windows\system32\tcmsetup.exe
      C:\Windows\system32\tcmsetup.exe
      1⤵
        PID:1788
      • C:\Users\Admin\AppData\Local\wQZxf\tcmsetup.exe
        C:\Users\Admin\AppData\Local\wQZxf\tcmsetup.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1536
      • C:\Windows\system32\perfmon.exe
        C:\Windows\system32\perfmon.exe
        1⤵
          PID:1968
        • C:\Users\Admin\AppData\Local\pPYcSU\perfmon.exe
          C:\Users\Admin\AppData\Local\pPYcSU\perfmon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2920

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\5b1zUhd6u\XmlLite.dll
          Filesize

          1.2MB

          MD5

          fc397de7f8b9620955bdc2d9d46e4a87

          SHA1

          48e9c74906cd99a767526ba68c16671d300be321

          SHA256

          f4e228c3c8df1720af2a03fbae4da06bf1880388320d067af41d722c0a621fb5

          SHA512

          003772b965ef09928e4cc7cb51b326ae3e067d261c55c06342b352468f99ea4fdeca4a9637184790c8226b5927a155c651eaa572c1206d26e92c08a6b66c307f

          Download Submit

        • C:\Users\Admin\AppData\Local\pPYcSU\credui.dll
          Filesize

          1.2MB

          MD5

          32a1a4e86e5b8463f24fcdd349e7902f

          SHA1

          df96e2908706788e47db23d7915ab2038e1a109a

          SHA256

          90da832b44ba3d086fcc252fcd90c1754db61008fea67c8c9c359bfd8e0d4263

          SHA512

          3437ba4f76a0ebd58f197339242983bdfac52954824fb83c0dc29da3f8ba121211c8a6a90a0f1a52da30be6c7d04437f66004305a7ba846fffec0b8e39845a43

          Download Submit

        • C:\Users\Admin\AppData\Local\wQZxf\TAPI32.dll
          Filesize

          1.2MB

          MD5

          7da2e32717c2bd2ccdf75ab4fbc64740

          SHA1

          080430f1331cb2a08871e547fd1b3242373f4bdb

          SHA256

          cd4f2f8c0a03a77265ff17497c0b6c6053d810f3bd9d19634bc439e86d63615c

          SHA512

          8ac87288b003cc575944cc34087140af7f128cf2d323b32c0a09560da87569b6eb68f73d861ddb4e26eecc8c56539bb597f479d6ff6e6bc234fb665fbe5b0fd1

          Download Submit

        • C:\Users\Admin\AppData\Local\wQZxf\tcmsetup.exe
          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk
          Filesize

          1KB

          MD5

          ff57f08f34d4c464ed29d50780f3cd5a

          SHA1

          9bc08b216b8cac91f2510760ab6c36a55da0b999

          SHA256

          9afcdb8a1c41f92d2cf13981006bccb323b80c76de4a9cacfc3dfd13a63f645e

          SHA512

          fd6ff4c5c724c75ac1569e959c65c1c19de2190243dcf4ff2b0975878453fd1dcbe7612cc4d17d1a28fc08b87e488a3468b01a2f7a322c9760ea4f1e637db58f

          Download Submit

        • \Users\Admin\AppData\Local\5b1zUhd6u\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • \Users\Admin\AppData\Local\pPYcSU\perfmon.exe
          Filesize

          168KB

          MD5

          3eb98cff1c242167df5fdbc6441ce3c5

          SHA1

          730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

          SHA256

          6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

          SHA512

          f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

          Download Submit

        • memory/1200-27-0x00000000776A0000-0x00000000776A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1200-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-4-0x0000000077406000-0x0000000077407000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-26-0x0000000077511000-0x0000000077512000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-37-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-5-0x0000000002E40000-0x0000000002E41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-25-0x0000000002E20000-0x0000000002E27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1200-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-64-0x0000000077406000-0x0000000077407000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1536-72-0x000007FEF6290000-0x000007FEF63C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1536-75-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1536-78-0x000007FEF6290000-0x000007FEF63C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2512-45-0x000007FEF62A0000-0x000007FEF63D0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2512-0-0x0000000001E00000-0x0000000001E07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2512-1-0x000007FEF62A0000-0x000007FEF63D0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2776-59-0x000007FEF6C20000-0x000007FEF6D51000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2776-55-0x000007FEF6C20000-0x000007FEF6D51000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2776-53-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2920-90-0x000007FEF6290000-0x000007FEF63C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2920-93-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2920-96-0x000007FEF6290000-0x000007FEF63C1000-memory.dmp

          Filesize

          1.2MB

          Download