Overview

overview

10

Static

static

3

1fcda2221e...18.dll

windows7-x64

10

1fcda2221e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2024 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1fcda2221e8944f12e34e61b96fbf88f_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    1fcda2221e8944f12e34e61b96fbf88f

  • SHA1

    c26145b0db9ad0248dfddd89daa1894826069a39

  • SHA256

    a2d0319fed40865b788210013d7a165b8a3d7ec6bb847d4529dbf2ba073a8f2e

  • SHA512

    d9013272340b574863dafb98738d70037fd279a809c9c4f5e898540c5fbd59fe53ce2aa545a03d3ebdcc922dc8da13f5a781624e1d858bb7784d59cb3322ae0d

  • SSDEEP

    24576:7uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:l9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fcda2221e8944f12e34e61b96fbf88f_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2368
  • C:\Windows\system32\winlogon.exe
    C:\Windows\system32\winlogon.exe
    1⤵
      PID:2944
    • C:\Users\Admin\AppData\Local\6J9\winlogon.exe
      C:\Users\Admin\AppData\Local\6J9\winlogon.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2872
    • C:\Windows\system32\slui.exe
      C:\Windows\system32\slui.exe
      1⤵
        PID:2444
      • C:\Users\Admin\AppData\Local\kbOZax2f\slui.exe
        C:\Users\Admin\AppData\Local\kbOZax2f\slui.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3060
      • C:\Windows\system32\irftp.exe
        C:\Windows\system32\irftp.exe
        1⤵
          PID:1952
        • C:\Users\Admin\AppData\Local\Fi63hL4K\irftp.exe
          C:\Users\Admin\AppData\Local\Fi63hL4K\irftp.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2068

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6J9\WINSTA.dll
          Filesize

          1.2MB

          MD5

          7fd58afab1aa4f231ed3d973d84c7fea

          SHA1

          d47d3dabbce6522b5d4d5c8621a9f5f7d221e9df

          SHA256

          f7f6f3792ac91578528e39e3c5afe6a9321e3746a8e1cfafdec8bd5ffeb03ac0

          SHA512

          0b0d42686d74df6089f5fd9a58da36e7cf7ce03756dfd67780c99fe5c74b05725a9885506af839c488ec652f41380ddb45e76f4652237da6167dabd208f5461a

          Download Submit

        • C:\Users\Admin\AppData\Local\Fi63hL4K\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          9c450818f99ffde13565eaadb4caa8a2

          SHA1

          319170823a3dd8810c51a28d4b1c5761e8494196

          SHA256

          abba416eecccfdd925eea41d9d93acb5c0f59f7ff4d67303df50de95d3717f44

          SHA512

          abf9e28665463d91698d83632d61dbbd14d5e746fe8a9978e366b94a0394cc69c05e85fa8b72e2fa8b5922b238d1f42e997491dfa6f08cbda6edc47061087a5f

          Download Submit

        • C:\Users\Admin\AppData\Local\kbOZax2f\slc.dll
          Filesize

          1.2MB

          MD5

          a0d80184c86aa394c793eb960db6d80c

          SHA1

          1e4a0c232a2c236c14caf5b4358798afcbc19895

          SHA256

          b71837efe3ce3b092baaa6762dc772848a2e8f26e264a9e829b31b153070e50f

          SHA512

          9f562a2583174e01301a4e047259adb1bc2c7d9cdb19f4f89f3f6fe110f70e65e6380e890f191ce9625b57416debfe8b823177d14d67b6d068d9b19372908c4a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk
          Filesize

          1KB

          MD5

          b2b5ef2e571d2aeff22b3fcbe8f1e3fc

          SHA1

          87ee018391b3b052e154342bf8807e87f34ea447

          SHA256

          cf567472c814f47488feac46d97db65f7809d4146e8c22dc05c863a0c7a875dc

          SHA512

          a8391a04c77e7f2e27aff509d8baec50e12bf510a45a8dc3fb57db99dd339ab56c31ff9d71449f990c06e6453f464c5831fc378469dbc3a30bd80e9e0da92ce1

          Download Submit

        • \Users\Admin\AppData\Local\6J9\winlogon.exe
          Filesize

          381KB

          MD5

          1151b1baa6f350b1db6598e0fea7c457

          SHA1

          434856b834baf163c5ea4d26434eeae775a507fb

          SHA256

          b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

          SHA512

          df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

          Download Submit

        • \Users\Admin\AppData\Local\Fi63hL4K\irftp.exe
          Filesize

          192KB

          MD5

          0cae1fb725c56d260bfd6feba7ae9a75

          SHA1

          102ac676a1de3ec3d56401f8efd518c31c8b0b80

          SHA256

          312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

          SHA512

          db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

          Download Submit

        • \Users\Admin\AppData\Local\kbOZax2f\slui.exe
          Filesize

          341KB

          MD5

          c5ce5ce799387e82b7698a0ee5544a6d

          SHA1

          ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

          SHA256

          34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

          SHA512

          79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

          Download Submit

        • memory/1404-29-0x0000000077E20000-0x0000000077E22000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1404-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1404-4-0x0000000077B86000-0x0000000077B87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1404-28-0x0000000077C91000-0x0000000077C92000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1404-25-0x0000000002D80000-0x0000000002D87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1404-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1404-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1404-32-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1404-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1404-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1404-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1404-33-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1404-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1404-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1404-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1404-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1404-70-0x0000000077B86000-0x0000000077B87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1404-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1404-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2068-85-0x000007FEF6F10000-0x000007FEF7042000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2068-88-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2068-91-0x000007FEF6F10000-0x000007FEF7042000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2368-41-0x000007FEF70C0000-0x000007FEF71F1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2368-0-0x000007FEF70C0000-0x000007FEF71F1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2368-3-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2872-53-0x000007FEF73A0000-0x000007FEF74D3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2872-52-0x0000000001F90000-0x0000000001F97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2872-49-0x000007FEF73A0000-0x000007FEF74D3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3060-67-0x000007FEF70C0000-0x000007FEF71F2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3060-73-0x000007FEF70C0000-0x000007FEF71F2000-memory.dmp

          Filesize

          1.2MB

          Download