Overview

overview

10

Static

static

3

20820c2a9b...18.dll

windows7-x64

10

20820c2a9b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    28-07-2024 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20820c2a9bf906522a7592b6a394f25c_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    20820c2a9bf906522a7592b6a394f25c

  • SHA1

    9468c6497d136660b8349d1748ba71152b749509

  • SHA256

    0837def50bbee311ec7d43a7769cea5a285fee80fc6cf2a9796573cb400bf4e8

  • SHA512

    6cefdee4fbb47b90237dc4a57f1c568f03de10963357fc6d319e2f9566a592f5605f4113dc471afc87329199cdecdf7a70b170d6af50be36e322ed7c4eb8d152

  • SSDEEP

    24576:XuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:Z9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\20820c2a9bf906522a7592b6a394f25c_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2232
  • C:\Windows\system32\isoburn.exe
    C:\Windows\system32\isoburn.exe
    1⤵
      PID:1976
    • C:\Users\Admin\AppData\Local\68pVza2r\isoburn.exe
      C:\Users\Admin\AppData\Local\68pVza2r\isoburn.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2848
    • C:\Windows\system32\winlogon.exe
      C:\Windows\system32\winlogon.exe
      1⤵
        PID:2400
      • C:\Users\Admin\AppData\Local\CvXvfrRd7\winlogon.exe
        C:\Users\Admin\AppData\Local\CvXvfrRd7\winlogon.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:860
      • C:\Windows\system32\sdclt.exe
        C:\Windows\system32\sdclt.exe
        1⤵
          PID:2060
        • C:\Users\Admin\AppData\Local\KgO8qOtBD\sdclt.exe
          C:\Users\Admin\AppData\Local\KgO8qOtBD\sdclt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2536

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\68pVza2r\UxTheme.dll
          Filesize

          1.2MB

          MD5

          71caa990207cb9f995158378cb73f671

          SHA1

          51e6eb871654228aa94d3931bb8f1eeb5f0a6f59

          SHA256

          f20695069d7dcf8d5daefc3cd87b9a59ccc5d1cce6581387975aadc1725d79ae

          SHA512

          24c46dd560508d7ba4069bdd0847a5f24caec3ce9ac0f772d90c3ef5ea014005576192e8515c8ef17100ab4367f079d210cb7c077ea2b0500b5cff24aeb3b19f

          Download Submit

        • C:\Users\Admin\AppData\Local\KgO8qOtBD\sdclt.exe
          Filesize

          1.2MB

          MD5

          cdebd55ffbda3889aa2a8ce52b9dc097

          SHA1

          4b3cbfff5e57fa0cb058e93e445e3851063646cf

          SHA256

          61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

          SHA512

          2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

          Download Submit

        • C:\Users\Admin\AppData\Local\KgO8qOtBD\slc.dll
          Filesize

          1.2MB

          MD5

          a1845a7c9ae1e1522f48bb73f1497190

          SHA1

          77c7a2fe9273530ff3700e8a7f105638a2dbf261

          SHA256

          09acb6ace44836a619b1f3fb2e80ac55c077dda0f2f6678a5510e89261d3918f

          SHA512

          d87719488270ddcdc8cca2f454accc2a12ae6e91c522bdd94f53f72128ac620c27423b81c2fe818e857b14f556fba54dade379dbd3aeda0495a348c2d722b153

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ewnqrlgibmqii.lnk
          Filesize

          1KB

          MD5

          0744d1c75f4e575e372be8588ca10367

          SHA1

          c1381f87f0e5e45847ece170619aed1be97f41fb

          SHA256

          d5b8bb79148a4fba0fd60db843ae3931762570a61937a25915ccfe2926942396

          SHA512

          eb6f37350828032b1f499471f06393d691f1b91b66d42a981584fa19939e48fc08c8ed895ee703059ad3594c22247810276f59736c145afa51acac6d8d58a89b

          Download Submit

        • \Users\Admin\AppData\Local\68pVza2r\isoburn.exe
          Filesize

          89KB

          MD5

          f8051f06e1c4aa3f2efe4402af5919b1

          SHA1

          bbcf3711501dfb22b04b1a6f356d95a6d5998790

          SHA256

          50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

          SHA512

          5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

          Download Submit

        • \Users\Admin\AppData\Local\CvXvfrRd7\WINSTA.dll
          Filesize

          1.2MB

          MD5

          413c9bb1e63ebe4b947dcea6ae5e78e3

          SHA1

          49c757d7c98fc19fbb73534caa8593f45a7d3b51

          SHA256

          b0870fcd35ba351a485c9dbd1860d4bf73d3b3303a73f67ec1f6af7a0838c0d3

          SHA512

          d5ed28d8d177cfd93cd094bf82f9b444bdb426ba9e2ce695accec16b9dff7898b03b9dcf1ffedb0daa7202ded30cbf2b71ab522b05380faa17e8525fda152903

          Download Submit

        • \Users\Admin\AppData\Local\CvXvfrRd7\winlogon.exe
          Filesize

          381KB

          MD5

          1151b1baa6f350b1db6598e0fea7c457

          SHA1

          434856b834baf163c5ea4d26434eeae775a507fb

          SHA256

          b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

          SHA512

          df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

          Download Submit

        • memory/860-78-0x000007FEF76A0000-0x000007FEF77D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/860-75-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/860-71-0x000007FEF76A0000-0x000007FEF77D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-25-0x00000000025A0000-0x00000000025A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1344-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-38-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-4-0x00000000771E6000-0x00000000771E7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1344-26-0x00000000773F1000-0x00000000773F2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1344-5-0x00000000025C0000-0x00000000025C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1344-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-74-0x00000000771E6000-0x00000000771E7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1344-27-0x0000000077580000-0x0000000077582000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1344-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1344-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2232-1-0x000007FEF76B0000-0x000007FEF77E0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2232-45-0x000007FEF76B0000-0x000007FEF77E0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2232-0-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2536-90-0x000007FEF76A0000-0x000007FEF77D1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2536-93-0x00000000002B0000-0x00000000002B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2536-96-0x000007FEF76A0000-0x000007FEF77D1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2848-59-0x000007FEF77D0000-0x000007FEF7901000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2848-56-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2848-53-0x000007FEF77D0000-0x000007FEF7901000-memory.dmp

          Filesize

          1.2MB

          Download