Overview

overview

10

Static

static

3

2eba1f3e3c...18.dll

windows7-x64

10

2eba1f3e3c...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 00:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2eba1f3e3c4d522681391430b61ebf5e_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    2eba1f3e3c4d522681391430b61ebf5e

  • SHA1

    fa261d032dff878e2b05185a88ff061f2ad8cc79

  • SHA256

    3b2d01d04f1d9eac4c480c16befd364cdd797febe47b96ad4a78380af63cf33f

  • SHA512

    e35975deb8ec44d47cff6ca13407511b8dca41706069ab975c28e8f606c62b908e7e6c8298e0e975a4cb4f816f4314de895e6065eea819351384e6023227bf33

  • SSDEEP

    24576:2uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:29cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eba1f3e3c4d522681391430b61ebf5e_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2988
  • C:\Windows\system32\winlogon.exe
    C:\Windows\system32\winlogon.exe
    1⤵
      PID:3040
    • C:\Users\Admin\AppData\Local\cqg\winlogon.exe
      C:\Users\Admin\AppData\Local\cqg\winlogon.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2716
    • C:\Windows\system32\mspaint.exe
      C:\Windows\system32\mspaint.exe
      1⤵
        PID:2460
      • C:\Users\Admin\AppData\Local\MCh1\mspaint.exe
        C:\Users\Admin\AppData\Local\MCh1\mspaint.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3008
      • C:\Windows\system32\unregmp2.exe
        C:\Windows\system32\unregmp2.exe
        1⤵
          PID:324
        • C:\Users\Admin\AppData\Local\Ty7X\unregmp2.exe
          C:\Users\Admin\AppData\Local\Ty7X\unregmp2.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2088

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Ty7X\VERSION.dll
          Filesize

          1.2MB

          MD5

          1c008502759e05f8f6b26732e843f14c

          SHA1

          b2c89895fa0e02862274d4bd8c3869a7002b24dc

          SHA256

          afb3f83a249aea60170acdd6f918e0fc8de6747e097d114eb813718b9e8921b0

          SHA512

          dce5c0587114246577fe36e9f6bb60097a821965116c51e86f8805d4f4db185c66087c8173b7dd2602e5902f435a4126ce4b818a14bb54fbbb1ec750ec37c027

          Download Submit

        • C:\Users\Admin\AppData\Local\cqg\WINSTA.dll
          Filesize

          1.2MB

          MD5

          db9fb5e41b6ca24e9159cfbf21a451ff

          SHA1

          4b6c3ad6c073b6e53ae21734ccfc439bb53f1b6e

          SHA256

          456c1fc89fb5b6a51875013ab0d588db68f7f4df2df83b36dbe524e2a0657825

          SHA512

          cd4fbc58c47a5623b0cb61ccba856346f16b61ee6a174004ee3d2aca930531e8c257349cc2918f760347f9faf17896ea032f6a904e08a4d3ceeda5737cd11182

          Download Submit

        • C:\Users\Admin\AppData\Local\cqg\winlogon.exe
          Filesize

          381KB

          MD5

          1151b1baa6f350b1db6598e0fea7c457

          SHA1

          434856b834baf163c5ea4d26434eeae775a507fb

          SHA256

          b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

          SHA512

          df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dwxzrb.lnk
          Filesize

          1KB

          MD5

          15b9e2114a15bc9b00019d0231010de7

          SHA1

          ebeb3634333d34b8491f49874da4c4d5baa123d6

          SHA256

          cfb15bb7c44255155671681ca4283c8e0627696d2ef5b07650df47c04970a147

          SHA512

          b6046e3ac87a36b20d016b8a83e1a5ade92ab7fb82c2ab0f74dec0508b10d159327b5007d15fc6d82ccb6cabad49138c35c80955f96d51ec5df666df1c5c957d

          Download Submit

        • \Users\Admin\AppData\Local\MCh1\WINMM.dll
          Filesize

          1.2MB

          MD5

          da65de0ede793e30c8b90bc145a5317f

          SHA1

          bb6aa7ae5f5fadf4797a1a4a3c94d9cbc96293fa

          SHA256

          8b6a006580ec7297ae37a69d37bd2ea0bb78c1ade027fca77c0e191a51b86155

          SHA512

          c3e48602d95baa597f06c831decb1a6f362df6b066e8dd59e1215400fde0798b1a074f15ab6a9d786c8fa71c2f9542a3509a4061f92f265e775a91a92ca2312c

          Download Submit

        • \Users\Admin\AppData\Local\MCh1\mspaint.exe
          Filesize

          6.4MB

          MD5

          458f4590f80563eb2a0a72709bfc2bd9

          SHA1

          3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

          SHA256

          ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

          SHA512

          e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

          Download Submit

        • \Users\Admin\AppData\Local\Ty7X\unregmp2.exe
          Filesize

          316KB

          MD5

          64b328d52dfc8cda123093e3f6e4c37c

          SHA1

          f68f45b21b911906f3aa982e64504e662a92e5ab

          SHA256

          7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

          SHA512

          e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

          Download Submit

        • memory/1192-27-0x0000000077090000-0x0000000077092000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-4-0x0000000076DF6000-0x0000000076DF7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-37-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-5-0x0000000002D20000-0x0000000002D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-26-0x0000000076F01000-0x0000000076F02000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-25-0x0000000002D00000-0x0000000002D07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-64-0x0000000076DF6000-0x0000000076DF7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2088-97-0x000007FEF6410000-0x000007FEF6541000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2088-102-0x000007FEF6410000-0x000007FEF6541000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2716-59-0x000007FEF6DE0000-0x000007FEF6F12000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2716-56-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2716-53-0x000007FEF6DE0000-0x000007FEF6F12000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2988-45-0x000007FEF6420000-0x000007FEF6550000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2988-3-0x00000000002B0000-0x00000000002B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2988-0-0x000007FEF6420000-0x000007FEF6550000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3008-72-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3008-73-0x000007FEF6200000-0x000007FEF6332000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3008-76-0x000007FEF6200000-0x000007FEF6332000-memory.dmp

          Filesize

          1.2MB

          Download