Overview

overview

10

Static

static

3

2eea949d5e...18.dll

windows7-x64

10

2eea949d5e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 00:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2eea949d5e460e676cfc46fedbfd7228_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    2eea949d5e460e676cfc46fedbfd7228

  • SHA1

    1aaa16ff737078f33d1d3a1698dba0c06d391505

  • SHA256

    0957af4a0171acd92171ed5b6922e5209095058c4d80bb1cb3cc770810c1786d

  • SHA512

    0d1df077e17274c752997be07d6337d3548b259af0da041dd48f86e64e08c3db2c32107d78698b25be88953cb2bb83efe044a8ac1f1879393b985b39ff17cba3

  • SSDEEP

    24576:/uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:B9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eea949d5e460e676cfc46fedbfd7228_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2196
  • C:\Windows\system32\rdpshell.exe
    C:\Windows\system32\rdpshell.exe
    1⤵
      PID:2580
    • C:\Users\Admin\AppData\Local\mv2NRI\rdpshell.exe
      C:\Users\Admin\AppData\Local\mv2NRI\rdpshell.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2608
    • C:\Windows\system32\osk.exe
      C:\Windows\system32\osk.exe
      1⤵
        PID:2288
      • C:\Users\Admin\AppData\Local\Al7vSpX\osk.exe
        C:\Users\Admin\AppData\Local\Al7vSpX\osk.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2464
      • C:\Windows\system32\rekeywiz.exe
        C:\Windows\system32\rekeywiz.exe
        1⤵
          PID:2172
        • C:\Users\Admin\AppData\Local\ypK5wM5i\rekeywiz.exe
          C:\Users\Admin\AppData\Local\ypK5wM5i\rekeywiz.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2332

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Al7vSpX\OLEACC.dll
          Filesize

          1.2MB

          MD5

          2cc27f532454289cce45ad8d10354e6d

          SHA1

          16411c94b805d2a2b0714dee55ed88117b1724a5

          SHA256

          448408de17a69a143b5571274b4830dfb24e0fbbcd3ea48de9fab62c742f4738

          SHA512

          a011a59855cc5dcfdaa1c47d9c1a31176432f6cb2ac7f742352712ca61cce8ce8bb05b7e31c90e5ee9396282d6fe4c88e16d3a76e4b9919e7e82cc57622c3d5a

          Download Submit

        • C:\Users\Admin\AppData\Local\mv2NRI\WINSTA.dll
          Filesize

          1.2MB

          MD5

          47d92ac5a75d2b9c6b5e6d0120d53918

          SHA1

          36444cba8c1784a89eed1c682e7dd55de84fba98

          SHA256

          5991621f8cb0c7a811cf03c326e33aceec6517710f49bbfa4226fef1dc32c598

          SHA512

          f73e0540bf733e47a58fd846ff374dd7ebf7f0f2ab94d487d634018ed06c3a6deef16eddf58790f813be99ef94c3d7de55c323a39307f93d92547439726be8be

          Download Submit

        • C:\Users\Admin\AppData\Local\ypK5wM5i\slc.dll
          Filesize

          1.2MB

          MD5

          46d5d62be0a293dedfd78c4043bb9861

          SHA1

          a876f5b9aba4713a9d67ae551ce98c16736572aa

          SHA256

          b6cfbc79864e0f58a24bc0c85a2a0690cb8ec0817f56286ccdc73d6373d0d5ee

          SHA512

          85a5656bd2d0ff89c13bf516f352e006dc04906dadaa10eb45ad2d6e1d48409a857b2d084d22653fc3ee2251978bb2ab9340788b99f7505064045b22dcd399ed

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
          Filesize

          1KB

          MD5

          a6cf3d51c634c12bb20b4c85eb40d129

          SHA1

          412b9519c97cce114d2c4b32d8b7e0c7feebad6f

          SHA256

          c2d04a8e9210e26a1bfc8b64c67afa101b51faf1af460df059b2c841060fa308

          SHA512

          608adf6363067f77772dc3da09c552918af9d7029c8d0f49a055c48d012592f43c003634df201e6d5fe4a7d8c16145da048ac1a8ca86490c78d782f6e876af66

          Download Submit

        • \Users\Admin\AppData\Local\Al7vSpX\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • \Users\Admin\AppData\Local\mv2NRI\rdpshell.exe
          Filesize

          292KB

          MD5

          a62dfcea3a58ba8fcf32f831f018fe3f

          SHA1

          75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

          SHA256

          f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

          SHA512

          9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

          Download Submit

        • \Users\Admin\AppData\Local\ypK5wM5i\rekeywiz.exe
          Filesize

          67KB

          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

          Download Submit

        • memory/1204-15-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-26-0x0000000002620000-0x0000000002627000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-4-0x0000000076CB6000-0x0000000076CB7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-17-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-30-0x0000000076F50000-0x0000000076F52000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-29-0x0000000076DC1000-0x0000000076DC2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-16-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-14-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-13-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-12-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-11-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-9-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-34-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-33-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-8-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-25-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-10-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-71-0x0000000076CB6000-0x0000000076CB7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-7-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-5-0x00000000029E0000-0x00000000029E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2196-42-0x000007FEF7060000-0x000007FEF7192000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2196-3-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2196-0-0x000007FEF7060000-0x000007FEF7192000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2332-86-0x000007FEF5ED0000-0x000007FEF6003000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2332-89-0x0000000000200000-0x0000000000207000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2332-92-0x000007FEF5ED0000-0x000007FEF6003000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2464-68-0x000007FEF7070000-0x000007FEF71A3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2464-74-0x000007FEF7070000-0x000007FEF71A3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-56-0x000007FEF71A0000-0x000007FEF72D4000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-53-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2608-50-0x000007FEF71A0000-0x000007FEF72D4000-memory.dmp

          Filesize

          1.2MB

          Download