Overview

overview

10

Static

static

3

2e03ac77d3...18.dll

windows7-x64

10

2e03ac77d3...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e03ac77d375deb5f78b2a2ea9f27b23_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    2e03ac77d375deb5f78b2a2ea9f27b23

  • SHA1

    573d366ab1d2b5cf0450eb3d040b6a4f3c9e43ce

  • SHA256

    90aaa47f51d7605218ee97cf17711d1dc9b238a6573ece4fe328489841874dc6

  • SHA512

    e1d08ebeb363f2d9f5a89afec4424372553329a64fcc14bc0f181e8d8b06a6f2ece04c7dd76948b8c87d5003a8de87e0b00bc1f74107aef43ef409290b1f1bc1

  • SSDEEP

    24576:uuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:O9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e03ac77d375deb5f78b2a2ea9f27b23_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2628
  • C:\Windows\system32\wisptis.exe
    C:\Windows\system32\wisptis.exe
    1⤵
      PID:2820
    • C:\Users\Admin\AppData\Local\zHbW\wisptis.exe
      C:\Users\Admin\AppData\Local\zHbW\wisptis.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2572
    • C:\Windows\system32\recdisc.exe
      C:\Windows\system32\recdisc.exe
      1⤵
        PID:2604
      • C:\Users\Admin\AppData\Local\GEwsdSPt\recdisc.exe
        C:\Users\Admin\AppData\Local\GEwsdSPt\recdisc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2672
      • C:\Windows\system32\lpksetup.exe
        C:\Windows\system32\lpksetup.exe
        1⤵
          PID:2532
        • C:\Users\Admin\AppData\Local\j1ZLpi\lpksetup.exe
          C:\Users\Admin\AppData\Local\j1ZLpi\lpksetup.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1660

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\GEwsdSPt\SPP.dll
          Filesize

          1.2MB

          MD5

          6444f1c37bdc60ceb4a606cf4e91c49a

          SHA1

          6f65c3666428e6f22e14bea18fb1e20b257aa1ab

          SHA256

          b090ce8a8c62151e524ada704ddd4abdc9da65916b9aa4426780b59d43db5478

          SHA512

          c085cdc437db7c7216165fade461be94ad48aeaea7bc742742287f29875072473f9eb6ce615b954441ea4efddd24dcb6b7cf350966d84f7796cfdfd3e7a62c86

          Download Submit

        • C:\Users\Admin\AppData\Local\GEwsdSPt\recdisc.exe
          Filesize

          232KB

          MD5

          f3b306179f1840c0813dc6771b018358

          SHA1

          dec7ce3c13f7a684cb52ae6007c99cf03afef005

          SHA256

          dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

          SHA512

          9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

          Download Submit

        • C:\Users\Admin\AppData\Local\zHbW\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          fc170288f2ccf25f296c17079013b349

          SHA1

          f5f678ca979773d4ba2e7bd2b5f31c473045b72d

          SHA256

          f724c6e486832271fca4bcca41b8cfeb226736facae09ba8ea62d407060ccb99

          SHA512

          05f978a618ea0006244f67f116afe1eb2aeb85b2bc88dc008cceabe0b5de8c860264ee6e2d8ddbbd0453e604d92873f957e020c4a11df493db2d438e8cf2d658

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Filabyuswgwl.lnk
          Filesize

          1KB

          MD5

          9d3164db97edbff96e14ad34acf1881a

          SHA1

          7059639330671e622f25a19a653948013fc3be45

          SHA256

          dbd453ec4410e750577b3c6c31c6626316ba26ceb5b7da55e2caef5c25877b9c

          SHA512

          57b18e4b301b40bcf64a3efed2e3a2436d04352430d02d943798397a20bc9cb21d813f5db445e38d58e382797ef2e67d8bc65ae580aa9c613a81826e990eea38

          Download Submit

        • \Users\Admin\AppData\Local\j1ZLpi\dpx.dll
          Filesize

          1.2MB

          MD5

          32550215c419c7200fc47611925d5695

          SHA1

          e5465ebf4d883b63a099dca0b243fc8e97e361fa

          SHA256

          b1782a280c6e6915d84b685812f01a61c9d006d02d1d2897ba5458dbae8235e3

          SHA512

          f836aa8220f85c023ff0aafe89452a58d68dec3a1f9b0003e99147d92496276ef8a41bbb74abd031b2eaa5994fc53b57168be6aa8c6b094a2e1fa9801e243812

          Download Submit

        • \Users\Admin\AppData\Local\j1ZLpi\lpksetup.exe
          Filesize

          638KB

          MD5

          50d28f3f8b7c17056520c80a29efe17c

          SHA1

          1b1e62be0a0bdc9aec2e91842c35381297d8f01e

          SHA256

          71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

          SHA512

          92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

          Download Submit

        • \Users\Admin\AppData\Local\zHbW\wisptis.exe
          Filesize

          396KB

          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit

        • memory/1188-24-0x0000000002510000-0x0000000002517000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-30-0x0000000077DB0000-0x0000000077DB2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-4-0x0000000077B16000-0x0000000077B17000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-35-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-33-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-5-0x0000000002530000-0x0000000002531000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-29-0x0000000077C21000-0x0000000077C22000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-26-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-67-0x0000000077B16000-0x0000000077B17000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1660-83-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1660-89-0x000007FEF6790000-0x000007FEF68C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2572-54-0x000007FEF7330000-0x000007FEF7462000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2572-50-0x000007FEF7330000-0x000007FEF7462000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2628-42-0x000007FEF6790000-0x000007FEF68C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2628-0-0x000007FEF6790000-0x000007FEF68C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2628-3-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2672-64-0x000007FEF6790000-0x000007FEF68C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2672-68-0x00000000003A0000-0x00000000003A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2672-71-0x000007FEF6790000-0x000007FEF68C2000-memory.dmp

          Filesize

          1.2MB

          Download