Overview

overview

10

Static

static

3

32537f5052...18.dll

windows7-x64

10

32537f5052...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32537f50522e3740a5c02b2b70095c69_JaffaCakes118.dll

  • Size

    1.4MB

  • MD5

    32537f50522e3740a5c02b2b70095c69

  • SHA1

    33c1010b9daea842501a2c4c854d4084d726880d

  • SHA256

    5f25e058ec1e4e713a06af4af810eaeee84640b5b6a3995d8bb384e06e958f74

  • SHA512

    660606f2c7cd54ae91a1be2fcbd41d52472ca3ac97880aefffa178b02f1c14df18a901b02267cfb58cfa441f123617f353ca7ce6d7c3b61daef5afb150d5b1e1

  • SSDEEP

    24576:guYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NF:w9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\32537f50522e3740a5c02b2b70095c69_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1716
  • C:\Windows\system32\xpsrchvw.exe
    C:\Windows\system32\xpsrchvw.exe
    1⤵
      PID:2208
    • C:\Users\Admin\AppData\Local\ZSf4s\xpsrchvw.exe
      C:\Users\Admin\AppData\Local\ZSf4s\xpsrchvw.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1284
    • C:\Windows\system32\shrpubw.exe
      C:\Windows\system32\shrpubw.exe
      1⤵
        PID:2652
      • C:\Users\Admin\AppData\Local\elph5umW\shrpubw.exe
        C:\Users\Admin\AppData\Local\elph5umW\shrpubw.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2544
      • C:\Windows\system32\fveprompt.exe
        C:\Windows\system32\fveprompt.exe
        1⤵
          PID:2760
        • C:\Users\Admin\AppData\Local\aAnwkob\fveprompt.exe
          C:\Users\Admin\AppData\Local\aAnwkob\fveprompt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2956

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ZSf4s\WINMM.dll
          Filesize

          1.4MB

          MD5

          de575dba9858b5951b079ce606592700

          SHA1

          aa610292d475a6f2a7733e3ec54ad1b3858b1376

          SHA256

          72fa74d5cd405800bfc69980686e8cbffcaa2f39fb8994fd9ad2cf17af37ca94

          SHA512

          4ff195594a916453633237ac634a1bb6043a280741abd6d49c00ab30ede131067259983e456ba41d2cf88f06c2f7e8d6f0ba468930d2db148233f84f20b7d5eb

          Download Submit

        • C:\Users\Admin\AppData\Local\aAnwkob\slc.dll
          Filesize

          1.4MB

          MD5

          9ab2e6f6a9ac7f1d3d92f4b0f3e5c2a3

          SHA1

          349b00b3cdafe85475e9187af18c85e9c4bb72c0

          SHA256

          ab3a74305b81e0a449ace70001ca11e6003a24a195ce62e53567093bd573ac42

          SHA512

          e45af70639694332b90f6b892ee614a496eeec3c19acf5f45e0d3c4946b1491e39a92646d3046af9e990d9aebec50dd718d8dc015ccb5bf8b6cfe55055cfc535

          Download Submit

        • C:\Users\Admin\AppData\Local\elph5umW\ACLUI.dll
          Filesize

          1.4MB

          MD5

          162a0c445fe56de299dbe4d41278c54c

          SHA1

          2434728ddf7c5024c6df57534e4e095e3259a7be

          SHA256

          37d38458a2567e3fc02ef6adf7d65e4b0983954a059f914e39b40ed7c297cd83

          SHA512

          e7cf292028aa043512bbfe132935dbe3dcf6d9a25524576600b41a47360a72bacc63d44ab5ac9e6cb10186d127d3c68b2c61bd30d7ce0d420d8ec8017af4088f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
          Filesize

          1KB

          MD5

          e700d9db785aa9018cb767a0bff43064

          SHA1

          48a49fc40e03902a892fee586335763f7b29130b

          SHA256

          80fd61817c53d5a9354599a69e3d28e8f02371a67384b373c332191104580807

          SHA512

          857556bb18f21427f0435459865488a20d04ea0e02239f1cc2b6c80d651e67bb05746dfd71669a8e05a5ad87fefb8249121038328353051b97650bfd91e867a9

          Download Submit

        • \Users\Admin\AppData\Local\ZSf4s\xpsrchvw.exe
          Filesize

          4.6MB

          MD5

          492cb6a624d5dad73ee0294b5db37dd6

          SHA1

          e74806af04a5147ccabfb5b167eb95a0177c43b3

          SHA256

          ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

          SHA512

          63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

          Download Submit

        • \Users\Admin\AppData\Local\aAnwkob\fveprompt.exe
          Filesize

          104KB

          MD5

          dc2c44a23b2cd52bd53accf389ae14b2

          SHA1

          e36c7b6f328aa2ab2f52478169c52c1916f04b5f

          SHA256

          7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

          SHA512

          ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

          Download Submit

        • \Users\Admin\AppData\Local\elph5umW\shrpubw.exe
          Filesize

          398KB

          MD5

          29e6d0016611c8f948db5ea71372f76c

          SHA1

          01d007a01020370709cd6580717f9ace049647e8

          SHA256

          53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

          SHA512

          300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

          Download Submit

        • memory/1204-25-0x0000000002A70000-0x0000000002A77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-10-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1204-4-0x00000000770C6000-0x00000000770C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-29-0x0000000077460000-0x0000000077462000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-28-0x00000000772D1000-0x00000000772D2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-16-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1204-15-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1204-14-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1204-13-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1204-11-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1204-24-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1204-32-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1204-33-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1204-5-0x0000000002A90000-0x0000000002A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-12-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1204-9-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1204-67-0x00000000770C6000-0x00000000770C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-8-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1204-7-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1284-55-0x000007FEF5E70000-0x000007FEF5FD5000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1284-52-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1284-49-0x000007FEF5E70000-0x000007FEF5FD5000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1716-41-0x000007FEF5E70000-0x000007FEF5FD3000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1716-3-0x0000000000380000-0x0000000000387000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1716-0-0x000007FEF5E70000-0x000007FEF5FD3000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2544-68-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2544-69-0x000007FEF5DB0000-0x000007FEF5F14000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2544-74-0x000007FEF5DB0000-0x000007FEF5F14000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2956-86-0x000007FEF5E70000-0x000007FEF5FD4000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2956-91-0x000007FEF5E70000-0x000007FEF5FD4000-memory.dmp

          Filesize

          1.4MB

          Download