Overview

overview

10

Static

static

3

34b5a5e26c...18.dll

windows7-x64

10

34b5a5e26c...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 03:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34b5a5e26c1fc9cb86f772e8984ef966_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    34b5a5e26c1fc9cb86f772e8984ef966

  • SHA1

    04c065da296af65d4d6217a984494239127ca651

  • SHA256

    3e6d8d1cbcc0301f55df11d1ed8889cd73920d683488f95bfaaef68cc795e2fe

  • SHA512

    b8ee5e509d1091a99b2f2b8523b3203f236d2ccc68a3be13b297018ab17c9c53bfc12b19888d096a15ce4dd6812a8177180d94c4b16bd71cc0320e918b37edaf

  • SSDEEP

    24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nxt:m9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\34b5a5e26c1fc9cb86f772e8984ef966_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2880
  • C:\Windows\system32\mstsc.exe
    C:\Windows\system32\mstsc.exe
    1⤵
      PID:2872
    • C:\Users\Admin\AppData\Local\Ppw\mstsc.exe
      C:\Users\Admin\AppData\Local\Ppw\mstsc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2996
    • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
      C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
      1⤵
        PID:2344
      • C:\Users\Admin\AppData\Local\HxzHcW\SystemPropertiesDataExecutionPrevention.exe
        C:\Users\Admin\AppData\Local\HxzHcW\SystemPropertiesDataExecutionPrevention.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:696
      • C:\Windows\system32\icardagt.exe
        C:\Windows\system32\icardagt.exe
        1⤵
          PID:2316
        • C:\Users\Admin\AppData\Local\6Tpbsk4q\icardagt.exe
          C:\Users\Admin\AppData\Local\6Tpbsk4q\icardagt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2380

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\HxzHcW\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          c7cc560bd6b7b5d1c5e0962aa767240e

          SHA1

          aa43b83b3f916e5379f68ba934f10d94da2a06e2

          SHA256

          ec473216020f0289e2e246b532b355cafb064fdf515d3bebe6e69414d8332b8d

          SHA512

          d42014f5e4189f342208430c42ee595eb63cba659d3fdae71b75cbdf19ea00790d75e245553e6775e41d01a1df2c185bbe2d5fbb5b31179b1bff4fcf24070af3

          Download Submit

        • C:\Users\Admin\AppData\Local\Ppw\WINMM.dll
          Filesize

          1.2MB

          MD5

          d3967b84dba50e12d549046a520ae27d

          SHA1

          000cbacc1cefd25fcf378d25de7de58dfd5d71d0

          SHA256

          44ade4aae7f28ac36675d51e72a4eb15cd1d01575dd56d8335a0d8a25defcb2b

          SHA512

          faa48a891fbe144959db0231fe6ec8db83aff63f36f0d028787129b8f0e5c0a4f1bf190e2c5aad8c0a50566570ed069517c46e7d1db7245089ea0fd33ce77176

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ewnqrlgibmqii.lnk
          Filesize

          1KB

          MD5

          566469174f4168779a60bcfae4ab135a

          SHA1

          4a70309ca2538b3b09741aee529a938565cc7d26

          SHA256

          62981836d4ebb1b2b4d77737a2699a4acdd27f0fd99eeeca93636c73a76c58b9

          SHA512

          c20437c6de4a242c0fa13ffd62efbcb44cc02b7c6a30991c55b4319f88c26561f042bdf1e319391133b44bce45c442037b92bf4befdf8cb89345f9046fc33039

          Download Submit

        • \Users\Admin\AppData\Local\6Tpbsk4q\UxTheme.dll
          Filesize

          1.2MB

          MD5

          78c217c7a6fd77546bd259ee0c2df349

          SHA1

          30b77183d8f5e1bc0f0add228e117756ac52dbbb

          SHA256

          40043fdb96b37102ae0db191c300cadd9f4d109638fff538ab2290d7de4799a7

          SHA512

          8f6807b654916b5ce8b21b74db20445c77b9669aad4b3bea1ff2b0a759bc1dcfb7cf90013ecfd12d17f17952cdf48f8a8f33992a823fd2f44a245c96a8364e28

          Download Submit

        • \Users\Admin\AppData\Local\6Tpbsk4q\icardagt.exe
          Filesize

          1.3MB

          MD5

          2fe97a3052e847190a9775431292a3a3

          SHA1

          43edc451ac97365600391fa4af15476a30423ff6

          SHA256

          473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

          SHA512

          93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

          Download Submit

        • \Users\Admin\AppData\Local\HxzHcW\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          80KB

          MD5

          e43ff7785fac643093b3b16a9300e133

          SHA1

          a30688e84c0b0a22669148fe87680b34fcca2fba

          SHA256

          c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

          SHA512

          61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

          Download Submit

        • \Users\Admin\AppData\Local\Ppw\mstsc.exe
          Filesize

          1.1MB

          MD5

          50f739538ef014b2e7ec59431749d838

          SHA1

          b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

          SHA256

          85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

          SHA512

          02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

          Download Submit

        • memory/696-81-0x000007FEF7DD0000-0x000007FEF7F02000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/696-78-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/696-74-0x000007FEF7DD0000-0x000007FEF7F02000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-26-0x0000000002160000-0x0000000002167000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1356-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-31-0x0000000077D40000-0x0000000077D42000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1356-30-0x0000000077BB1000-0x0000000077BB2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1356-39-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-4-0x0000000077AA6000-0x0000000077AA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1356-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-5-0x0000000002520000-0x0000000002521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1356-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-77-0x0000000077AA6000-0x0000000077AA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1356-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1356-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2380-98-0x000007FEF7DD0000-0x000007FEF7F02000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2880-1-0x000007FEF7DC0000-0x000007FEF7EF1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2880-46-0x000007FEF7DC0000-0x000007FEF7EF1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2880-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2996-54-0x000007FEF7F00000-0x000007FEF8033000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2996-57-0x0000000001E40000-0x0000000001E47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2996-60-0x000007FEF7F00000-0x000007FEF8033000-memory.dmp

          Filesize

          1.2MB

          Download