Overview

overview

10

Static

static

3

371af98fd5...18.dll

windows7-x64

10

371af98fd5...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29/07/2024, 03:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    371af98fd5d1b6a8ecf30ab87a8ce6af_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    371af98fd5d1b6a8ecf30ab87a8ce6af

  • SHA1

    ae32ecdcb944cc6f2bab0a65e06f3e93d3222edd

  • SHA256

    ef76520c0aed81b7d9370ec55c8b159f4e7ffe0266e3d7789e9e886179e17816

  • SHA512

    b63c15c5ebb0fecdf9b144d34b544b2d614fe7558ba7f6e626946fa75622745ec149e43270d30e204078244187ccafe889d6d9961d9cd85ca1dc6b8142d400eb

  • SSDEEP

    24576:2uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NA:29cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\371af98fd5d1b6a8ecf30ab87a8ce6af_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2516
  • C:\Windows\system32\Netplwiz.exe
    C:\Windows\system32\Netplwiz.exe
    1⤵
      PID:2896
    • C:\Users\Admin\AppData\Local\o6vdzMa8\Netplwiz.exe
      C:\Users\Admin\AppData\Local\o6vdzMa8\Netplwiz.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2600
    • C:\Windows\system32\rdrleakdiag.exe
      C:\Windows\system32\rdrleakdiag.exe
      1⤵
        PID:2288
      • C:\Users\Admin\AppData\Local\t1BOS\rdrleakdiag.exe
        C:\Users\Admin\AppData\Local\t1BOS\rdrleakdiag.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2272
      • C:\Windows\system32\wusa.exe
        C:\Windows\system32\wusa.exe
        1⤵
          PID:552
        • C:\Users\Admin\AppData\Local\TIF97r4\wusa.exe
          C:\Users\Admin\AppData\Local\TIF97r4\wusa.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1188

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\TIF97r4\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          956f5f4d2696e735f1eec14c41213348

          SHA1

          9a8cee1b98e2b9841ab6c63a50d40bf1efd5d58c

          SHA256

          7d3af9de082c2e6c38f64d311ef1a5941e6442def911c587baeef2567035e1cf

          SHA512

          4f76a3c1a7383c25877314ba7db076441bad160bc37e2b7aaf1d07baf7d33c9b6b7b8d7c0fea004b9d4d21478fd928322fcda315b5da22b4792fe8d8f7a2ce15

          Download Submit

        • C:\Users\Admin\AppData\Local\TIF97r4\wusa.exe
          Filesize

          300KB

          MD5

          c15b3d813f4382ade98f1892350f21c7

          SHA1

          a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

          SHA256

          8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

          SHA512

          6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

          Download Submit

        • C:\Users\Admin\AppData\Local\o6vdzMa8\NETPLWIZ.dll
          Filesize

          1.2MB

          MD5

          8f2dabe1d89df691abb4fa7d2614d419

          SHA1

          d8d6b1bd8903c4756ac1b9c0fd46b267011a35a7

          SHA256

          e5a47c8cd73c6b2cb4c7b12ce4aa7e3f56e7422964054fd6adfb6aee7e315607

          SHA512

          56a196878c096034b0d933102df73744ce4d8af916f8c4b2c7b238a02215db2b448e974d3281321a4d9f2995757a4a5d881da5c4bd6bac135826986cdb58220c

          Download Submit

        • C:\Users\Admin\AppData\Local\t1BOS\VERSION.dll
          Filesize

          1.2MB

          MD5

          03e4e2400cbad1c50875155cbaf9ca6d

          SHA1

          4fc83f3ae1f21be033304d0fc8606e5fea102781

          SHA256

          db30571915a289700052bbeae4b586634711c68b2529618dafcbf0c95de5fe37

          SHA512

          621c76a178a7ced03e38fb1bf4e8842f0e0f6e7144967c72821f3e7c2f24c995402ac2ee33c407d4297f23ddc93f09f11491a882484aea0c97bdd137360b68c5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Filabyuswgwl.lnk
          Filesize

          1KB

          MD5

          26a0f56f014a44ec9127cc93301ca17e

          SHA1

          22ddc8503c91e283f3fd1fe565a2db6da3338dbd

          SHA256

          d746f0b30bb47e01d0d4ef694777fbcd408895c8f3e5b01b9e70cf2902cc66ed

          SHA512

          d6c4c554714da40f6c0b7ad6f8f72647d1dd07e076efca5c97aaed7472d3b2330d3934b78840fd64b1f323b7390c9987503c82c50dd2f034c834491fb8deaedd

          Download Submit

        • \Users\Admin\AppData\Local\o6vdzMa8\Netplwiz.exe
          Filesize

          26KB

          MD5

          e43ec3c800d4c0716613392e81fba1d9

          SHA1

          37de6a235e978ecf3bb0fc2c864016c5b0134348

          SHA256

          636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

          SHA512

          176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

          Download Submit

        • \Users\Admin\AppData\Local\t1BOS\rdrleakdiag.exe
          Filesize

          39KB

          MD5

          5e058566af53848541fa23fba4bb5b81

          SHA1

          769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

          SHA256

          ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

          SHA512

          352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

          Download Submit

        • memory/1188-97-0x000007FEF6010000-0x000007FEF6148000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-94-0x0000000000420000-0x0000000000427000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-91-0x000007FEF6010000-0x000007FEF6148000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-8-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-4-0x0000000076FD6000-0x0000000076FD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-27-0x00000000771E1000-0x00000000771E2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-25-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-15-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-14-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-13-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-11-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-28-0x0000000077370000-0x0000000077372000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-37-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-38-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-26-0x00000000024E0000-0x00000000024E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1216-17-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-16-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-5-0x00000000024D0000-0x00000000024D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-7-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-10-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-65-0x0000000076FD6000-0x0000000076FD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-12-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1216-9-0x0000000140000000-0x0000000140137000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2272-76-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2272-73-0x000007FEF5EE0000-0x000007FEF6018000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2272-79-0x000007FEF5EE0000-0x000007FEF6018000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2516-0-0x000007FEF6910000-0x000007FEF6A47000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2516-46-0x000007FEF6910000-0x000007FEF6A47000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2516-3-0x00000000001C0000-0x00000000001C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2600-60-0x000007FEF6910000-0x000007FEF6A48000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2600-57-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2600-54-0x000007FEF6910000-0x000007FEF6A48000-memory.dmp

          Filesize

          1.2MB

          Download