Overview

overview

10

Static

static

3

3985eb89d1...18.dll

windows7-x64

10

3985eb89d1...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 05:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3985eb89d1fd86b34237dd652791e711_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    3985eb89d1fd86b34237dd652791e711

  • SHA1

    8d9e62ae446b92a2e000ba48049db40bc42826d9

  • SHA256

    9c8c275de7475ec92078de7d256ba88876564bc544414f73adcaae45b72750c1

  • SHA512

    ca6712691481ba69bad62c3921d4fd69748cb2f24470f53d9d4ebad7ae6971c1d8f1e2baaafa93bbb9b57d5646f82e3f37ba65b1dd3fc7fe2b91914b5af1ce90

  • SSDEEP

    24576:ZuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:L9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3985eb89d1fd86b34237dd652791e711_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3040
  • C:\Windows\system32\rrinstaller.exe
    C:\Windows\system32\rrinstaller.exe
    1⤵
      PID:2928
    • C:\Users\Admin\AppData\Local\VNKyi\rrinstaller.exe
      C:\Users\Admin\AppData\Local\VNKyi\rrinstaller.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2640
    • C:\Windows\system32\sigverif.exe
      C:\Windows\system32\sigverif.exe
      1⤵
        PID:2276
      • C:\Users\Admin\AppData\Local\YBth\sigverif.exe
        C:\Users\Admin\AppData\Local\YBth\sigverif.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2060
      • C:\Windows\system32\SoundRecorder.exe
        C:\Windows\system32\SoundRecorder.exe
        1⤵
          PID:1204
        • C:\Users\Admin\AppData\Local\0TONuhu\SoundRecorder.exe
          C:\Users\Admin\AppData\Local\0TONuhu\SoundRecorder.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2496

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0TONuhu\SoundRecorder.exe
          Filesize

          139KB

          MD5

          47f0f526ad4982806c54b845b3289de1

          SHA1

          8420ea488a2e187fe1b7fcfb53040d10d5497236

          SHA256

          e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

          SHA512

          4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

          Download Submit

        • C:\Users\Admin\AppData\Local\0TONuhu\UxTheme.dll
          Filesize

          1.2MB

          MD5

          e1eaa19f6a1342a97b4e61319fe445b0

          SHA1

          2fd8f9587a1e06ecb22987a113077b0ffd9a777d

          SHA256

          4b8407d1c66256d93402b2277a414355c3e50ce1faf4b26bd081ac2c1be53cdf

          SHA512

          8636290adefa5c3171774023c2a60860ff53ce7cc64e03c68cb486f2d328fd3a5817264bb012c832fc33ac9ad7a2a82e8efec977b6ea43952f632ea6c61b4549

          Download Submit

        • C:\Users\Admin\AppData\Local\VNKyi\MFPlat.DLL
          Filesize

          1.2MB

          MD5

          3c93eab0b45a0be33c1f75a72981b134

          SHA1

          b02515c1ef734c3d9e5838afcb9f14c067174956

          SHA256

          1ba3a683155915f35516365512ee6303d78ea0db9305845c916674b86c40c1b1

          SHA512

          980b3f8996c8f22711588a67d6622c6390525841030835f0e77f8fddbf0b6b301ca88b1a8341fe2f6aa32e8a412d70777d8f06ff3193771ec87415294f7be956

          Download Submit

        • C:\Users\Admin\AppData\Local\YBth\VERSION.dll
          Filesize

          1.2MB

          MD5

          d9d399e560a084a5c99350840efaa149

          SHA1

          517bd60f9a37421f4e27af465de29c7c826c16a9

          SHA256

          1877528e8a745d7253575f79023164cd526bd2047a036aec91dee9cd07a7c359

          SHA512

          3c344440a2cc26d4e5daefba44d6114ab040e076916caae137969a97d9008dbf3cdeb0b60fe291d3b4641b129817612e068544ec3afd4f961e7f9919ee399d0a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ewnqrlgibmqii.lnk
          Filesize

          1KB

          MD5

          ff3e56452fcf608a727d94aea14b886f

          SHA1

          86300f1fc3a11212804ba4ffb6d1a1a7ab953603

          SHA256

          d25f81b6c0294fd3149495af087df748ada4d217c42536a9d0ac22c361832526

          SHA512

          8c044ae8fbc66cbeb80976d919bbd100deca7d83a4b2c26aecba0961fe066b09c4cb2154bebb568a7480010b1c3c9ae425a131ef55b8116768c8c88803845c9b

          Download Submit

        • \Users\Admin\AppData\Local\VNKyi\rrinstaller.exe
          Filesize

          54KB

          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit

        • \Users\Admin\AppData\Local\YBth\sigverif.exe
          Filesize

          73KB

          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

          Download Submit

        • memory/1392-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-4-0x0000000077116000-0x0000000077117000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1392-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-25-0x0000000002A20000-0x0000000002A27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1392-26-0x0000000077221000-0x0000000077222000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1392-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-29-0x00000000773B0000-0x00000000773B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1392-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-5-0x0000000002A40000-0x0000000002A41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1392-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-64-0x0000000077116000-0x0000000077117000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2060-75-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2060-72-0x000007FEF7440000-0x000007FEF7572000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2060-78-0x000007FEF7440000-0x000007FEF7572000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2496-93-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2496-96-0x000007FEF7440000-0x000007FEF7572000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2640-59-0x000007FEF7570000-0x000007FEF76A3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2640-56-0x0000000001AC0000-0x0000000001AC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2640-53-0x000007FEF7570000-0x000007FEF76A3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3040-45-0x000007FEF7430000-0x000007FEF7561000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3040-3-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3040-0-0x000007FEF7430000-0x000007FEF7561000-memory.dmp

          Filesize

          1.2MB

          Download