Overview

overview

10

Static

static

3

6d8bf02033...18.dll

windows7-x64

10

6d8bf02033...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    30-07-2024 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d8bf02033dde545d05351f631980308_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    6d8bf02033dde545d05351f631980308

  • SHA1

    e3c3e55f963bd4df788dccd21f11c8e0f6c33542

  • SHA256

    81bfe8da0570d8f0bee3ac1e95c73ea4617601bb23c33d0e3431ea9e3db93baa

  • SHA512

    76d35b440a86c108b038df0163a02481fae95d78e97aef3de74152e33e9f3ab04ffedb73639b400020f1f362daa28d256933ef121cb8d134cab46dc6ad675d3e

  • SSDEEP

    24576:HuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NvE:p9cKrUqZWLAcUH

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6d8bf02033dde545d05351f631980308_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2972
  • C:\Windows\system32\SoundRecorder.exe
    C:\Windows\system32\SoundRecorder.exe
    1⤵
      PID:2508
    • C:\Users\Admin\AppData\Local\RlBF\SoundRecorder.exe
      C:\Users\Admin\AppData\Local\RlBF\SoundRecorder.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1408
    • C:\Windows\system32\wscript.exe
      C:\Windows\system32\wscript.exe
      1⤵
        PID:2688
      • C:\Users\Admin\AppData\Local\spLds\wscript.exe
        C:\Users\Admin\AppData\Local\spLds\wscript.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2752
      • C:\Windows\system32\wextract.exe
        C:\Windows\system32\wextract.exe
        1⤵
          PID:1808
        • C:\Users\Admin\AppData\Local\Dap4vr\wextract.exe
          C:\Users\Admin\AppData\Local\Dap4vr\wextract.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1416

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Dap4vr\VERSION.dll
          Filesize

          1.2MB

          MD5

          77ba87f3c41e515536ce1a5013bea7ca

          SHA1

          789fc3ee27fd1a560b8fb498fe59b0d9b17ff93e

          SHA256

          7dab7054767337311feaf11faac8744332e7d32e30f8b36fbc0210663c7d40f0

          SHA512

          d2e1e3071aae8e254765c7f2f1c15a1ca18ecc7222b5799152c0a6c2f26153c0cfaee162c929b5fc569eea855d18c8fef6a538b2aa914047cfd8e8ac91a83038

          Download Submit

        • C:\Users\Admin\AppData\Local\RlBF\SoundRecorder.exe
          Filesize

          139KB

          MD5

          47f0f526ad4982806c54b845b3289de1

          SHA1

          8420ea488a2e187fe1b7fcfb53040d10d5497236

          SHA256

          e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

          SHA512

          4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

          Download Submit

        • C:\Users\Admin\AppData\Local\RlBF\WINMM.dll
          Filesize

          1.2MB

          MD5

          34029dc98259532a2b92ae6e55efc339

          SHA1

          372ed64d63685657de997e212a6ff5699912ef1a

          SHA256

          7b45b3752b1f3bc84323c7f8797c6468af7c1c25e5eef762024045a2298b7c1a

          SHA512

          e8d2381d235a6db58d9eac59d1a4f863c561192f11e1a5c8f99a4e739b16f999a48b02c31e0bbbd5da22750afe2acad69ad2c7519a2d9a6cd336e09af5f50579

          Download Submit

        • C:\Users\Admin\AppData\Local\spLds\VERSION.dll
          Filesize

          1.2MB

          MD5

          b316ebd40ebcc30cf197958b22613c28

          SHA1

          6a80f0f41fb2c4d6dca7379313b613eac67470f5

          SHA256

          a763c74f5fcc96a4c877fb8f04165091b49ecd78cdd46a9680f7319d76e0a868

          SHA512

          78cab4f604bbb0f035bae23c01bdc0103180dde31526f8d0a9ae17fd656e86d86669e65936cdddc16d4f19b06d51086cc773c5e8b6d88c6013ddf1bb913441aa

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Filabyuswgwl.lnk
          Filesize

          1KB

          MD5

          0e15caf9586b205655f5390411c03c64

          SHA1

          61e8163703e82d39fd538d38c658ff5233239aef

          SHA256

          dcd3c44b32665e708e9dba11a99adff7f0d5f5ec701370f1e178ecb364764457

          SHA512

          706ed4b5b9b410fdcdd110c7351b12edcd2b8a3bc1ab22d235882ba50687db7df9b33e7d0b6f6e2121b1a387da0b69dda4cff7d3a3556154761968b1abdcf7e5

          Download Submit

        • \Users\Admin\AppData\Local\Dap4vr\wextract.exe
          Filesize

          140KB

          MD5

          1ea6500c25a80e8bdb65099c509af993

          SHA1

          6a090ef561feb4ae1c6794de5b19c5e893c4aafc

          SHA256

          99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

          SHA512

          b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

          Download Submit

        • \Users\Admin\AppData\Local\spLds\wscript.exe
          Filesize

          165KB

          MD5

          8886e0697b0a93c521f99099ef643450

          SHA1

          851bd390bf559e702b8323062dbeb251d9f2f6f7

          SHA256

          d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

          SHA512

          fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

          Download Submit

        • memory/1248-12-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-15-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-4-0x0000000076F66000-0x0000000076F67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1248-11-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-10-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-9-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-8-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-7-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-26-0x0000000077071000-0x0000000077072000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1248-25-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-29-0x0000000077200000-0x0000000077202000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1248-37-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-36-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-5-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1248-14-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-13-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-18-0x0000000002D90000-0x0000000002D97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1248-16-0x0000000140000000-0x0000000140136000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1248-64-0x0000000076F66000-0x0000000076F67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1408-59-0x000007FEF73D0000-0x000007FEF7508000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1408-54-0x000007FEF73D0000-0x000007FEF7508000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1408-53-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1416-98-0x000007FEF6710000-0x000007FEF6847000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2752-75-0x000007FEF6710000-0x000007FEF6847000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2752-78-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2752-81-0x000007FEF6710000-0x000007FEF6847000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2972-45-0x000007FEF7370000-0x000007FEF74A6000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2972-0-0x00000000001D0000-0x00000000001D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2972-1-0x000007FEF7370000-0x000007FEF74A6000-memory.dmp

          Filesize

          1.2MB

          Download