Overview

overview

10

Static

static

3

6ce1bc42db...18.dll

windows7-x64

10

6ce1bc42db...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    30-07-2024 01:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ce1bc42dba1e06a071f724f691f5696_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    6ce1bc42dba1e06a071f724f691f5696

  • SHA1

    af88a5c242b101fb94bcda6f8e65ae1a159a65be

  • SHA256

    a1b778d340f60f244bc8030323206caef7b22f10df2861b1f330900c6decbdb9

  • SHA512

    67c8d1bc9c61f2d0def951e8e4e60f36a796f80b772353bb5e077f403e618a83abaa80ec7679e961bd767b435254140c9433eeb744169e898da5b2b563d982b6

  • SSDEEP

    24576:iuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:q9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ce1bc42dba1e06a071f724f691f5696_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:984
  • C:\Windows\system32\tabcal.exe
    C:\Windows\system32\tabcal.exe
    1⤵
      PID:2880
    • C:\Users\Admin\AppData\Local\CoPCZ0jOR\tabcal.exe
      C:\Users\Admin\AppData\Local\CoPCZ0jOR\tabcal.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2996
    • C:\Windows\system32\OptionalFeatures.exe
      C:\Windows\system32\OptionalFeatures.exe
      1⤵
        PID:2512
      • C:\Users\Admin\AppData\Local\bRnOWl\OptionalFeatures.exe
        C:\Users\Admin\AppData\Local\bRnOWl\OptionalFeatures.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2500
      • C:\Windows\system32\dpnsvr.exe
        C:\Windows\system32\dpnsvr.exe
        1⤵
          PID:1960
        • C:\Users\Admin\AppData\Local\1yQnf\dpnsvr.exe
          C:\Users\Admin\AppData\Local\1yQnf\dpnsvr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3044

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1yQnf\WINMM.dll
          Filesize

          1.2MB

          MD5

          a74394bdc6409984f0f750a2f4eea61d

          SHA1

          32edd486105151b0e4a6ea2fcf5bf010ac2b560b

          SHA256

          63b21ff37edb7d35deea9541323c8d1335c53c41f97950d562fae786d0511c3b

          SHA512

          894851cb26faedf6ed911fa236fa5881296a265dfb7a52df54bdeb54c3d7575f7a5d23e33058d48494a1d6ca0950762f7aad7278b748aad5218740179b5ce3fa

          Download Submit

        • C:\Users\Admin\AppData\Local\CoPCZ0jOR\HID.DLL
          Filesize

          1.2MB

          MD5

          970d14ae65b346de3e429daa313da6ed

          SHA1

          e21f7844e12bfe5d0db846a5eb6d6ee2e38a26b3

          SHA256

          60a8ab2544baec675e51fa9ad82e376abdd82060297f00c66a6b7023805d308a

          SHA512

          1dea2c6812370acaa9112b33cdb92ac7f6e35384dfba22a76070404fe2a17eeafebaf0c63e49f20c7e8a0cfed6a49ab172755a6aeb0dc34ea7841f947709923c

          Download Submit

        • C:\Users\Admin\AppData\Local\bRnOWl\appwiz.cpl
          Filesize

          1.2MB

          MD5

          b5849059e5713b99505af7f6dc48cc6f

          SHA1

          15bc6af2aa492e3db1879064d40b2f1b9c82ae3e

          SHA256

          8bcc5c74309cf6366703afee4c402d1665e77234c38ac824b0e43b2c71aa312c

          SHA512

          1c0de5327c037ea25c9978934ebbd99cebcafeeff87c2a00aa9f4bbec4710e06a1fcd2e88543ebe9050c6d9edc2cff8e0ab98916bacf5d3e54b5886d62e87c38

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Acjenwgziemamyd.lnk
          Filesize

          1KB

          MD5

          e0a1fd9089e4e0a3e6b94a7855241c84

          SHA1

          0031677df3a66ff3e305f0149a84134b143806d4

          SHA256

          12d361957444768033e3f24c83eb376bc7ec14cf5aeaaa04a6b83770bd47ee42

          SHA512

          03ace7b14933823159e60f8f7783ce9f0d2d2759bfcaeb6d0e18fa25d31707c686686a02cbc1aef0cb65ec031ae896db53e7dc25490d5d3d36c73522ed998344

          Download Submit

        • \Users\Admin\AppData\Local\1yQnf\dpnsvr.exe
          Filesize

          33KB

          MD5

          6806b72978f6bd27aef57899be68b93b

          SHA1

          713c246d0b0b8dcc298afaed4f62aed82789951c

          SHA256

          3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

          SHA512

          43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

          Download Submit

        • \Users\Admin\AppData\Local\CoPCZ0jOR\tabcal.exe
          Filesize

          77KB

          MD5

          98e7911befe83f76777317ce6905666d

          SHA1

          2780088dffe1dd1356c5dd5112a9f04afee3ee8d

          SHA256

          3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

          SHA512

          fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

          Download Submit

        • \Users\Admin\AppData\Local\bRnOWl\OptionalFeatures.exe
          Filesize

          95KB

          MD5

          eae7af6084667c8f05412ddf096167fc

          SHA1

          0dbe8aba001447030e48e8ad5466fd23481e6140

          SHA256

          01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

          SHA512

          172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

          Download Submit

        • memory/984-46-0x000007FEF65A0000-0x000007FEF66D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/984-2-0x000007FEF65A0000-0x000007FEF66D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/984-0-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1240-7-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-37-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-28-0x0000000077640000-0x0000000077642000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1240-27-0x00000000774B1000-0x00000000774B2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1240-16-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-15-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-14-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-13-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-12-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-75-0x00000000772A6000-0x00000000772A7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1240-38-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-17-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-8-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-9-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-4-0x00000000772A6000-0x00000000772A7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1240-5-0x0000000002D70000-0x0000000002D71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1240-11-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-10-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1240-26-0x0000000002D50000-0x0000000002D57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1240-25-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2500-79-0x000007FEF65A0000-0x000007FEF66D3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2500-76-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2500-72-0x000007FEF65A0000-0x000007FEF66D3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2996-60-0x000007FEF6BC0000-0x000007FEF6CF3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2996-55-0x000007FEF6BC0000-0x000007FEF6CF3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2996-54-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3044-94-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3044-91-0x000007FEF65A0000-0x000007FEF66D4000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3044-97-0x000007FEF65A0000-0x000007FEF66D4000-memory.dmp

          Filesize

          1.2MB

          Download