Overview

overview

10

Static

static

3

72fb9a4545...18.dll

windows7-x64

10

72fb9a4545...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    30-07-2024 14:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72fb9a4545e473d7d94fe766e6654729_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    72fb9a4545e473d7d94fe766e6654729

  • SHA1

    eaffdc1dc71421e6f523456e2ecf7fd0ae60b2f2

  • SHA256

    9098e782f34228349487ef9250a37c00874cb70ef152d48ac89125ad23c899fc

  • SHA512

    740ab9c74701d3c280354c596e458fa05e795527c9bf522f87949abf13602db822e485f639c89d0a9996bfcb5782aa30040afcd75a9ac51c64ad2b2c349802c9

  • SSDEEP

    24576:juYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:N9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\72fb9a4545e473d7d94fe766e6654729_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2524
  • C:\Windows\system32\SndVol.exe
    C:\Windows\system32\SndVol.exe
    1⤵
      PID:2812
    • C:\Users\Admin\AppData\Local\gzsGxb\SndVol.exe
      C:\Users\Admin\AppData\Local\gzsGxb\SndVol.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2776
    • C:\Windows\system32\ComputerDefaults.exe
      C:\Windows\system32\ComputerDefaults.exe
      1⤵
        PID:2648
      • C:\Users\Admin\AppData\Local\pNX\ComputerDefaults.exe
        C:\Users\Admin\AppData\Local\pNX\ComputerDefaults.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2688
      • C:\Windows\system32\WFS.exe
        C:\Windows\system32\WFS.exe
        1⤵
          PID:908
        • C:\Users\Admin\AppData\Local\7Qgp2ljnP\WFS.exe
          C:\Users\Admin\AppData\Local\7Qgp2ljnP\WFS.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:580

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\7Qgp2ljnP\WFS.exe
          Filesize

          951KB

          MD5

          a943d670747778c7597987a4b5b9a679

          SHA1

          c48b760ff9762205386563b93e8884352645ef40

          SHA256

          1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

          SHA512

          3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

          Download Submit

        • C:\Users\Admin\AppData\Local\gzsGxb\SndVol.exe
          Filesize

          267KB

          MD5

          c3489639ec8e181044f6c6bfd3d01ac9

          SHA1

          e057c90b675a6da19596b0ac458c25d7440b7869

          SHA256

          a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

          SHA512

          63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

          Download Submit

        • C:\Users\Admin\AppData\Local\pNX\ComputerDefaults.exe
          Filesize

          36KB

          MD5

          86bd981f55341273753ac42ea200a81e

          SHA1

          14fe410efc9aeb0a905b984ac27719ff0dd10ea7

          SHA256

          40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

          SHA512

          49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Acjenwgziemamyd.lnk
          Filesize

          1KB

          MD5

          b13f34b824123e371dbb5b3b965509ea

          SHA1

          421a9653804c2e66663d39866fffefff3a15efb2

          SHA256

          f25fab4a1b259af5c0c46018e7cb73758ac79af53cc5be1be768a789602b4dc5

          SHA512

          d92f5075c71868ebfd8c0bd7ea7e6ece51387a18f133a7c918503bc42883410cc702076de54262d0f632c12fa44bf0273e295498edbe689cc0b15904c5609a88

          Download Submit

        • \Users\Admin\AppData\Local\7Qgp2ljnP\MFC42u.dll
          Filesize

          1.2MB

          MD5

          a8f1d5b95d1674b9d1aef05cc6fc9ed4

          SHA1

          62d7b022b5d66ac547ddc8d49a6ff4b6504bf3ca

          SHA256

          3d5107c01db3fade830b30e626cb6691cf49aeffa473af2e0270b1f3d92ae2e2

          SHA512

          a636f96918bb109b7f4b48bfe3c4d6a3b3a801d260b6a9c4d74bcb0ad4d579d20ad2fb9f1c0bf013cb4c3c53f35778dd13535372e3b75b08110a001deae2a439

          Download Submit

        • \Users\Admin\AppData\Local\gzsGxb\UxTheme.dll
          Filesize

          1.2MB

          MD5

          248063bd4c6262a3db49997b02f24f8c

          SHA1

          cd234d9c96b4c6fd7221af5442e6d5e7adfbf098

          SHA256

          b63036a18a4a6922714c9c1636b1b8acc2378120c986433ea0bdbd513c5f9e68

          SHA512

          cb14a94be9a2fdd4f28ccef594eb16b5812fb2a7517519bc8eaf0af4935e0c0a870652f692a5a006e069a8bd588b5428398efc22476560394396b11f49046437

          Download Submit

        • \Users\Admin\AppData\Local\pNX\appwiz.cpl
          Filesize

          1.2MB

          MD5

          db2041837bd104bc4d8bb73d9fbd4618

          SHA1

          be7466a012437613a0561b9d294e516aa05597b1

          SHA256

          f0686a464f4c8f8cc642769f0f9a97913dfd7f27ef917f456601479858303e97

          SHA512

          a489ea51a39dabf0997e6feb8dbe11bcca5d405eba64b251984a020a526354cc181879d7635eafcb5888400b1d214f04e46d1aa16bacf41edde90510d387305f

          Download Submit

        • memory/580-91-0x000007FEF6B70000-0x000007FEF6CA8000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/580-96-0x000007FEF6B70000-0x000007FEF6CA8000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/580-94-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1212-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-29-0x0000000077D70000-0x0000000077D72000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1212-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-24-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-4-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-5-0x0000000002F40000-0x0000000002F41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1212-28-0x0000000077BE1000-0x0000000077BE2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-65-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-25-0x0000000002DD0000-0x0000000002DD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1212-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2524-45-0x000007FEF6B70000-0x000007FEF6CA1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2524-0-0x000007FEF6B70000-0x000007FEF6CA1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2524-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2688-79-0x000007FEF6B70000-0x000007FEF6CA2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2688-73-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2688-74-0x000007FEF6B70000-0x000007FEF6CA2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2776-53-0x000007FEF72F0000-0x000007FEF7422000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2776-56-0x0000000000260000-0x0000000000267000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2776-58-0x000007FEF72F0000-0x000007FEF7422000-memory.dmp

          Filesize

          1.2MB

          Download