Overview

overview

10

Static

static

3

799a60a131...18.dll

windows7-x64

10

799a60a131...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    30-07-2024 18:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    799a60a13199faa45a6c016aa9721706_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    799a60a13199faa45a6c016aa9721706

  • SHA1

    c572d26d09ad7f652f1327e3a3c2caa8358ee55b

  • SHA256

    7c708981d426ade7e53c8627a4ae6994591f2ea2787291535cf782aefbd588cc

  • SHA512

    c8a70ac097d28c18cfb1b0176d8c45323cd0752f7d9076196bf62b123fbff62896aba4052d687dab27e4aaf8d4fe7d9487b05bbf308e385adfab2533186c3356

  • SSDEEP

    24576:iuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:q9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\799a60a13199faa45a6c016aa9721706_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2672
  • C:\Windows\system32\TpmInit.exe
    C:\Windows\system32\TpmInit.exe
    1⤵
      PID:2208
    • C:\Users\Admin\AppData\Local\Nb0K\TpmInit.exe
      C:\Users\Admin\AppData\Local\Nb0K\TpmInit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2844
    • C:\Windows\system32\StikyNot.exe
      C:\Windows\system32\StikyNot.exe
      1⤵
        PID:2368
      • C:\Users\Admin\AppData\Local\vxQy\StikyNot.exe
        C:\Users\Admin\AppData\Local\vxQy\StikyNot.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2908
      • C:\Windows\system32\rstrui.exe
        C:\Windows\system32\rstrui.exe
        1⤵
          PID:2656
        • C:\Users\Admin\AppData\Local\aJp6wN\rstrui.exe
          C:\Users\Admin\AppData\Local\aJp6wN\rstrui.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1144

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Nb0K\ACTIVEDS.dll
          Filesize

          1.2MB

          MD5

          36910fa55d65e141a982dfc50404ba21

          SHA1

          1b608dfee769762c30cd862bce60f2602612d311

          SHA256

          582a10161c91b9fc3a830bff17b607795eb75f1cd9f3232b45c54304c519a5f9

          SHA512

          0839587fd945be00e447da9fdd2e14c446146fc74589876701fd067e9ef4f7d7776f32b98ce95fc3972ee0403e426c06458bc427e1fb12aa8f1a6bf187cac275

          Download Submit

        • C:\Users\Admin\AppData\Local\aJp6wN\rstrui.exe
          Filesize

          290KB

          MD5

          3db5a1eace7f3049ecc49fa64461e254

          SHA1

          7dc64e4f75741b93804cbae365e10dc70592c6a9

          SHA256

          ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

          SHA512

          ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

          Download Submit

        • C:\Users\Admin\AppData\Local\vxQy\UxTheme.dll
          Filesize

          1.2MB

          MD5

          e3c0a4b74f5bc32ca5985d3ea3a8c230

          SHA1

          6dd4b1e85fbb7a957667949d0cb0eab18880b889

          SHA256

          e0b2ce03e836fa14afc45a9cef5e63fad13057e0e1ba25d578d619ae33c1e3f2

          SHA512

          809ac646b29f16bb1551e6f6321dac2eec2e2343e6dfc022d141ecf3b3b4f5197895ba481320b4cd5fcabb1c008a03aba1009a2774c82dace1264baf07518827

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Filabyuswgwl.lnk
          Filesize

          1024B

          MD5

          3ccdf593b99cce99d3d85c8218dcbfdd

          SHA1

          6aa550078ccd70861ccff506e2140bdb3ca88475

          SHA256

          8d8994628579aeba22b86136442ab195d7ae29bbe6df4946aef4a69efc0e55de

          SHA512

          c9a513b7830722f735e06aedda8c5d16c3b27c7f836028a0596a8c71b70ce98413226628075a1ef76adba42ff2b4291cf45848466e9808a526040a1c0f6155d7

          Download Submit

        • \Users\Admin\AppData\Local\Nb0K\TpmInit.exe
          Filesize

          112KB

          MD5

          8b5eb38e08a678afa129e23129ca1e6d

          SHA1

          a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

          SHA256

          4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

          SHA512

          a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

          Download Submit

        • \Users\Admin\AppData\Local\aJp6wN\SRCORE.dll
          Filesize

          1.2MB

          MD5

          3e9bda70dcb0047cd24f90505e4fc719

          SHA1

          19463bc70018ea5cb8bcd1251b56a384a3381178

          SHA256

          f8c6c7686a791fb2e1e8eb0b092647654345f8b09ec90c10afbe66200199ccf3

          SHA512

          f436ecca83fa27cf32db2eb7a77566043cf37b539b853231c100115b1f54af6f5b630070c15b8407b5cb55865d289d85b8d715d6f2af512ca97b7d5225a402bf

          Download Submit

        • \Users\Admin\AppData\Local\vxQy\StikyNot.exe
          Filesize

          417KB

          MD5

          b22cb67919ebad88b0e8bb9cda446010

          SHA1

          423a794d26d96d9f812d76d75fa89bffdc07d468

          SHA256

          2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

          SHA512

          f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

          Download Submit

        • memory/1144-96-0x000007FEF7090000-0x000007FEF71C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1144-93-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1324-28-0x0000000076F90000-0x0000000076F92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1324-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-27-0x0000000076E01000-0x0000000076E02000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1324-26-0x0000000002080000-0x0000000002087000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1324-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-4-0x0000000076BF6000-0x0000000076BF7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1324-38-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-5-0x00000000020A0000-0x00000000020A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1324-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-65-0x0000000076BF6000-0x0000000076BF7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1324-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2672-46-0x000007FEF7080000-0x000007FEF71B1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2672-0-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2672-2-0x000007FEF7080000-0x000007FEF71B1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2844-60-0x000007FEF71C0000-0x000007FEF72F2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2844-54-0x000007FEF71C0000-0x000007FEF72F2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2844-57-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2908-73-0x000007FEF7090000-0x000007FEF71C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2908-78-0x000007FEF7090000-0x000007FEF71C2000-memory.dmp

          Filesize

          1.2MB

          Download