Overview

overview

10

Static

static

3

7b85a378b5...18.dll

windows7-x64

10

7b85a378b5...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2024 06:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b85a378b5aa0e00ad580ced76cf24c4_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    7b85a378b5aa0e00ad580ced76cf24c4

  • SHA1

    0252c8d455476716c277a75f0ff0846f0ffceba5

  • SHA256

    01ff8188c74308b5694f1f5417b8dc8a2c5ac2fe59b4b10d792273dfd00c40d9

  • SHA512

    79811bfd3cc4afa16bcfb48a2ced69b540b0bb710b6d4a8e0ae2e4e2f0c1349940248ca35ed485254c0e675e2925f1e7a5a2f190ac83cd00daa3ef5d64deb6b2

  • SSDEEP

    24576:auYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:C9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b85a378b5aa0e00ad580ced76cf24c4_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2884
  • C:\Windows\system32\SndVol.exe
    C:\Windows\system32\SndVol.exe
    1⤵
      PID:2632
    • C:\Users\Admin\AppData\Local\NmGvm\SndVol.exe
      C:\Users\Admin\AppData\Local\NmGvm\SndVol.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2676
    • C:\Windows\system32\OptionalFeatures.exe
      C:\Windows\system32\OptionalFeatures.exe
      1⤵
        PID:2324
      • C:\Users\Admin\AppData\Local\R5SXG\OptionalFeatures.exe
        C:\Users\Admin\AppData\Local\R5SXG\OptionalFeatures.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1800
      • C:\Windows\system32\javaws.exe
        C:\Windows\system32\javaws.exe
        1⤵
          PID:2024
        • C:\Users\Admin\AppData\Local\zWN\javaws.exe
          C:\Users\Admin\AppData\Local\zWN\javaws.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2916

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\NmGvm\SndVol.exe
          Filesize

          267KB

          MD5

          c3489639ec8e181044f6c6bfd3d01ac9

          SHA1

          e057c90b675a6da19596b0ac458c25d7440b7869

          SHA256

          a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

          SHA512

          63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

          Download Submit

        • C:\Users\Admin\AppData\Local\NmGvm\UxTheme.dll
          Filesize

          1.2MB

          MD5

          447bdace59cf2ffd51e85841ff7e3513

          SHA1

          bfd6197c394e5ae982f0fb2d3679e6530058ec11

          SHA256

          5cf14f6844ab359fe3066401796a0bada857e6a52e1b52350ca998dad92aee8c

          SHA512

          8449bfcb7e6d33a971bca9ecf534067784534f1549d142bbe71e1b3207758b0519a42aafdac9e924d713615017a103a8fad83b9ab33e4d80b046029f7723afb0

          Download Submit

        • C:\Users\Admin\AppData\Local\R5SXG\appwiz.cpl
          Filesize

          1.2MB

          MD5

          cdeaf6e1076766de28fc850d0c5353cb

          SHA1

          8fad1a33d293fb1a2ded6d05496dd5d86efbeeca

          SHA256

          aa98484545aba8720a1c782f4a52fd09fb4dff32c35d02124784ea4ed6f15de3

          SHA512

          a7ac4878560e49a999758283abd88abd25b46bb276c2a7c7eaf7d6986bf0a7a916d4f11fe8a35a043b01c9b8aecf36f28dcec33d2c304785963250db2b38479a

          Download Submit

        • C:\Users\Admin\AppData\Local\zWN\VERSION.dll
          Filesize

          1.2MB

          MD5

          7b61c775aadaa97ae68bbffa9ee81a55

          SHA1

          a62e3b0bf0226a990f63a440f3992e0a3d2f88f7

          SHA256

          4923722b9a567ee0caca2bb4fba5a3eb51847da7d97ee4af15fe3854f1075203

          SHA512

          d399ea35a8d4b180f845be01c82de5c465c1eab9ed7ee2f280df3c22863d153597b434a700511ad35ba3ad7173e6551c41db50626cd0c857cd15cebf0ad38227

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rinzzkcfiw.lnk
          Filesize

          1KB

          MD5

          a803032422560dbc9d11479f1de2fcb4

          SHA1

          b57d7c72c8a3d5285df56006f73960c1b8660411

          SHA256

          6bb18e800862cd879259b690b301436f4c1e505b2a7ede1c2d73c0a9ca61182c

          SHA512

          77a563baac8dcbc39c413f42a15b94e8597b947dd8377b5b13db706cde4ab3f87d33a2aeecbdee50935be2490d3dc68c2ed517316d9a54d56c85b587c57bb62f

          Download Submit

        • \Users\Admin\AppData\Local\R5SXG\OptionalFeatures.exe
          Filesize

          95KB

          MD5

          eae7af6084667c8f05412ddf096167fc

          SHA1

          0dbe8aba001447030e48e8ad5466fd23481e6140

          SHA256

          01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

          SHA512

          172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

          Download Submit

        • \Users\Admin\AppData\Local\zWN\javaws.exe
          Filesize

          312KB

          MD5

          f94bc1a70c942621c4279236df284e04

          SHA1

          8f46d89c7db415a7f48ccd638963028f63df4e4f

          SHA256

          be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

          SHA512

          60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

          Download Submit

        • memory/1196-28-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-27-0x0000000076E51000-0x0000000076E52000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-4-0x0000000076D46000-0x0000000076D47000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-5-0x00000000029D0000-0x00000000029D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-40-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-26-0x00000000025F0000-0x00000000025F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-54-0x0000000076D46000-0x0000000076D47000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1800-73-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1800-74-0x000007FEF7600000-0x000007FEF7732000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1800-79-0x000007FEF7600000-0x000007FEF7732000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2676-61-0x000007FEFAA90000-0x000007FEFABC2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2676-56-0x000007FEFAA90000-0x000007FEFABC2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2676-55-0x0000000000140000-0x0000000000147000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2884-38-0x000007FEF7600000-0x000007FEF7731000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2884-0-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2884-1-0x000007FEF7600000-0x000007FEF7731000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2916-91-0x0000000000490000-0x0000000000497000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2916-97-0x000007FEF7600000-0x000007FEF7732000-memory.dmp

          Filesize

          1.2MB

          Download