Overview

overview

10

Static

static

3

7ef24c1f5e...18.dll

windows7-x64

10

7ef24c1f5e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    01-08-2024 03:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ef24c1f5e48c05ea044e0526927416a_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    7ef24c1f5e48c05ea044e0526927416a

  • SHA1

    a6d769d027f54f788a6b4d81050de84b8250d948

  • SHA256

    604afec896aa6be5676ddf766bcf16e56c6822c5078cc40480bee754b305ff8c

  • SHA512

    6cedb29f93c705d9125d4acfc45c827ff06a703f21fbf650a204f20b0e0c9110eaf429e69dfcd96a0e10121849219494e523ec610fa3669719aa8d64ef29d583

  • SSDEEP

    24576:LuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:V9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7ef24c1f5e48c05ea044e0526927416a_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2584
  • C:\Windows\system32\rdrleakdiag.exe
    C:\Windows\system32\rdrleakdiag.exe
    1⤵
      PID:2780
    • C:\Users\Admin\AppData\Local\ELTvYN\rdrleakdiag.exe
      C:\Users\Admin\AppData\Local\ELTvYN\rdrleakdiag.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1900
    • C:\Windows\system32\iexpress.exe
      C:\Windows\system32\iexpress.exe
      1⤵
        PID:2264
      • C:\Users\Admin\AppData\Local\zZWBXNn\iexpress.exe
        C:\Users\Admin\AppData\Local\zZWBXNn\iexpress.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:664
      • C:\Windows\system32\spreview.exe
        C:\Windows\system32\spreview.exe
        1⤵
          PID:2044
        • C:\Users\Admin\AppData\Local\WUPI5ylp\spreview.exe
          C:\Users\Admin\AppData\Local\WUPI5ylp\spreview.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:276

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ELTvYN\wer.dll
          Filesize

          1.2MB

          MD5

          6cc254d31580defe7f9eb6f4a4581d98

          SHA1

          0337b740bbbec7cb728cd5a43a8440b19ec7b5a7

          SHA256

          7db1b8aa4a659a98bdff19816a6ca37251d12ff8e46932e25716a31f06affb15

          SHA512

          148f5f1ed9d0c264fe6c9dfdda8e0754871173a3532a778131d1cc5ac64c5c1f700551605402340d043834c14be3f09cae939eaa575ead0578380f20fbeeecc7

          Download Submit

        • C:\Users\Admin\AppData\Local\WUPI5ylp\spreview.exe
          Filesize

          294KB

          MD5

          704cd4cac010e8e6d8de9b778ed17773

          SHA1

          81856abf70640f102b8b3defe2cf65669fe8e165

          SHA256

          4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

          SHA512

          b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

          Download Submit

        • C:\Users\Admin\AppData\Local\WUPI5ylp\sqmapi.dll
          Filesize

          1.2MB

          MD5

          85c4e0fe52fc81009ef731b736dcf64e

          SHA1

          8f17a5075ace5986d7fbb8cacf4f2e8b0d1d0231

          SHA256

          f4d5c617fa2210db6a01b1736c7bfec68d02d00e71e6fbb40110d2b91e9eee22

          SHA512

          f3122d65ed4098dd0907518b8cd39301542d3c1b2d6977757fee614dc52b4936dba4a0bc5e6088934b69260034b684572ee06a0b6f1cb67fee396dbd69bd997c

          Download Submit

        • C:\Users\Admin\AppData\Local\zZWBXNn\VERSION.dll
          Filesize

          1.2MB

          MD5

          ec6e9ba5ed7f8e71c86f9d66440c93ce

          SHA1

          212fc8a98e2ba0db0e1b1da6b87c2ef01cd6f8fd

          SHA256

          fdf443a752bd198fd7c259f180bacc913d1114bcb5636c04862779414ca27442

          SHA512

          2ecdf0964b468b3995c2081659c7f02afabe6bf4e1b81cb0df47ef440e0588dd974ea645b441f4e0afe5ee08845fabd7c761a554534fa9b5437f435dea491442

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk
          Filesize

          1KB

          MD5

          b5166223bc5e0348f49c05ac119bfbc4

          SHA1

          7633bbbd81f7f820f1e191134bff882bbded1082

          SHA256

          7356bc11da2261d871b9722a3fa1aa53057c1fe3c6286ed64c5b60083062d82c

          SHA512

          01c9d5eb1c28e18f60f96f02706d66a21e1b69e0a8e04a4c693c83618004d243221746db8e94112d43365a556b936fafebfcc49a94a07f0f8f2916fdb201eedd

          Download Submit

        • \Users\Admin\AppData\Local\ELTvYN\rdrleakdiag.exe
          Filesize

          39KB

          MD5

          5e058566af53848541fa23fba4bb5b81

          SHA1

          769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

          SHA256

          ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

          SHA512

          352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

          Download Submit

        • \Users\Admin\AppData\Local\zZWBXNn\iexpress.exe
          Filesize

          163KB

          MD5

          46fd16f9b1924a2ea8cd5c6716cc654f

          SHA1

          99284bc91cf829e9602b4b95811c1d72977700b6

          SHA256

          9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

          SHA512

          52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

          Download Submit

        • memory/276-93-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/276-90-0x000007FEF7450000-0x000007FEF7581000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/276-96-0x000007FEF7450000-0x000007FEF7581000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/664-75-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/664-71-0x000007FEF7070000-0x000007FEF71A1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/664-78-0x000007FEF7070000-0x000007FEF71A1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-29-0x0000000077E60000-0x0000000077E62000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-28-0x0000000077CD1000-0x0000000077CD2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-37-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-4-0x0000000077BC6000-0x0000000077BC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-5-0x0000000002F10000-0x0000000002F11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-74-0x0000000077BC6000-0x0000000077BC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-25-0x0000000002E70000-0x0000000002E77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1900-59-0x000007FEF7B00000-0x000007FEF7C31000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1900-56-0x0000000001AC0000-0x0000000001AC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1900-53-0x000007FEF7B00000-0x000007FEF7C31000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2584-0-0x000007FEF7AB0000-0x000007FEF7BE0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2584-45-0x000007FEF7AB0000-0x000007FEF7BE0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2584-3-0x00000000003B0000-0x00000000003B7000-memory.dmp

          Filesize

          28KB

          Download