Overview

overview

10

Static

static

3

7ef24c1f5e...18.dll

windows7-x64

10

7ef24c1f5e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-08-2024 03:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ef24c1f5e48c05ea044e0526927416a_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    7ef24c1f5e48c05ea044e0526927416a

  • SHA1

    a6d769d027f54f788a6b4d81050de84b8250d948

  • SHA256

    604afec896aa6be5676ddf766bcf16e56c6822c5078cc40480bee754b305ff8c

  • SHA512

    6cedb29f93c705d9125d4acfc45c827ff06a703f21fbf650a204f20b0e0c9110eaf429e69dfcd96a0e10121849219494e523ec610fa3669719aa8d64ef29d583

  • SSDEEP

    24576:LuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:V9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7ef24c1f5e48c05ea044e0526927416a_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:696
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    1⤵
      PID:3424
    • C:\Users\Admin\AppData\Local\ckVh\perfmon.exe
      C:\Users\Admin\AppData\Local\ckVh\perfmon.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:372
    • C:\Windows\system32\CustomShellHost.exe
      C:\Windows\system32\CustomShellHost.exe
      1⤵
        PID:2332
      • C:\Users\Admin\AppData\Local\TCk3CVs\CustomShellHost.exe
        C:\Users\Admin\AppData\Local\TCk3CVs\CustomShellHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3964
      • C:\Windows\system32\DWWIN.EXE
        C:\Windows\system32\DWWIN.EXE
        1⤵
          PID:1088
        • C:\Users\Admin\AppData\Local\IrJkJ0\DWWIN.EXE
          C:\Users\Admin\AppData\Local\IrJkJ0\DWWIN.EXE
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1460

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IrJkJ0\DWWIN.EXE
          Filesize

          229KB

          MD5

          444cc4d3422a0fdd45c1b78070026c60

          SHA1

          97162ff341fff1ec54b827ec02f8b86fd2d41a97

          SHA256

          4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

          SHA512

          21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

          Download Submit

        • C:\Users\Admin\AppData\Local\IrJkJ0\VERSION.dll
          Filesize

          1.2MB

          MD5

          0c449e2e82cc89bf03cce1d61675fcc0

          SHA1

          ee403c0f8bc1bfe53a3187636a05606bf02b0909

          SHA256

          e1290c1dbd89d785b9a16aefac9aff59b6817d3ca67ea794876677a8467bdcef

          SHA512

          be550d00501b5db7d36ab28e7fffa54920a4d476b799e6f5def3cfa5ef1fc5c73f78e3234f959ca661166c83fcb4d5eff3918ea4fa6dbc0c3c1a46fb7f8f8b6a

          Download Submit

        • C:\Users\Admin\AppData\Local\TCk3CVs\CustomShellHost.exe
          Filesize

          835KB

          MD5

          70400e78b71bc8efdd063570428ae531

          SHA1

          cd86ecd008914fdd0389ac2dc00fe92d87746096

          SHA256

          91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

          SHA512

          53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

          Download Submit

        • C:\Users\Admin\AppData\Local\TCk3CVs\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          f59f4cad069d8cc92d72240b6134cd09

          SHA1

          9d2c6b0fd3360b8b1f68655a085c7a3d7a661d39

          SHA256

          fab67fc34f93a4152da93adbf0d13adc48787fa2a84baf39e66d338c89509e00

          SHA512

          541cf5308df72bc81dd0de33d03fd10c3023b4e9701ffa93192c3904f4cb6ca63aa97e7ced5e3c614f06e696bd8735ec2cf497d5ce6e64bb283813c6945352db

          Download Submit

        • C:\Users\Admin\AppData\Local\ckVh\credui.dll
          Filesize

          1.2MB

          MD5

          8f681e84f9b40ea43da0b3901b7fd946

          SHA1

          93a7766145f7eb744efdc2d32533f42874140837

          SHA256

          24e4b9d13432c59ca5cb10c8e9e1405bc25392d5eed8c1b105947183efb19a09

          SHA512

          92a5653e9255d6f1c2d31eaf365f6b9e49d418d9ca8c5415fecde9f76a4f05550840921985a20361b6a04cdce5b5bcb49aba57923c3509cd962b3c291a30caa8

          Download Submit

        • C:\Users\Admin\AppData\Local\ckVh\perfmon.exe
          Filesize

          177KB

          MD5

          d38aa59c3bea5456bd6f95c73ad3c964

          SHA1

          40170eab389a6ba35e949f9c92962646a302d9ef

          SHA256

          5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

          SHA512

          59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Evbxgkmeevkeagz.lnk
          Filesize

          1KB

          MD5

          2aca3ad19a246ee39098713b7468f2cb

          SHA1

          426e1c31b001313e743901cfb2a97fe5587fb006

          SHA256

          a33997fe14154fa41e3c0302df364b4389d4df8976ec34b8aaa0973e27358caf

          SHA512

          c0fa2baab161eabff8f2d94614097fb336016dbd7f955da65c27d86c91b0e67c1424cf78c7be4000cbe26a417e2fd8ad06d0829b20956474e927827106d02ae9

          Download Submit

        • memory/372-51-0x00007FFDDD790000-0x00007FFDDD8C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/372-46-0x00007FFDDD790000-0x00007FFDDD8C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/372-45-0x00000230C5AC0000-0x00000230C5AC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/696-3-0x0000000002BA0000-0x0000000002BA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/696-1-0x00007FFDDD7A0000-0x00007FFDDD8D0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/696-38-0x00007FFDDD7A0000-0x00007FFDDD8D0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1460-87-0x00007FFDDD790000-0x00007FFDDD8C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1460-84-0x000001F7A9FE0000-0x000001F7A9FE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3460-33-0x0000000002380000-0x0000000002387000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3460-32-0x00007FFDEB60A000-0x00007FFDEB60B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3460-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-4-0x0000000002440000-0x0000000002441000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3460-6-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-34-0x00007FFDECF90000-0x00007FFDECFA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3460-23-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3964-67-0x000001A8C6540000-0x000001A8C6547000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3964-68-0x00007FFDDD790000-0x00007FFDDD8C1000-memory.dmp

          Filesize

          1.2MB

          Download