Overview

overview

10

Static

static

3

882f81e1b0...18.dll

windows7-x64

10

882f81e1b0...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    15s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    10-08-2024 23:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    882f81e1b065d0ee8b1f09e3c0cf5005_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    882f81e1b065d0ee8b1f09e3c0cf5005

  • SHA1

    d0edf3240ba31504894f85af5f0a3cb3d3fe1a8a

  • SHA256

    a6691293ad0620c03ad88d76e5e032d56eb2101dedef76253168e8555eb37514

  • SHA512

    4c89e56f9f8a583601d6f9dd815a4aa7cfbbff4be8cfee2b4ee8f2ff3af0dc9c3ca3bd955ef1aca1d1b979e5aec6e7b1aa3304f1be2eddfe55cd6ba41a5a5a06

  • SSDEEP

    24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NSt:m9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\882f81e1b065d0ee8b1f09e3c0cf5005_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2544
  • C:\Windows\system32\Utilman.exe
    C:\Windows\system32\Utilman.exe
    1⤵
      PID:1144
    • C:\Users\Admin\AppData\Local\HS3IhbUdl\Utilman.exe
      C:\Users\Admin\AppData\Local\HS3IhbUdl\Utilman.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2664
    • C:\Windows\system32\xpsrchvw.exe
      C:\Windows\system32\xpsrchvw.exe
      1⤵
        PID:960
      • C:\Users\Admin\AppData\Local\8g7nwBq\xpsrchvw.exe
        C:\Users\Admin\AppData\Local\8g7nwBq\xpsrchvw.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2584
      • C:\Windows\system32\TpmInit.exe
        C:\Windows\system32\TpmInit.exe
        1⤵
          PID:2448
        • C:\Users\Admin\AppData\Local\J0N0f\TpmInit.exe
          C:\Users\Admin\AppData\Local\J0N0f\TpmInit.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2560

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8g7nwBq\WINMM.dll
          Filesize

          1.2MB

          MD5

          a72dda259db43f2124d25638bb51d3d7

          SHA1

          e6a815d04b254304fc4a585af8b503e439374f9c

          SHA256

          f4600effb003961b6d11d13f6cc94d713934650037c80a699861e18ec2ae2eb4

          SHA512

          9d35a6811f24f3a99312c8c2e647c56ae4d68ee6b30ec76623022fd4ad5e63314bb17ebcfd3005266a602796c359654a3df9bd456e70a40f360fab6b044bc4a0

          Download Submit

        • C:\Users\Admin\AppData\Local\HS3IhbUdl\DUI70.dll
          Filesize

          1.4MB

          MD5

          5e6555fc24a612885b65e05165a994d0

          SHA1

          3997e1a888dc9f738f9bc414736f56d00c84cad5

          SHA256

          662fff83c013f7a84a22234145611f8dd41156916faff5875a90c668033fd15e

          SHA512

          0b4b314bcdd9391b3bee6f0839d1e1ea76b80012e3c0120aee051cd6e632f3749e738b74c35851e7dba687a1df0d96371dc61c03b9052542f35fef58ca5da8ed

          Download Submit

        • C:\Users\Admin\AppData\Local\J0N0f\Secur32.dll
          Filesize

          1.2MB

          MD5

          f3ee5ba24246135a5529655adcbfb468

          SHA1

          54ceaa127eeb54f4f32a577db5fe6eb7e7bf50b6

          SHA256

          3a9c7109ec5a032556a626c6422abfa48025c2a5e181958272d5fdfd2033ce1a

          SHA512

          dc6fba665ab11aa98196919d51962d9d9ece9b13fd239f18d519190d0ade794adbe3bc1ca5b48db08b43412d4e9f423b83fa9ec02bd5aba2ce1aeeebe040059e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rinzzkcfiw.lnk
          Filesize

          1KB

          MD5

          80df3fac82b23a71ef6b39009f0abb86

          SHA1

          9bbf13967e61e177bd807d68563ed8016e48ccf4

          SHA256

          5a27883c3c9506f98e318dc7e4f50d09f44409980bb581287b532f7a314e6c79

          SHA512

          65173337b43d85c924101cabfa4d9c3ce1d5a613edeb72c1348363f8d633f6379f771afd0ded913c1cc0c0ad1a1432b68020a39c2f68b11e4cb3d9e34c19131e

          Download Submit

        • \Users\Admin\AppData\Local\8g7nwBq\xpsrchvw.exe
          Filesize

          4.6MB

          MD5

          492cb6a624d5dad73ee0294b5db37dd6

          SHA1

          e74806af04a5147ccabfb5b167eb95a0177c43b3

          SHA256

          ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

          SHA512

          63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

          Download Submit

        • \Users\Admin\AppData\Local\HS3IhbUdl\Utilman.exe
          Filesize

          1.3MB

          MD5

          32c5ee55eadfc071e57851e26ac98477

          SHA1

          8f8d0aee344e152424143da49ce2c7badabb8f9d

          SHA256

          7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

          SHA512

          e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

          Download Submit

        • \Users\Admin\AppData\Local\J0N0f\TpmInit.exe
          Filesize

          112KB

          MD5

          8b5eb38e08a678afa129e23129ca1e6d

          SHA1

          a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

          SHA256

          4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

          SHA512

          a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

          Download Submit

        • memory/1192-28-0x0000000077700000-0x0000000077702000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-27-0x0000000077571000-0x0000000077572000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-26-0x00000000021E0000-0x00000000021E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-4-0x0000000077366000-0x0000000077367000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-39-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-5-0x0000000002200000-0x0000000002201000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-57-0x0000000077366000-0x0000000077367000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2544-46-0x000007FEF7810000-0x000007FEF7941000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2544-0-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2544-1-0x000007FEF7810000-0x000007FEF7941000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2560-92-0x000007FEF7820000-0x000007FEF7952000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2560-97-0x000007FEF7820000-0x000007FEF7952000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2584-72-0x000007FEF6C80000-0x000007FEF6DB3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2584-75-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2584-78-0x000007FEF6C80000-0x000007FEF6DB3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2664-60-0x000007FEF7920000-0x000007FEF7A85000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-54-0x000007FEF7920000-0x000007FEF7A85000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2664-58-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download