Overview

overview

10

Static

static

3

9451d3c072...18.dll

windows7-x64

10

9451d3c072...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    13-08-2024 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9451d3c0720234ff8d9c569a4aad8091_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    9451d3c0720234ff8d9c569a4aad8091

  • SHA1

    93bbf76f507f8cb828ce56565b2c49f24cdc833e

  • SHA256

    563a650a72c772c648f6b34055b1d31c379fa7beef40d6eba02aa25b5a7316d2

  • SHA512

    21682d7762390f1504933c3e1a978d806a2334f43f5ac6d6d2c575bbfd950c1dc8eb8b4cd4216a893f23b3cc814cbe48e6e493c5da6cb998960a19edce17f88d

  • SSDEEP

    24576:quYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:y9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9451d3c0720234ff8d9c569a4aad8091_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2752
  • C:\Windows\system32\xpsrchvw.exe
    C:\Windows\system32\xpsrchvw.exe
    1⤵
      PID:2360
    • C:\Users\Admin\AppData\Local\WHEp\xpsrchvw.exe
      C:\Users\Admin\AppData\Local\WHEp\xpsrchvw.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:264
    • C:\Windows\system32\tcmsetup.exe
      C:\Windows\system32\tcmsetup.exe
      1⤵
        PID:2516
      • C:\Users\Admin\AppData\Local\Tug\tcmsetup.exe
        C:\Users\Admin\AppData\Local\Tug\tcmsetup.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2856
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        1⤵
          PID:3036
        • C:\Users\Admin\AppData\Local\ux7\wermgr.exe
          C:\Users\Admin\AppData\Local\ux7\wermgr.exe
          1⤵
          • Executes dropped EXE
          PID:3040
        • C:\Windows\system32\dvdupgrd.exe
          C:\Windows\system32\dvdupgrd.exe
          1⤵
            PID:2896
          • C:\Users\Admin\AppData\Local\fPr3\dvdupgrd.exe
            C:\Users\Admin\AppData\Local\fPr3\dvdupgrd.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2860

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Tug\TAPI32.dll
            Filesize

            1.2MB

            MD5

            fd1a7bd6cb592731b2a72a3c13b5a64b

            SHA1

            1e9a3a1757866e49d39dfdd615b14e7f4bef720e

            SHA256

            5eaa79f0c49ab526dab5815a382fdf33e40b269b3a3934e1eb537c0aa0b28058

            SHA512

            0612019dff80d30a696c40c91c7d245543f1c49c8b96b3a8ec002179b2f5c608194055850788033fd76c612149360317448f3e5b3e66c475840f9c0fc40519e3

            Download Submit

          • C:\Users\Admin\AppData\Local\WHEp\WINMM.dll
            Filesize

            1.2MB

            MD5

            bfce1946da72a87c75a4110cdc31ff9d

            SHA1

            086917f11c0e649f6d4181f72f976d1eec327529

            SHA256

            90f8e467f47a70a717a6760a3a6521d7786a20ca317770327f264f9249005254

            SHA512

            cce4adaf2eb0caeff8b219a115cbe37cc42a020d08c3b60dc7b6043474ea6617d70d5472ef4aaa8c67a72aa2b3a1ccdc9d1e08fd1a6f23fb4f9c0049ff176f36

            Download Submit

          • C:\Users\Admin\AppData\Local\fPr3\VERSION.dll
            Filesize

            1.2MB

            MD5

            95a7a506fa779ba6c33c9a96c7daeb3c

            SHA1

            3465cef5d5a9a3ba2e61b58d650afdb3645217c8

            SHA256

            f8abb3877570a77e57ae47aec3c927c669ee6b2dc2bedbdee5bf1f52d61aac81

            SHA512

            2a2860fa4daec27ac17e2cb94a4618a048c894d3f76dd047b92d2b4a7a8a0806cec12ba66171c20829103f3619fc1bd2a4a8d9de56629e14c92bdb76febcb1c5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Joeqzcwrjre.lnk
            Filesize

            1KB

            MD5

            b9a5597f45ac2d398e5cc03dec34ea58

            SHA1

            55c6fa243a1dbcbda44683a2c4a997cffa0626a2

            SHA256

            4161318a3fb6dbbf38453c11decfd2f1ccb9826d85bd41f96e199943dc1d0b45

            SHA512

            352dee0eb2b9bdb8a0d882bce38d2db59464a2c169d7d31305eb949789d6e83d5b0c124edaa41fc4e286a74846568675ff93effb1d8333df0e71145c0285a59a

            Download Submit

          • \Users\Admin\AppData\Local\Tug\tcmsetup.exe
            Filesize

            15KB

            MD5

            0b08315da0da7f9f472fbab510bfe7b8

            SHA1

            33ba48fd980216becc532466a5ff8476bec0b31c

            SHA256

            e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

            SHA512

            c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

            Download Submit

          • \Users\Admin\AppData\Local\WHEp\xpsrchvw.exe
            Filesize

            4.6MB

            MD5

            492cb6a624d5dad73ee0294b5db37dd6

            SHA1

            e74806af04a5147ccabfb5b167eb95a0177c43b3

            SHA256

            ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

            SHA512

            63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

            Download Submit

          • \Users\Admin\AppData\Local\fPr3\dvdupgrd.exe
            Filesize

            25KB

            MD5

            75a9b4172eac01d9648c6d2133af952f

            SHA1

            63c7e1af762d2b584e9cc841e8b0100f2a482b81

            SHA256

            18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

            SHA512

            5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

            Download Submit

          • \Users\Admin\AppData\Local\ux7\wermgr.exe
            Filesize

            49KB

            MD5

            41df7355a5a907e2c1d7804ec028965d

            SHA1

            453263d230c6317eb4a2eb3aceeec1bbcf5e153d

            SHA256

            207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

            SHA512

            59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

            Download Submit

          • memory/264-59-0x000007FEF67E0000-0x000007FEF6913000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/264-57-0x00000000000A0000-0x00000000000A7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/264-54-0x000007FEF67E0000-0x000007FEF6913000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-16-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-85-0x0000000077636000-0x0000000077637000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1200-12-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-11-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-9-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-8-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-31-0x00000000778D0000-0x00000000778D2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1200-30-0x0000000077741000-0x0000000077742000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1200-39-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-37-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-4-0x0000000077636000-0x0000000077637000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1200-17-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-25-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-5-0x0000000002E20000-0x0000000002E21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1200-26-0x0000000002E00000-0x0000000002E07000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1200-15-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-13-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-10-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-7-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1200-14-0x0000000140000000-0x0000000140131000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2752-0-0x000007FEF67E0000-0x000007FEF6911000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2752-46-0x000007FEF67E0000-0x000007FEF6911000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2752-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2856-89-0x000007FEF67E0000-0x000007FEF6913000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2856-86-0x0000000001AC0000-0x0000000001AC7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2860-110-0x000007FEF67E0000-0x000007FEF6912000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2860-115-0x000007FEF67E0000-0x000007FEF6912000-memory.dmp

            Filesize

            1.2MB

            Download