Overview

overview

10

Static

static

3

982fabb733...18.dll

windows7-x64

10

982fabb733...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    14-08-2024 23:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    982fabb733c2a30259122452b2464dd0_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    982fabb733c2a30259122452b2464dd0

  • SHA1

    4b02a19b6354b3274f756d19a1496c1483a27ff1

  • SHA256

    4dcf29b7d5c46b1647550492fea89934c0279562875c1c1f5d2a32eadddfef2f

  • SHA512

    5f48b719565cb370e264d9443e0971f9e275b174caa06002d85f1cd596d3665113fb51b63bc99688d50072d8d4c0adb4eadb182e541dfd374562348e9091974e

  • SSDEEP

    24576:fuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:h9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\982fabb733c2a30259122452b2464dd0_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2176
  • C:\Windows\system32\notepad.exe
    C:\Windows\system32\notepad.exe
    1⤵
      PID:2136
    • C:\Users\Admin\AppData\Local\08nLMZ\notepad.exe
      C:\Users\Admin\AppData\Local\08nLMZ\notepad.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1340
    • C:\Windows\system32\p2phost.exe
      C:\Windows\system32\p2phost.exe
      1⤵
        PID:2696
      • C:\Users\Admin\AppData\Local\mwne6sJx\p2phost.exe
        C:\Users\Admin\AppData\Local\mwne6sJx\p2phost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2520
      • C:\Windows\system32\spreview.exe
        C:\Windows\system32\spreview.exe
        1⤵
          PID:2688
        • C:\Users\Admin\AppData\Local\oNzFDMp\spreview.exe
          C:\Users\Admin\AppData\Local\oNzFDMp\spreview.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2700

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\08nLMZ\VERSION.dll
          Filesize

          1.2MB

          MD5

          a40e7789c5111201e21bf0f40a9324c3

          SHA1

          3e25a747581ee75ebc64fde4bfccfd111b898170

          SHA256

          532ed03a17ba5fb8f49db41d60ae882aa6753c2af61349ca67a36f56b7aa6394

          SHA512

          d89373588c12c855a81b989618d315595745d1b86a237485d7fd26e41a0d5da5d9ae0d0232b5e6b5ad3df70520fa910bf82c635408a6ef182b263c96bafccc16

          Download Submit

        • C:\Users\Admin\AppData\Local\mwne6sJx\P2PCOLLAB.dll
          Filesize

          1.2MB

          MD5

          21ade15624d6bd313f24f80abda17c13

          SHA1

          aecbdb4aebf980ab0390bf02a5f02f1819b39d9d

          SHA256

          bf0acee10e30cc8f6391149d19994b15e7ec3f2a4411512fd92d8b39409c49b8

          SHA512

          eed09fa9ecd3b199320b44f6a4b7f523fed32323a5325f709068c726caf40eee5e7ff25262bc2be1ad14e0413f72df736edfeedad82d6486afb621f683454dde

          Download Submit

        • C:\Users\Admin\AppData\Local\oNzFDMp\WINBRAND.dll
          Filesize

          1.2MB

          MD5

          0c5278cdcf8e70308d979cbaff4ea28a

          SHA1

          daf22255413e317948d0c87e1da9ac41e6d9d646

          SHA256

          92b97ba370fb15acff93902aa176de6014d8e2d9113d913dd02a33a8e5953ea7

          SHA512

          316f9a89b3a20568060922c63ea432bf5264a793b953ee9b89bb5d089d755b4e176fee9edd51b6f7f7ca3a2e3ea3e6e9ccdbf4b5cf86a99c3a4ef8990d54f04b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ngqpewzrrtyksiv.lnk
          Filesize

          1KB

          MD5

          77864fb128983cc19be66e73cfb4c13a

          SHA1

          c3ba8ac537bcbb70a667b07d20c04ba3be292daa

          SHA256

          24a1af1fbb4bc433940926b3b711eaed2ff381a540dbf4e0a0e244f466a96c38

          SHA512

          409f8c29b1dbc6cb48745c7c434de8ef8a95bbc95b4c47af52e122f99cc79890cf40b849e21bbfa4e22834f52bd63f21e3f681d3edeca1dbf6cbd6ea95a58dc7

          Download Submit

        • \Users\Admin\AppData\Local\08nLMZ\notepad.exe
          Filesize

          189KB

          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit

        • \Users\Admin\AppData\Local\mwne6sJx\p2phost.exe
          Filesize

          172KB

          MD5

          0dbd420477352b278dfdc24f4672b79c

          SHA1

          df446f25be33ac60371557717073249a64e04bb2

          SHA256

          1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

          SHA512

          84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

          Download Submit

        • \Users\Admin\AppData\Local\oNzFDMp\spreview.exe
          Filesize

          294KB

          MD5

          704cd4cac010e8e6d8de9b778ed17773

          SHA1

          81856abf70640f102b8b3defe2cf65669fe8e165

          SHA256

          4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

          SHA512

          b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

          Download Submit

        • memory/1208-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-4-0x0000000076E86000-0x0000000076E87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-26-0x0000000077091000-0x0000000077092000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-27-0x0000000077220000-0x0000000077222000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-38-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-5-0x0000000002D80000-0x0000000002D81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-25-0x0000000002D60000-0x0000000002D67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1208-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-64-0x0000000076E86000-0x0000000076E87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1340-59-0x000007FEF67C0000-0x000007FEF68F1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1340-54-0x000007FEF67C0000-0x000007FEF68F1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1340-53-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2176-45-0x000007FEF61B0000-0x000007FEF62E0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2176-3-0x0000000001E10000-0x0000000001E17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2176-0-0x000007FEF61B0000-0x000007FEF62E0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2520-75-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2520-72-0x000007FEF61A0000-0x000007FEF62D1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2520-78-0x000007FEF61A0000-0x000007FEF62D1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2700-93-0x0000000000270000-0x0000000000277000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2700-96-0x000007FEF61A0000-0x000007FEF62D1000-memory.dmp

          Filesize

          1.2MB

          Download