Overview

overview

10

Static

static

3

967a503506...18.dll

windows7-x64

10

967a503506...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14-08-2024 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    967a503506ff447b27fe29ef9b72c2c1_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    967a503506ff447b27fe29ef9b72c2c1

  • SHA1

    b6378a7ad579db6ba868da3c051f6d38b7077094

  • SHA256

    93524ff07e2650a8134290cd0c894af2b4855d4654788141ee640f34109f1ea2

  • SHA512

    d7fbf7538148c5f22c51b82e9c98da414e322fb915f2fb3d103466abe7c35a4753b39eec181ceec22e381f091aaeed3c64007721e0e85119410c6c1b87093b1a

  • SSDEEP

    24576:quYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:y9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\967a503506ff447b27fe29ef9b72c2c1_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1908
  • C:\Windows\system32\wextract.exe
    C:\Windows\system32\wextract.exe
    1⤵
      PID:2764
    • C:\Users\Admin\AppData\Local\gCLyXoJQF\wextract.exe
      C:\Users\Admin\AppData\Local\gCLyXoJQF\wextract.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2632
    • C:\Windows\system32\sigverif.exe
      C:\Windows\system32\sigverif.exe
      1⤵
        PID:2720
      • C:\Users\Admin\AppData\Local\hExwprja\sigverif.exe
        C:\Users\Admin\AppData\Local\hExwprja\sigverif.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2216
      • C:\Windows\system32\irftp.exe
        C:\Windows\system32\irftp.exe
        1⤵
          PID:1980
        • C:\Users\Admin\AppData\Local\K1KMI\irftp.exe
          C:\Users\Admin\AppData\Local\K1KMI\irftp.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1324

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\K1KMI\WINMM.dll
          Filesize

          1.2MB

          MD5

          59aa1248d2eeea83f182a363486f80f3

          SHA1

          c98c85fd9721d3897b2e20921606c63aeee416f1

          SHA256

          571fd4b7ecc3e63344e6a2c964a554b8487f48a35f283c3494c8ab8202f5fd19

          SHA512

          0dae8e5676763de41c2aa313daaf2091125012cf7a559da68940fee3784c614fd82b2aea3d72e4b2a7b601184b5718cbe75b0c9a70e4bfa45476e5a7a2b65ea0

          Download Submit

        • C:\Users\Admin\AppData\Local\gCLyXoJQF\VERSION.dll
          Filesize

          1.2MB

          MD5

          92359e5db622a6ec3895d93146276cf7

          SHA1

          e45b165c9c4bcab31f9873015dba146033f04914

          SHA256

          bab61d17b906089fc1a896c8b3388ee0bba00191813de997fac5c198c87530ed

          SHA512

          621fb89b608c150234b7750fc55fb16b19e1b65ca764a47afbd37a885cbbde4ba0f67b4d2705d6804b06268d09dfd64361427f168c6e093ad1a8a7f9227ab7ce

          Download Submit

        • C:\Users\Admin\AppData\Local\hExwprja\VERSION.dll
          Filesize

          1.2MB

          MD5

          6ad24a189aa862a484484d7ec1f0a807

          SHA1

          e67f3d6f07f024b966cf8037fd75771d87dfa980

          SHA256

          8963a1e751d6e7c3f840354efecb369618fc64cf852db713d966d4a4b48c3057

          SHA512

          75d66b4fa11aed45924fa14d2bb4199e6b851b41d36501e53b07fbb8596e1a9ae1ded3e621456b2464d33052a042e3a63bb8e3e3179a65425d25297d6cb5bae6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dwxzrb.lnk
          Filesize

          1KB

          MD5

          1a9ea09a06da7c73002eaf6a045a5e39

          SHA1

          0d92e56ed7fc52c7e41db098cf52b94e3587132e

          SHA256

          a16cb297fd9859c9ef3bd573beb0bd048175afbfc0b1c1dc998d1d9de4f258de

          SHA512

          0393f79857d5637db849b28ec09c668986e0c27cd0013490c9bbea000912bf75f030434aa0df52886b7a10c2a95f24f48aedcb162116c996f3b415d72a987c2a

          Download Submit

        • \Users\Admin\AppData\Local\K1KMI\irftp.exe
          Filesize

          192KB

          MD5

          0cae1fb725c56d260bfd6feba7ae9a75

          SHA1

          102ac676a1de3ec3d56401f8efd518c31c8b0b80

          SHA256

          312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

          SHA512

          db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

          Download Submit

        • \Users\Admin\AppData\Local\gCLyXoJQF\wextract.exe
          Filesize

          140KB

          MD5

          1ea6500c25a80e8bdb65099c509af993

          SHA1

          6a090ef561feb4ae1c6794de5b19c5e893c4aafc

          SHA256

          99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

          SHA512

          b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

          Download Submit

        • \Users\Admin\AppData\Local\hExwprja\sigverif.exe
          Filesize

          73KB

          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

          Download Submit

        • memory/1192-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-4-0x0000000077116000-0x0000000077117000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-30-0x00000000774B0000-0x00000000774B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-29-0x0000000077321000-0x0000000077322000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-38-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-5-0x0000000002D90000-0x0000000002D91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-75-0x0000000077116000-0x0000000077117000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-26-0x00000000025C0000-0x00000000025C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1324-91-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1324-93-0x000007FEF60A0000-0x000007FEF61D3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1324-97-0x000007FEF60A0000-0x000007FEF61D3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1908-46-0x000007FEF61F0000-0x000007FEF6321000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1908-3-0x0000000001D00000-0x0000000001D07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1908-0-0x000007FEF61F0000-0x000007FEF6321000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2216-72-0x000007FEF61F0000-0x000007FEF6322000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2216-76-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2216-79-0x000007FEF61F0000-0x000007FEF6322000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2632-60-0x000007FEF69C0000-0x000007FEF6AF2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2632-57-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2632-54-0x000007FEF69C0000-0x000007FEF6AF2000-memory.dmp

          Filesize

          1.2MB

          Download