Overview

overview

10

Static

static

3

a0682d74e1...18.dll

windows7-x64

10

a0682d74e1...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    16-08-2024 23:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a0682d74e106b09ade2106ede229c053_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    a0682d74e106b09ade2106ede229c053

  • SHA1

    9fe391db18b3625649adf27e339e81003318dda6

  • SHA256

    0f22dce9cc7521ce92c5b64195b89405390cebe4f68a95852c92e1393d5ab821

  • SHA512

    3093e13ab01081095346941f710fda9c9ad53377719880366441a8a28543ca120cf47fa6abae2b863fa30a0076b675e51233cdf7e8d9a6ca463b77afcb9bce31

  • SSDEEP

    24576:KuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:S9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0682d74e106b09ade2106ede229c053_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:976
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    1⤵
      PID:2432
    • C:\Users\Admin\AppData\Local\fXxql\raserver.exe
      C:\Users\Admin\AppData\Local\fXxql\raserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2484
    • C:\Windows\system32\msconfig.exe
      C:\Windows\system32\msconfig.exe
      1⤵
        PID:2400
      • C:\Users\Admin\AppData\Local\pT6HUq1\msconfig.exe
        C:\Users\Admin\AppData\Local\pT6HUq1\msconfig.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2672
      • C:\Windows\system32\perfmon.exe
        C:\Windows\system32\perfmon.exe
        1⤵
          PID:2292
        • C:\Users\Admin\AppData\Local\7BPz\perfmon.exe
          C:\Users\Admin\AppData\Local\7BPz\perfmon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1484

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\7BPz\credui.dll
          Filesize

          1.2MB

          MD5

          4f0a87bb3d5624c886e9018010cdfc69

          SHA1

          f06410c53069f5d0f3b32314ef765984b495d158

          SHA256

          de4b67f5b60b0f3833e55c791f496c48a6e8bb256733d19584f92f724374e91e

          SHA512

          2a4b1af764da099a210bf9b68803582ff6eaa1a629953627ad712d0fa7b1a5ff022283488ddb604feb6ce12490bbc1634dedcfb29378f5a4439e541b7d18fc20

          Download Submit

        • C:\Users\Admin\AppData\Local\fXxql\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          9f11656afc1440bd301d17fce9ec6049

          SHA1

          27396e0c6f2913f7cf036ee17291b88cdb06aca5

          SHA256

          530f34861d3aef28b8d36a1aaa7e8a12dfc2914ff544aa039c056e4b586e4d1e

          SHA512

          e9c0031b0085bca85809ab71b3d674b120c82c2da1998fa81bb7cfe22acd16419d03de2edb2415af37acfea170949ae16c6a5664bf19fb1ce850d4a716f54195

          Download Submit

        • C:\Users\Admin\AppData\Local\pT6HUq1\MFC42u.dll
          Filesize

          1.2MB

          MD5

          e9f1d5c7dc5921321d77ef973e86fa01

          SHA1

          6f71889c2a02d324a494d706d84e9d5fff909544

          SHA256

          e45c07b70971743db791c59bc0bf64f02289693d98e34c33ec6897173a4ff2d0

          SHA512

          502054393f94f3cff25424012741b81d66727b20f0d68cc4b38d0c6fadabe1d7044ff068146044c5dac22c93c747af951214238374cf05068ca0beb0a657c4e1

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Acjenwgziemamyd.lnk
          Filesize

          943B

          MD5

          25dfcbb4b99afdb497e8125d6a2faff4

          SHA1

          d934b18c5595db83bf131629de42b928091dd1ec

          SHA256

          135aec97e01b97f54c9f51147ebd3c3b7ba065abfc75b58b46c381ed9fe4bcbc

          SHA512

          d2c46f3a3714c48a50c54af5ec6e801a1e4606855e2099ee5c7f5fba9dd3088d845fee2bccac769624a8a990c03c68bbd9cde88becd35bc0c68ddbf30c90aa21

          Download Submit

        • \Users\Admin\AppData\Local\7BPz\perfmon.exe
          Filesize

          168KB

          MD5

          3eb98cff1c242167df5fdbc6441ce3c5

          SHA1

          730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

          SHA256

          6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

          SHA512

          f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

          Download Submit

        • \Users\Admin\AppData\Local\fXxql\raserver.exe
          Filesize

          123KB

          MD5

          cd0bc0b6b8d219808aea3ecd4e889b19

          SHA1

          9f8f4071ce2484008e36fdfd963378f4ebad703f

          SHA256

          16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

          SHA512

          84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

          Download Submit

        • \Users\Admin\AppData\Local\pT6HUq1\msconfig.exe
          Filesize

          293KB

          MD5

          e19d102baf266f34592f7c742fbfa886

          SHA1

          c9c9c45b7e97bb7a180064d0a1962429f015686d

          SHA256

          f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

          SHA512

          1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

          Download Submit

        • memory/976-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/976-0-0x000007FEF7760000-0x000007FEF7891000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/976-46-0x000007FEF7760000-0x000007FEF7891000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-27-0x0000000077501000-0x0000000077502000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-28-0x0000000077690000-0x0000000077692000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-38-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-47-0x00000000772F6000-0x00000000772F7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-26-0x0000000002120000-0x0000000002127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-4-0x00000000772F6000-0x00000000772F7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1484-91-0x000007FEF7770000-0x000007FEF78A2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1484-94-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1484-97-0x000007FEF7770000-0x000007FEF78A2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2484-55-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2484-61-0x000007FEF78A0000-0x000007FEF79D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2484-56-0x000007FEF78A0000-0x000007FEF79D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2672-79-0x000007FEF7770000-0x000007FEF78A8000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2672-74-0x000007FEF7770000-0x000007FEF78A8000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2672-73-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download