Overview

overview

10

Static

static

3

9ec755bc82...18.dll

windows7-x64

10

9ec755bc82...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    16-08-2024 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ec755bc82d0950c88b7eb47e9f25f1f_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    9ec755bc82d0950c88b7eb47e9f25f1f

  • SHA1

    5a72e981a2182ab70bb76365cbb5cef7da7b02fd

  • SHA256

    18225e4c3113085ea7969d7eeac3507e25eb36eddb6aa4511ff2618473b82e9f

  • SHA512

    3af88950dab298df873b54700467be8f0f3ac03efca508154cbbd5f6c9ce09cd5a5f24f240375478067be783f1e7c3ad38af568ed8f319b36a2bf89fd8fc9a46

  • SSDEEP

    24576:QuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:A9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ec755bc82d0950c88b7eb47e9f25f1f_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1820
  • C:\Windows\system32\rekeywiz.exe
    C:\Windows\system32\rekeywiz.exe
    1⤵
      PID:2812
    • C:\Users\Admin\AppData\Local\1wk1SC\rekeywiz.exe
      C:\Users\Admin\AppData\Local\1wk1SC\rekeywiz.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2704
    • C:\Windows\system32\VaultSysUi.exe
      C:\Windows\system32\VaultSysUi.exe
      1⤵
        PID:576
      • C:\Users\Admin\AppData\Local\zt8Qd2\VaultSysUi.exe
        C:\Users\Admin\AppData\Local\zt8Qd2\VaultSysUi.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2912
      • C:\Windows\system32\StikyNot.exe
        C:\Windows\system32\StikyNot.exe
        1⤵
          PID:2388
        • C:\Users\Admin\AppData\Local\yxvYm\StikyNot.exe
          C:\Users\Admin\AppData\Local\yxvYm\StikyNot.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3036

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1wk1SC\rekeywiz.exe
          Filesize

          67KB

          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

          Download Submit

        • C:\Users\Admin\AppData\Local\1wk1SC\slc.dll
          Filesize

          1.2MB

          MD5

          e2f51a314f2309ee091c880c29deccf1

          SHA1

          ade81a141a45db05382c15b94da6fc653ca27504

          SHA256

          e8dec1937edf5e436c9a7db68683b0953d075f8be286f7fa557196ba93db225d

          SHA512

          2978ffb91a5e0d2514ca6cba6c7eea20a9166cc8923296ffdbc6f6a87e321c6bbb03398fb0585e511fba68faae670409b6ed836390ebcbfece049d409247bbcf

          Download Submit

        • C:\Users\Admin\AppData\Local\yxvYm\StikyNot.exe
          Filesize

          417KB

          MD5

          b22cb67919ebad88b0e8bb9cda446010

          SHA1

          423a794d26d96d9f812d76d75fa89bffdc07d468

          SHA256

          2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

          SHA512

          f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

          Download Submit

        • C:\Users\Admin\AppData\Local\zt8Qd2\credui.dll
          Filesize

          1.2MB

          MD5

          6d7bb07fa69a945743c8c1c8c4823ad6

          SHA1

          40587c4807de75d08d6afa0212cf741d5bc91b3b

          SHA256

          0e1de7e2d6fdc99f35466d6bfeabd667ad928251393c55ae7f8da74bed20658b

          SHA512

          1d534348468dc10040b573fe17184ac833b4160416bda1b2af6d862241854a4d0d48aabf78ade66a0c73ecc4fd20a0d6d77be55888c648dbdc7476cd2f079812

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nhelokvclymi.lnk
          Filesize

          1KB

          MD5

          b97714e67751d1a7246edeedad8c1d7c

          SHA1

          763cf214f7581625b7d1bcc05906ffa71b3efc1d

          SHA256

          8c951f81af5d4ca2e7ec74b24380bda67549849fd3322a2747ad7b760527d2cc

          SHA512

          e821e1808be1c0ba5d98cac0bddd92dc9473ae2a296565c7acf019eddaa480443002fab1ba1ae5d9ea311b25ad3590d8e317fd1b4f6bd7d724f6d8935b1521c2

          Download Submit

        • \Users\Admin\AppData\Local\yxvYm\slc.dll
          Filesize

          1.2MB

          MD5

          086736a93d751a5faed3cd7057bbad19

          SHA1

          aacab84611172da0da85488e2940813c12171568

          SHA256

          5df9c83acea55fa1cdaefb6c39d907b862ab47baeef57e92553675fd04fe8788

          SHA512

          3208231cf1353fa4de473e7d65f28cfdfbee861c183e7e4a6fed01125ee30fa4b50974ea216c4dc3a2a99d54a9a135fd7098dff4cb1cefc9f1dd3615913f260f

          Download Submit

        • \Users\Admin\AppData\Local\zt8Qd2\VaultSysUi.exe
          Filesize

          39KB

          MD5

          f40ef105d94350d36c799ee23f7fec0f

          SHA1

          ee3a5cfe8b807e1c1718a27eb97fa134360816e3

          SHA256

          eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

          SHA512

          f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

          Download Submit

        • memory/1256-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-24-0x00000000025B0000-0x00000000025B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1256-4-0x00000000774E6000-0x00000000774E7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1256-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-25-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-27-0x0000000077780000-0x0000000077782000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1256-26-0x00000000775F1000-0x00000000775F2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1256-38-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-5-0x0000000002D70000-0x0000000002D71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1256-46-0x00000000774E6000-0x00000000774E7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1256-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1256-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1820-45-0x000007FEF7950000-0x000007FEF7A80000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1820-0-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1820-1-0x000007FEF7950000-0x000007FEF7A80000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2704-60-0x000007FEF7920000-0x000007FEF7A51000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2704-55-0x000007FEF7920000-0x000007FEF7A51000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2704-54-0x0000000000300000-0x0000000000307000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2912-75-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2912-76-0x000007FEF7940000-0x000007FEF7A71000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2912-81-0x000007FEF7940000-0x000007FEF7A71000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3036-93-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3036-99-0x000007FEF7940000-0x000007FEF7A71000-memory.dmp

          Filesize

          1.2MB

          Download