Overview

overview

10

Static

static

3

a07b656063...18.dll

windows7-x64

10

a07b656063...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    17/08/2024, 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a07b656063b17069350a758375bf0e4a_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    a07b656063b17069350a758375bf0e4a

  • SHA1

    630f9abee5584c039c8853b254a8a3beb83022db

  • SHA256

    6a73321338957ab1a99d1baa1a556b9d50708f20fe34c981e48e16597a3a5119

  • SHA512

    22ebb45d8f5dab19b944a4d6b0bc3da307a13bb950b56f7c8a629fcde72277473fc988a849005c03a4dc150071d4647f762bebf0c1db3bce55dbc78ca3a76b12

  • SSDEEP

    24576:3uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N7:59cKrUqZWLAcUj

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a07b656063b17069350a758375bf0e4a_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2400
  • C:\Windows\system32\Dxpserver.exe
    C:\Windows\system32\Dxpserver.exe
    1⤵
      PID:2320
    • C:\Users\Admin\AppData\Local\zusteMa\Dxpserver.exe
      C:\Users\Admin\AppData\Local\zusteMa\Dxpserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2780
    • C:\Windows\system32\EhStorAuthn.exe
      C:\Windows\system32\EhStorAuthn.exe
      1⤵
        PID:2664
      • C:\Users\Admin\AppData\Local\96Kp9KPXs\EhStorAuthn.exe
        C:\Users\Admin\AppData\Local\96Kp9KPXs\EhStorAuthn.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1836
      • C:\Windows\system32\notepad.exe
        C:\Windows\system32\notepad.exe
        1⤵
          PID:2964
        • C:\Users\Admin\AppData\Local\rf6auimm6\notepad.exe
          C:\Users\Admin\AppData\Local\rf6auimm6\notepad.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3032

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\96Kp9KPXs\UxTheme.dll
          Filesize

          1.2MB

          MD5

          a3816dfb570fec3ff393d02a833d8a38

          SHA1

          ab6e6a13820965fd88a277e13ce8988838ea7a8e

          SHA256

          56d698fd1e24fe345aab4b06aee72caf39ea1d5e0656b1f661516aad9455631d

          SHA512

          e0f048656fc4917e55dbf5fc69a24243859e1cff0d5081c7e7f925b2f0d32ce923392e6e91cfa40981722aac06aa9b76335295bc6dfa515c19ca5cb9bfb09ffc

          Download Submit

        • C:\Users\Admin\AppData\Local\rf6auimm6\VERSION.dll
          Filesize

          1.2MB

          MD5

          fcdbe957ce492a3c3a7c32ad7b76ddd5

          SHA1

          6315393034309a307f148e43c6c13e7206f4bccc

          SHA256

          fa7712ddceb870a35bbd0427db9d140e3d281fb6d0d7ab26db0511e54548aa3a

          SHA512

          1745df2d797f98c7b112c435f02812712de1420dc1d8f2a18751969ab1261678af1023ab6ce7017055b4029e75fe75b5025f0fe7b9685bf09fdbc73d7dd785c7

          Download Submit

        • C:\Users\Admin\AppData\Local\zusteMa\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • C:\Users\Admin\AppData\Local\zusteMa\XmlLite.dll
          Filesize

          1.2MB

          MD5

          fe9f1453a69aa838363806d2b42f321b

          SHA1

          04b1c0cf1dfd2b47dfab3784a5f5a7a762117261

          SHA256

          8e2aa997a5e7d3d116ebb37063b8a2b732ba5cbcac1c2b8d0611f2a3421f53a3

          SHA512

          55ade2637ce5b57034c4e2bba71185e283cf72f9e15fbbeef04c307ac74c669fbe00477a6f056f5baffea04729ee9eed1ef898331691e2d8df4881fe9354f10a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Acjenwgziemamyd.lnk
          Filesize

          1KB

          MD5

          6281763c7aa58ef242412e6ee8f6ba32

          SHA1

          bc390b5166760cb99d6a5c3570592d7ceef6ef7d

          SHA256

          93712fd77cc1f6bd57286147348620449f0e0198e3bc0cf251310d9465bd2f61

          SHA512

          549f5be43137ae5c4fcbfcf6201e64ae433edf4a7a80b85f7a9b988bc1352341429a4471fd9837576722c21dcc665287d5048fec7cd107edb52392be989fe34b

          Download Submit

        • \Users\Admin\AppData\Local\96Kp9KPXs\EhStorAuthn.exe
          Filesize

          137KB

          MD5

          3abe95d92c80dc79707d8e168d79a994

          SHA1

          64b10c17f602d3f21c84954541e7092bc55bb5ab

          SHA256

          2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

          SHA512

          70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

          Download Submit

        • \Users\Admin\AppData\Local\rf6auimm6\notepad.exe
          Filesize

          189KB

          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit

        • memory/1204-37-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-29-0x0000000077500000-0x0000000077502000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-28-0x0000000077371000-0x0000000077372000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-25-0x00000000024B0000-0x00000000024B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-4-0x0000000077266000-0x0000000077267000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-46-0x0000000077266000-0x0000000077267000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-5-0x00000000024D0000-0x00000000024D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1836-72-0x000007FEF6230000-0x000007FEF6361000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1836-77-0x000007FEF6230000-0x000007FEF6361000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2400-45-0x000007FEF6240000-0x000007FEF6370000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2400-0-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2400-1-0x000007FEF6240000-0x000007FEF6370000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2780-60-0x000007FEF6850000-0x000007FEF6981000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2780-55-0x000007FEF6850000-0x000007FEF6981000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2780-54-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3032-94-0x000007FEF6230000-0x000007FEF6361000-memory.dmp

          Filesize

          1.2MB

          Download