Overview

overview

10

Static

static

3

a26e9ff518...18.dll

windows7-x64

10

a26e9ff518...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    17-08-2024 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a26e9ff518e0a7dcb126011e6236057a_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    a26e9ff518e0a7dcb126011e6236057a

  • SHA1

    e091c8effd602b07c71fc1a3aa7bf3ea81302b0f

  • SHA256

    fd8a212a919eac3265b57d306f28a39c130b445c81776bec3488c009dad0b51f

  • SHA512

    9ad562df0826fb24e9aecf56a22bda8b666c7820e177e686ab2a7ef32b4d6081f1de7dc855fec328d026bf7bb6fee458b8cb46203481604e9b1d996daa0971b5

  • SSDEEP

    24576:OuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:u9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a26e9ff518e0a7dcb126011e6236057a_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2500
  • C:\Windows\system32\PresentationSettings.exe
    C:\Windows\system32\PresentationSettings.exe
    1⤵
      PID:1856
    • C:\Users\Admin\AppData\Local\p9iD8qB\PresentationSettings.exe
      C:\Users\Admin\AppData\Local\p9iD8qB\PresentationSettings.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2636
    • C:\Windows\system32\wisptis.exe
      C:\Windows\system32\wisptis.exe
      1⤵
        PID:332
      • C:\Users\Admin\AppData\Local\DiKW8\wisptis.exe
        C:\Users\Admin\AppData\Local\DiKW8\wisptis.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2292
      • C:\Windows\system32\TpmInit.exe
        C:\Windows\system32\TpmInit.exe
        1⤵
          PID:3008
        • C:\Users\Admin\AppData\Local\liY\TpmInit.exe
          C:\Users\Admin\AppData\Local\liY\TpmInit.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2960

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\DiKW8\slc.dll
          Filesize

          1.2MB

          MD5

          f4f411195d90336dc8f47d764dc7aa68

          SHA1

          a770a8defd842bbd6940b7ba817331e2a3cfabed

          SHA256

          21e4da6fb8ae8126e66d7ffe6617ab926def0132dff7c66a077a025f50ff82e2

          SHA512

          1f882f776e0ef41ebc097ed33fd754e35a415a1bc6005ecd85bb918cdabd25ccce9bf16ec4cb9da6b49ee006057f55a0b6991bee7e64452c8d42240166657fd3

          Download Submit

        • C:\Users\Admin\AppData\Local\liY\ACTIVEDS.dll
          Filesize

          1.2MB

          MD5

          825247faee6890afe591f0555347737a

          SHA1

          54bfa28357026dca80df2940a7fc2ffb7deca627

          SHA256

          a87936662c5997c20226a73fed2ee4af04a6efc5733f7a76b7cf452d4dd0ca92

          SHA512

          c5ef3baa33cae866d640e271c912e3fbf60c1390457e4a41976a3eb4fb1b13223c926997a157b228f6f6ba7c40fc699e419e672267ce3756f1dfb97c7803970a

          Download Submit

        • C:\Users\Admin\AppData\Local\p9iD8qB\PresentationSettings.exe
          Filesize

          172KB

          MD5

          a6f8d318f6041334889481b472000081

          SHA1

          b8cf08ec17b30c8811f2514246fcdff62731dd58

          SHA256

          208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

          SHA512

          60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

          Download Submit

        • C:\Users\Admin\AppData\Local\p9iD8qB\WINMM.dll
          Filesize

          1.2MB

          MD5

          e39656deafd00ffeb5b2322835fc04d6

          SHA1

          024d7bd1d857ae900abd887aeaa1da2155329aa6

          SHA256

          03f60b8852a203d4580077a9b8d07b172d3dfa6e5369c95564d33cd734d4c44c

          SHA512

          009839806bc5e73e480d7d20db79fa3ad9da4909fe4776d94ef032e99bfe2857472f0a53efe9ae78a14f3f2cc0718fc01cf0a1087de98dba1be15063a8d1883d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dwxzrb.lnk
          Filesize

          921B

          MD5

          29c491d3cecc4e81dbbfe91a6a38f3c3

          SHA1

          2d86c159ffe827a6e244843dcb7a9830e834a4a3

          SHA256

          8faae12dcaa64bb5035e8383c4d79b29c8cb8d68828fe34309459a5f77efc5c8

          SHA512

          bb25d0f1c3d9f9a1b89839cbdab54ae015e2b7153f5520dc1722984181ada4a116899248c3708c0a74431f764aa31e78c40ba29a20613f8a5fa237242d9a9da6

          Download Submit

        • \Users\Admin\AppData\Local\DiKW8\wisptis.exe
          Filesize

          396KB

          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit

        • \Users\Admin\AppData\Local\liY\TpmInit.exe
          Filesize

          112KB

          MD5

          8b5eb38e08a678afa129e23129ca1e6d

          SHA1

          a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

          SHA256

          4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

          SHA512

          a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

          Download Submit

        • memory/1196-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-47-0x0000000077076000-0x0000000077077000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-28-0x0000000077410000-0x0000000077412000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-27-0x0000000077281000-0x0000000077282000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-4-0x0000000077076000-0x0000000077077000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-38-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-26-0x00000000024D0000-0x00000000024D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2292-73-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2292-74-0x000007FEF5F60000-0x000007FEF6092000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2292-78-0x000007FEF5F60000-0x000007FEF6092000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2500-46-0x000007FEF5F60000-0x000007FEF6091000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2500-0-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2500-2-0x000007FEF5F60000-0x000007FEF6091000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2636-61-0x000007FEF69B0000-0x000007FEF6AE3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2636-56-0x000007FEF69B0000-0x000007FEF6AE3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2636-55-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2960-88-0x00000000003B0000-0x00000000003B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2960-94-0x000007FEF5F60000-0x000007FEF6092000-memory.dmp

          Filesize

          1.2MB

          Download