Overview

overview

10

Static

static

3

a2c8e4117f...18.dll

windows7-x64

10

a2c8e4117f...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    17-08-2024 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2c8e4117fbdd702afa7eaa9f3e4f45b_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    a2c8e4117fbdd702afa7eaa9f3e4f45b

  • SHA1

    8ef8013bd3fba4a9db7c2b003797eb59f3cc05c8

  • SHA256

    40545a6526811c53e2e60af1d8df29607162db993879b289bddf2d2dab73e9d7

  • SHA512

    20864d7b6ec128bd32994562d15f08b0b599242909c922c2e6eb4498dd6e2cd6292ffced315d9f54b4cd689387b2b6c5a1a14fe9a83fc0e6d28138e16e5db83c

  • SSDEEP

    24576:guYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:w9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a2c8e4117fbdd702afa7eaa9f3e4f45b_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1968
  • C:\Windows\system32\msdt.exe
    C:\Windows\system32\msdt.exe
    1⤵
      PID:2624
    • C:\Users\Admin\AppData\Local\ESBT5TQ7p\msdt.exe
      C:\Users\Admin\AppData\Local\ESBT5TQ7p\msdt.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2660
    • C:\Windows\system32\dpnsvr.exe
      C:\Windows\system32\dpnsvr.exe
      1⤵
        PID:2456
      • C:\Users\Admin\AppData\Local\6Jf5ymnj\dpnsvr.exe
        C:\Users\Admin\AppData\Local\6Jf5ymnj\dpnsvr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2304
      • C:\Windows\system32\psr.exe
        C:\Windows\system32\psr.exe
        1⤵
          PID:1636
        • C:\Users\Admin\AppData\Local\5FQg\psr.exe
          C:\Users\Admin\AppData\Local\5FQg\psr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2040

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\5FQg\XmlLite.dll
          Filesize

          1.2MB

          MD5

          6f7c2954767f1f588398ee57096d80e1

          SHA1

          6ad2df781ad163ea09c3df2136b3561e35427356

          SHA256

          5b449fc148272c50998f35083168a30b39e4c9053e665b52406d2531224f37ab

          SHA512

          6bf659416d1acda37b779ce1fe98a8289f4889ebfb0fe164e6c82cb7eeaff2eb6891a9f831dcaaa9b9022df9a09f41c5bb4593cdb4d6649a75d4d7f5bc891bdf

          Download Submit

        • C:\Users\Admin\AppData\Local\6Jf5ymnj\WINMM.dll
          Filesize

          1.2MB

          MD5

          4b06c86c33cdf68a5b5fd10cd5fd9c50

          SHA1

          63005646750f8b384271c0486613b62aa98e64ce

          SHA256

          8052d213ff0d7348fa2186160007b41a393f9e03bcd42a6af7b101e4b83614e5

          SHA512

          1495489fd56f7d57dd6c33c18ff2ae4e2d66438ba6455e1e6803540f54a06da905364d2ed1411854ba35792ac7e33cac0558530ca6126c2f06cc7f60791c5822

          Download Submit

        • C:\Users\Admin\AppData\Local\ESBT5TQ7p\wer.dll
          Filesize

          1.2MB

          MD5

          a9a7b0e241868c67a4c7885063925c0c

          SHA1

          1831cfce2f13109e811ff4c08fd5f44d3046d25f

          SHA256

          72e2baef6705e2676dbdd925ac5eab5eade58418993927ba2c140ac6de7afd8d

          SHA512

          c663ba8cf0710ff8cb1115be1aba982e8d97c7bc0a7a15439addb8e3a5ff89ac19e6184b405ab5933220c0d38bc7544d4ed2a7c27f004172c6e02ad299eddf53

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Joeqzcwrjre.lnk
          Filesize

          914B

          MD5

          784c958f706b3c093b81e957f5d1fab1

          SHA1

          d42ab2ff568782ab30ccd6addf61a1ac151e81b9

          SHA256

          6d15172e3da6cd24666aeb3968b58fbf4d5872e5c358e7052243ff1bbd861f35

          SHA512

          73bb598457f13f86c0a06969f0b1178ad759d8ad6bc5192ead342e7cbc8c32520656e8159e64a2cd77567631490e150eee0aca0acc5459dba17990e92103f6d3

          Download Submit

        • \Users\Admin\AppData\Local\5FQg\psr.exe
          Filesize

          715KB

          MD5

          a80527109d75cba125d940b007eea151

          SHA1

          facf32a9ede6abfaa09368bfdfcfec8554107272

          SHA256

          68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

          SHA512

          77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

          Download Submit

        • \Users\Admin\AppData\Local\6Jf5ymnj\dpnsvr.exe
          Filesize

          33KB

          MD5

          6806b72978f6bd27aef57899be68b93b

          SHA1

          713c246d0b0b8dcc298afaed4f62aed82789951c

          SHA256

          3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

          SHA512

          43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

          Download Submit

        • \Users\Admin\AppData\Local\ESBT5TQ7p\msdt.exe
          Filesize

          1.0MB

          MD5

          aecb7b09566b1f83f61d5a4b44ae9c7e

          SHA1

          3a4a2338c6b5ac833dc87497e04fe89c5481e289

          SHA256

          fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

          SHA512

          6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

          Download Submit

        • memory/1196-26-0x0000000002DA0000-0x0000000002DA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-43-0x0000000076BD6000-0x0000000076BD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-30-0x0000000076F70000-0x0000000076F72000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-29-0x0000000076DE1000-0x0000000076DE2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-4-0x0000000076BD6000-0x0000000076BD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-34-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-33-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-5-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-18-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1968-42-0x000007FEF5E80000-0x000007FEF5FB1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1968-0-0x0000000001EE0000-0x0000000001EE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1968-1-0x000007FEF5E80000-0x000007FEF5FB1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2040-90-0x0000000000620000-0x0000000000627000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2040-87-0x000007FEF59B0000-0x000007FEF5AE2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2040-93-0x000007FEF59B0000-0x000007FEF5AE2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2304-69-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2304-70-0x000007FEF5E80000-0x000007FEF5FB3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2304-75-0x000007FEF5E80000-0x000007FEF5FB3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2660-57-0x000007FEF6510000-0x000007FEF6642000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2660-52-0x000007FEF6510000-0x000007FEF6642000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2660-51-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download