Overview

overview

10

Static

static

3

acfe91ad1b...18.dll

windows7-x64

10

acfe91ad1b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    19-08-2024 23:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    acfe91ad1baf9ce432450d6bb0558e2b_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    acfe91ad1baf9ce432450d6bb0558e2b

  • SHA1

    e7a99b007e443ddd625892f5fbd5bfcd5227ddeb

  • SHA256

    c848f850797249c8c2315d762a79e6ea7536ba9ccb699f7d419907bb2a528eff

  • SHA512

    bc946115122b04649d208ee4971d8aa37fde2214888afc6a4a201c486a03775b1d13d9873a44435ef803a1c48a58aab928249192c0f9648aac6398fc7bc5f330

  • SSDEEP

    24576:ChLBOY3Zch8R9trbCPQFaD0JAc8V7M/GGS069NmgsSF:KTFJawGGj6fmg

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\acfe91ad1baf9ce432450d6bb0558e2b_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3056
  • C:\Windows\system32\tcmsetup.exe
    C:\Windows\system32\tcmsetup.exe
    1⤵
      PID:2624
    • C:\Users\Admin\AppData\Local\qRVfddAwJ\tcmsetup.exe
      C:\Users\Admin\AppData\Local\qRVfddAwJ\tcmsetup.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2784
    • C:\Windows\system32\BitLockerWizardElev.exe
      C:\Windows\system32\BitLockerWizardElev.exe
      1⤵
        PID:1744
      • C:\Users\Admin\AppData\Local\ENGIJdMUL\BitLockerWizardElev.exe
        C:\Users\Admin\AppData\Local\ENGIJdMUL\BitLockerWizardElev.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3020
      • C:\Windows\system32\vmicsvc.exe
        C:\Windows\system32\vmicsvc.exe
        1⤵
          PID:2392
        • C:\Users\Admin\AppData\Local\MEAi3f\vmicsvc.exe
          C:\Users\Admin\AppData\Local\MEAi3f\vmicsvc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1400

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ENGIJdMUL\FVEWIZ.dll
          Filesize

          1.2MB

          MD5

          4ba6b030f4989209f33374cbc2fc1ddc

          SHA1

          e3f853a2974fa150cb189d6de01a11bb67b2957b

          SHA256

          9b25f970b7ce34e834177d7312b48697708a9421e079ea9df79e4b84dc7d8984

          SHA512

          f3f7dda9e56edd2483e6178dbe2917388ea5ad283fb0fd2d664e0e98b9f1fc22b8284641b44b37fb1a18dfefa5f44e51dd753a51101c787758cc0b0dda68c692

          Download Submit

        • C:\Users\Admin\AppData\Local\MEAi3f\ACTIVEDS.dll
          Filesize

          1.2MB

          MD5

          e5a644b46ff9c96dae5a2beda8298de5

          SHA1

          732b27b3dfc80568b22a3cdaa33c9d47e15a422b

          SHA256

          22073cfa2a6e73ccdbc4ba9548cdd7ef237f997040dd096b0c900205b9de3844

          SHA512

          acfeb125ab3f80cdb0b1d7db474a9fbd07c9fad5e3c77407203c3c34b35583d37904676ca58362a9a14618ab41ad814a84c9997a87353dba455adbde5f63a2a9

          Download Submit

        • C:\Users\Admin\AppData\Local\qRVfddAwJ\TAPI32.dll
          Filesize

          1.2MB

          MD5

          d86901506255273a34387a28e282ce94

          SHA1

          db1d03ef948cc070e3967e76a1d0437e5db49a6a

          SHA256

          4da6e17869a3f146714d8e5c95d903fc455aefb4a60d5564545396a487e5a5e5

          SHA512

          0510d45d7f41589f6850209c2044189632617628f681859e5702113e80d45c147d857576272ccc98d3d73a1cbb8738af3c01803870058464adaf2a9c3bbf03c2

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Acjenwgziemamyd.lnk
          Filesize

          1KB

          MD5

          2dfea93c4a6ccb9522b9ba7871d29db3

          SHA1

          4018567d243da791449bf5b7332266c8b542050f

          SHA256

          e0576f1a21050b2193f2260e11d75e67f60b71e42ae431d6f5fca25d7e6e7caf

          SHA512

          41d72b6e3842ed833464abb838efa02077b71ae4bb368a00968fcc0c3f4e2622297ee873a455b3dea0fd967a4109dfe2643c77ef9f7a68ac90abd041a80824f4

          Download Submit

        • \Users\Admin\AppData\Local\ENGIJdMUL\BitLockerWizardElev.exe
          Filesize

          98KB

          MD5

          73f13d791e36d3486743244f16875239

          SHA1

          ed5ec55dbc6b3bda505f0a4c699c257c90c02020

          SHA256

          2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

          SHA512

          911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

          Download Submit

        • \Users\Admin\AppData\Local\MEAi3f\vmicsvc.exe
          Filesize

          238KB

          MD5

          79e14b291ca96a02f1eb22bd721deccd

          SHA1

          4c8dbff611acd8a92cd2280239f78bebd2a9947e

          SHA256

          d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

          SHA512

          f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

          Download Submit

        • \Users\Admin\AppData\Local\qRVfddAwJ\tcmsetup.exe
          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

          Download Submit

        • memory/1228-35-0x0000000140000000-0x0000000140141000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1228-9-0x0000000140000000-0x0000000140141000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1228-7-0x0000000140000000-0x0000000140141000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1228-14-0x0000000140000000-0x0000000140141000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1228-13-0x0000000140000000-0x0000000140141000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1228-15-0x0000000140000000-0x0000000140141000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1228-24-0x0000000002590000-0x0000000002597000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1228-23-0x0000000140000000-0x0000000140141000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1228-36-0x0000000140000000-0x0000000140141000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1228-4-0x00000000776D6000-0x00000000776D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1228-28-0x0000000077A70000-0x0000000077A72000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1228-27-0x00000000778E1000-0x00000000778E2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1228-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1228-8-0x0000000140000000-0x0000000140141000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1228-10-0x0000000140000000-0x0000000140141000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1228-12-0x0000000140000000-0x0000000140141000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1228-11-0x0000000140000000-0x0000000140141000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1400-88-0x0000000000080000-0x0000000000087000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1400-94-0x000007FEF69C0000-0x000007FEF6B02000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2784-55-0x0000000000520000-0x0000000000527000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2784-58-0x000007FEF6F50000-0x000007FEF7093000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2784-52-0x000007FEF6F50000-0x000007FEF7093000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3020-71-0x000007FEF69C0000-0x000007FEF6B02000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3020-70-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3020-76-0x000007FEF69C0000-0x000007FEF6B02000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3056-44-0x000007FEF69C0000-0x000007FEF6B01000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3056-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3056-2-0x000007FEF69C0000-0x000007FEF6B01000-memory.dmp

          Filesize

          1.3MB

          Download