Overview

overview

10

Static

static

3

a908ca5262...18.dll

windows7-x64

10

a908ca5262...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19-08-2024 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a908ca52629cfab8057cb8d662b488b1_JaffaCakes118.dll

  • Size

    909KB

  • MD5

    a908ca52629cfab8057cb8d662b488b1

  • SHA1

    29d811439833907b69f1a6c2b09c95f499f52038

  • SHA256

    139721b2a97521b2eea00f077fd1e95eb0859296937b1579b0223e8e16b5c628

  • SHA512

    a2bb59d5211b2e08e4b277c78c9470580828726efcf39548a7b6b9ca51afa12c487abdfbd7762f45b2f7be2bdad357d9026c2a59f8558625c36f1508cf8db29b

  • SSDEEP

    12288:Late3r/6VSBuehNcvwh8zqv8gxLBkVHUR8LlRYchYN7QBAs2bh:LN3r/fHhSv3zqvRLBCHUyj7BA

Score
10/10
dridexbotnetevasionloaderpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Loader 'dmod' strings 11 IoCs

    Detects 'dmod' strings in Dridex loader.

    botnetloader
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a908ca52629cfab8057cb8d662b488b1_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1812
  • C:\Windows\system32\SystemPropertiesRemote.exe
    C:\Windows\system32\SystemPropertiesRemote.exe
    1⤵
      PID:2612
    • C:\Users\Admin\AppData\Local\YUTLTmY\SystemPropertiesRemote.exe
      C:\Users\Admin\AppData\Local\YUTLTmY\SystemPropertiesRemote.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2724
    • C:\Windows\system32\SystemPropertiesProtection.exe
      C:\Windows\system32\SystemPropertiesProtection.exe
      1⤵
        PID:2296
      • C:\Users\Admin\AppData\Local\o1CWro\SystemPropertiesProtection.exe
        C:\Users\Admin\AppData\Local\o1CWro\SystemPropertiesProtection.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3044
      • C:\Windows\system32\taskmgr.exe
        C:\Windows\system32\taskmgr.exe
        1⤵
          PID:2408
        • C:\Users\Admin\AppData\Local\dl0T\taskmgr.exe
          C:\Users\Admin\AppData\Local\dl0T\taskmgr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2044

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\YUTLTmY\SYSDM.CPL
          Filesize

          910KB

          MD5

          bd6b331e48565e554b35c166b18e90f6

          SHA1

          eb9d8fbe56d0bc3e951a7380d553509d3939f435

          SHA256

          6bad55258b0b61408760d3bc8da0dc838f4a71c9ff8610650130124143e00406

          SHA512

          928997989e9b6daee015a21a1c52916fbedd2d5ca0acab5d4c91e59940789d66fe61fec0c87e060daf8cbc423854139cb1c3d5b2d16c7b932ea3ce2e1669fc31

          Download Submit

        • C:\Users\Admin\AppData\Local\dl0T\Secur32.dll
          Filesize

          913KB

          MD5

          a67b3f67cf4936358f9a10bd4b53e937

          SHA1

          c339708293831d2218bb7a3065d548017a92a8fd

          SHA256

          676caa418aa63d3d92e6112f4efc5cadef21bb0fcdd10b6d6884559fd47ef903

          SHA512

          a490f37609890f262295e017ac4b87eae1c4b2affef824a3f880bd9f7c0a577a2f34e99fe9044717ca8fff0024fd368d94fc7c1394c3f9c0ba36b4bcb89a428a

          Download Submit

        • C:\Users\Admin\AppData\Local\o1CWro\SYSDM.CPL
          Filesize

          910KB

          MD5

          6b25130a12a1cc37003354ddc5f06061

          SHA1

          5375abc5a4a0f2b8761476ac1b41fa7f2fb0804a

          SHA256

          d05e1b6a48817bd008effe9146a2664cc8a7981606e5a1bf66c6671067035873

          SHA512

          f23041fce8498477f0952ce70a817e1a5693342023e44cc1a179e38a7921e59f6b1c81eeade25f6031b540eea9074cd2ba6a48f98f6b709a6081e3c0a9f4935f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Filabyuswgwl.lnk
          Filesize

          1KB

          MD5

          33e19f1e97f4a3d02f3d61621d7b02d6

          SHA1

          d9e168d601947ba6282088551b00b530582fd62a

          SHA256

          aef18f968e0b6edfa8a2c290d792c55d22a9e4ff5a5b1edb251e158a5b9a88e6

          SHA512

          7ab90cbb69df037f884c3aaa5d70e5e4b58c38058079f3c553a8a474ca772e3b88eb587d51e6388eaf8e44b6d1f8be3bc76059bc22cb19e8137205320ceac0aa

          Download Submit

        • \Users\Admin\AppData\Local\YUTLTmY\SystemPropertiesRemote.exe
          Filesize

          80KB

          MD5

          d0d7ac869aa4e179da2cc333f0440d71

          SHA1

          e7b9a58f5bfc1ec321f015641a60978c0c683894

          SHA256

          5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

          SHA512

          1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

          Download Submit

        • \Users\Admin\AppData\Local\dl0T\taskmgr.exe
          Filesize

          251KB

          MD5

          09f7401d56f2393c6ca534ff0241a590

          SHA1

          e8b4d84a28e5ea17272416ec45726964fdf25883

          SHA256

          6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

          SHA512

          7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

          Download Submit

        • \Users\Admin\AppData\Local\o1CWro\SystemPropertiesProtection.exe
          Filesize

          80KB

          MD5

          05138d8f952d3fff1362f7c50158bc38

          SHA1

          780bc59fcddf06a7494d09771b8340acffdcc720

          SHA256

          753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

          SHA512

          27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

          Download Submit

        • memory/1192-27-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-18-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-15-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-14-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-13-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-12-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-11-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-10-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-9-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-8-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-17-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-4-0x0000000076C06000-0x0000000076C07000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-26-0x0000000076D11000-0x0000000076D12000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-36-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-37-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-5-0x00000000024D0000-0x00000000024D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-46-0x0000000076C06000-0x0000000076C07000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-24-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-25-0x00000000024B0000-0x00000000024B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-7-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1192-16-0x0000000140000000-0x00000001400E9000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1812-45-0x000007FEF6490000-0x000007FEF6579000-memory.dmp

          Filesize

          932KB

          Download

        • memory/1812-3-0x00000000002C0000-0x00000000002C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1812-0-0x000007FEF6490000-0x000007FEF6579000-memory.dmp

          Filesize

          932KB

          Download

        • memory/2044-90-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2044-96-0x000007FEF5E00000-0x000007FEF5EEA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2724-60-0x000007FEF6490000-0x000007FEF657A000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2724-55-0x000007FEF6490000-0x000007FEF657A000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2724-54-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3044-72-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3044-73-0x000007FEF5E00000-0x000007FEF5EEA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3044-78-0x000007FEF5E00000-0x000007FEF5EEA000-memory.dmp

          Filesize

          936KB

          Download