Overview

overview

10

Static

static

3

a9645d8d4b...18.dll

windows7-x64

10

a9645d8d4b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    19-08-2024 03:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9645d8d4bd77b185fe75c17173fd55c_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    a9645d8d4bd77b185fe75c17173fd55c

  • SHA1

    efe6d2a7684b2c66de1ef26484a2838d49629f02

  • SHA256

    05f584345e0092fedeaf52c65be820f9ab66b3a53b8aa92d20d2ff5ad7ed499d

  • SHA512

    d17e1e251720b509dfff40be060359d07589d811ff2a959c061c4fa929b7b5821c5e30488b63623dcf2cc626ffa638b31b5566a7e33bf9bea597a1b099ccd082

  • SSDEEP

    24576:guYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:w9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9645d8d4bd77b185fe75c17173fd55c_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1768
  • C:\Windows\system32\SoundRecorder.exe
    C:\Windows\system32\SoundRecorder.exe
    1⤵
      PID:1580
    • C:\Users\Admin\AppData\Local\A4a\SoundRecorder.exe
      C:\Users\Admin\AppData\Local\A4a\SoundRecorder.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2796
    • C:\Windows\system32\DeviceDisplayObjectProvider.exe
      C:\Windows\system32\DeviceDisplayObjectProvider.exe
      1⤵
        PID:2616
      • C:\Users\Admin\AppData\Local\JNy9Q\DeviceDisplayObjectProvider.exe
        C:\Users\Admin\AppData\Local\JNy9Q\DeviceDisplayObjectProvider.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2788
      • C:\Windows\system32\winlogon.exe
        C:\Windows\system32\winlogon.exe
        1⤵
          PID:2568
        • C:\Users\Admin\AppData\Local\KWBt412\winlogon.exe
          C:\Users\Admin\AppData\Local\KWBt412\winlogon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2624

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\A4a\SoundRecorder.exe
          Filesize

          139KB

          MD5

          47f0f526ad4982806c54b845b3289de1

          SHA1

          8420ea488a2e187fe1b7fcfb53040d10d5497236

          SHA256

          e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

          SHA512

          4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

          Download Submit

        • C:\Users\Admin\AppData\Local\A4a\WINMM.dll
          Filesize

          1.2MB

          MD5

          53d9694f4ef7c411d8285bf337c7c870

          SHA1

          5459a55bc34d061b469da343ebf870599fee7b5e

          SHA256

          d706da67d152784f98c470bfbf9296cdcd38759d21b300abac2378e6b591c78a

          SHA512

          5d0ddd0be7222316843e244938317e5739a480a7dfcc60a98cb86ce7aa8fc8c26b29c396daf09ac9aa1f71213acb813f90b0ec25785c0a6bcd70764e40b0480f

          Download Submit

        • C:\Users\Admin\AppData\Local\JNy9Q\XmlLite.dll
          Filesize

          1.2MB

          MD5

          d5e9624f029e46da7b1c79c1a63f53ba

          SHA1

          69ee4beb9f19cc13f0565d0eaa168bbb5a06abbe

          SHA256

          72bf39c43ef8e3863da1977c5ebda3dce5d13b5e5f6338708e064b86db805cb9

          SHA512

          b9f0791bf86aaaee0c66b915027295fd1354fd93b329f503790d5d1d079ecf898f6e7369b65c6cf365d07f9cab3418c2924ada39896cd24358f5e47fd4882130

          Download Submit

        • C:\Users\Admin\AppData\Local\KWBt412\winlogon.exe
          Filesize

          381KB

          MD5

          1151b1baa6f350b1db6598e0fea7c457

          SHA1

          434856b834baf163c5ea4d26434eeae775a507fb

          SHA256

          b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

          SHA512

          df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nhelokvclymi.lnk
          Filesize

          696B

          MD5

          b78608d9fd1a44629a68039b8c8c6689

          SHA1

          a9b13cddff85c885b205906deaac05c23deaf597

          SHA256

          6814b3f973472db43b2d43a1c61caf6b25d51a22e9a032c663ab6d039f831a81

          SHA512

          1379c804dd2e67bfe19915fe4acb5d0b8c69868cdabde1b06284319124d72337acafcbaa2b6aa5399e0510975d9502330a8747b9ec50694b5671ff7027175616

          Download Submit

        • \Users\Admin\AppData\Local\JNy9Q\DeviceDisplayObjectProvider.exe
          Filesize

          109KB

          MD5

          7e2eb3a4ae11190ef4c8a9b9a9123234

          SHA1

          72e98687a8d28614e2131c300403c2822856e865

          SHA256

          8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

          SHA512

          18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

          Download Submit

        • \Users\Admin\AppData\Local\KWBt412\WINSTA.dll
          Filesize

          1.2MB

          MD5

          8c29b4df6298a9816055f04e433a3d52

          SHA1

          ace8652473022edebaf95b2f5b5fc376ebd7d358

          SHA256

          fdb5e8abd48ee8d759191545cbf4c3a275586e6938732a0ef6cd3ea7fdf90a5d

          SHA512

          51e89293bff0686ea747715739e37a1e3f9c36af08726f3a5f0a3a2eee8c396593b69bdf1382d0d92f37fcee672b24bfd59da28c754992fea144471c9ff8d3d9

          Download Submit

        • memory/1392-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-25-0x00000000020F0000-0x00000000020F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1392-4-0x0000000076C26000-0x0000000076C27000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1392-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-33-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-32-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-5-0x0000000002110000-0x0000000002111000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1392-42-0x0000000076C26000-0x0000000076C27000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1392-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-28-0x0000000076D31000-0x0000000076D32000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1392-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1392-29-0x0000000076EC0000-0x0000000076EC2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1768-41-0x000007FEF6F60000-0x000007FEF7090000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1768-0-0x000007FEF6F60000-0x000007FEF7090000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1768-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2624-89-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2624-86-0x000007FEF6F50000-0x000007FEF7082000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2624-92-0x000007FEF6F50000-0x000007FEF7082000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2788-71-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2788-68-0x000007FEF6F50000-0x000007FEF7081000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2788-74-0x000007FEF6F50000-0x000007FEF7081000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2796-56-0x000007FEF7080000-0x000007FEF71B2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2796-50-0x000007FEF7080000-0x000007FEF71B2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2796-53-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download