Overview

overview

10

Static

static

3

a9645d8d4b...18.dll

windows7-x64

10

a9645d8d4b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-08-2024 03:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9645d8d4bd77b185fe75c17173fd55c_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    a9645d8d4bd77b185fe75c17173fd55c

  • SHA1

    efe6d2a7684b2c66de1ef26484a2838d49629f02

  • SHA256

    05f584345e0092fedeaf52c65be820f9ab66b3a53b8aa92d20d2ff5ad7ed499d

  • SHA512

    d17e1e251720b509dfff40be060359d07589d811ff2a959c061c4fa929b7b5821c5e30488b63623dcf2cc626ffa638b31b5566a7e33bf9bea597a1b099ccd082

  • SSDEEP

    24576:guYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:w9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9645d8d4bd77b185fe75c17173fd55c_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4564
  • C:\Windows\system32\dxgiadaptercache.exe
    C:\Windows\system32\dxgiadaptercache.exe
    1⤵
      PID:1008
    • C:\Users\Admin\AppData\Local\KI3BBZ1Q\dxgiadaptercache.exe
      C:\Users\Admin\AppData\Local\KI3BBZ1Q\dxgiadaptercache.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3244
    • C:\Windows\system32\wbengine.exe
      C:\Windows\system32\wbengine.exe
      1⤵
        PID:1800
      • C:\Users\Admin\AppData\Local\tzZH\wbengine.exe
        C:\Users\Admin\AppData\Local\tzZH\wbengine.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3780
      • C:\Windows\system32\dialer.exe
        C:\Windows\system32\dialer.exe
        1⤵
          PID:3712
        • C:\Users\Admin\AppData\Local\N6ls\dialer.exe
          C:\Users\Admin\AppData\Local\N6ls\dialer.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4928

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\KI3BBZ1Q\dxgi.dll
          Filesize

          1.2MB

          MD5

          5088bcb59f73940c8421480f3172d308

          SHA1

          99d9f758e9b101a0bd2dcca862137c96d5c151a8

          SHA256

          c8b87151385d98c29805a9c12571cb3366dfda6ccacee778305e1d2f65706fea

          SHA512

          e93f14739a5b181e0a04fc6f6302a2bed4a5de7fae16ce08c9588e969981f1c2af6cc85c0268ea332bb756c463bb895296122059ce7022f71abe8b7968d94d67

          Download Submit

        • C:\Users\Admin\AppData\Local\KI3BBZ1Q\dxgiadaptercache.exe
          Filesize

          230KB

          MD5

          e62f89130b7253f7780a862ed9aff294

          SHA1

          b031e64a36e93f95f2061be5b0383069efac2070

          SHA256

          4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

          SHA512

          05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

          Download Submit

        • C:\Users\Admin\AppData\Local\N6ls\TAPI32.dll
          Filesize

          1.2MB

          MD5

          c43144926271835a4fc807f225fd0ecb

          SHA1

          a17069f176eaf36f9578062b2001273506e41545

          SHA256

          cd360d8957b23ba29735ba001b95dbbb46f40200fe934f18412a9fd4c4e26f4a

          SHA512

          772249a5b356c34c29bd5bb5c5b0175725530691b26580fd85de4892b1ebcc4605f1e05cf6aa79d33b4803210cdcb7c861ae7988cfe63c62eda85884ae2b9dc1

          Download Submit

        • C:\Users\Admin\AppData\Local\N6ls\dialer.exe
          Filesize

          39KB

          MD5

          b2626bdcf079c6516fc016ac5646df93

          SHA1

          838268205bd97d62a31094d53643c356ea7848a6

          SHA256

          e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

          SHA512

          615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

          Download Submit

        • C:\Users\Admin\AppData\Local\tzZH\SPP.dll
          Filesize

          1.2MB

          MD5

          792a0b3a255040ad85ba12051e25de4f

          SHA1

          76aea54b4260a40f1614b5346f8828b489a9012a

          SHA256

          5ade48a5860ec2c1be7c68828aa0ac880d696afabfd2751ac3df62ac4754a596

          SHA512

          3d80796e98df1706a7c2f1ed64f7ba62276bda48ba0653e46aa969396cc6552bceea4c6f3efec04263698b4db38d66a0d9932ce1a6f82c7a942f5e454f2d176d

          Download Submit

        • C:\Users\Admin\AppData\Local\tzZH\wbengine.exe
          Filesize

          1.5MB

          MD5

          17270a354a66590953c4aac1cf54e507

          SHA1

          715babcc8e46b02ac498f4f06df7937904d9798d

          SHA256

          9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

          SHA512

          6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Sfbjsepzltomqmf.lnk
          Filesize

          1008B

          MD5

          714fda20f25f443f8c53f6eb5f897f1d

          SHA1

          b31cc229e8a51531cb6f7d258fe74b7b05562f3e

          SHA256

          145211e0a0aecb388ef1a15c7a44f07f4d9aae238735c79951675eead04e5a99

          SHA512

          fc2fb40b24cbfd2d75a6fb91e25e928bbd39afc99c66a6240e40e573e54bf967835363534383829c9614d2522dcd67890bafe73233b4fbdb5e9e2a20ce702dab

          Download Submit

        • memory/3244-51-0x00007FFE745A0000-0x00007FFE746D1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3244-46-0x00007FFE745A0000-0x00007FFE746D1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3244-45-0x000001D822560000-0x000001D822567000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3464-26-0x00007FFE89770000-0x00007FFE89780000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3464-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-6-0x00007FFE8875A000-0x00007FFE8875B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-25-0x00000000007A0000-0x00000000007A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3464-4-0x0000000002910000-0x0000000002911000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3464-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3780-62-0x000001E20CEE0000-0x000001E20CEE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3780-68-0x00007FFE745A0000-0x00007FFE746D1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4564-1-0x00007FFE7AEC0000-0x00007FFE7AFF0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4564-38-0x00007FFE7AEC0000-0x00007FFE7AFF0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4564-0-0x000002215ABE0000-0x000002215ABE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4928-82-0x0000022C1EB40000-0x0000022C1EB47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4928-79-0x00007FFE745A0000-0x00007FFE746D2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4928-85-0x00007FFE745A0000-0x00007FFE746D2000-memory.dmp

          Filesize

          1.2MB

          Download