Overview

overview

10

Static

static

3

aa023b42d8...18.dll

windows7-x64

10

aa023b42d8...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19-08-2024 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa023b42d8bfbb61dccb9678e890f5f9_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    aa023b42d8bfbb61dccb9678e890f5f9

  • SHA1

    4d4fa60f05778f0781f2bbb112bdeefd21846fe1

  • SHA256

    eb9493d24f510de451b6e489d2136c1eb086ec4fac12f87848a7b6ba57f7dffc

  • SHA512

    c375a14a25a7662b130bda2c4b9e24979c93bea59f29b4518f77780bf59accda028247591b60b8ad1ec6216cb45e6772df224ddc4d75e0c6ad040aa8f4770970

  • SSDEEP

    24576:juYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:N9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa023b42d8bfbb61dccb9678e890f5f9_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2292
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    1⤵
      PID:2632
    • C:\Users\Admin\AppData\Local\p2gFKBlO\BitLockerWizard.exe
      C:\Users\Admin\AppData\Local\p2gFKBlO\BitLockerWizard.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2636
    • C:\Windows\system32\wscript.exe
      C:\Windows\system32\wscript.exe
      1⤵
        PID:2456
      • C:\Users\Admin\AppData\Local\rQuT\wscript.exe
        C:\Users\Admin\AppData\Local\rQuT\wscript.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2492
      • C:\Windows\system32\StikyNot.exe
        C:\Windows\system32\StikyNot.exe
        1⤵
          PID:2388
        • C:\Users\Admin\AppData\Local\dQ5w\StikyNot.exe
          C:\Users\Admin\AppData\Local\dQ5w\StikyNot.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1696

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\dQ5w\DUI70.dll
          Filesize

          1.4MB

          MD5

          712f58e52fea85dc7087cfc1e717c46a

          SHA1

          a7d0c72e5a33efcf06595bb0f5352292be1273e2

          SHA256

          0b10e6620ee3669bc0bba3c37cfe829bcf38bd4a097f047a4660a59edff7f290

          SHA512

          8369905887f1e1b615f150cb24086439747ba32ad7c518a132d24624e73be0667681707d10fff9aefc28319d5bed21fb794aaa006eef531521e2bf0d00bb2ef1

          Download Submit

        • C:\Users\Admin\AppData\Local\dQ5w\StikyNot.exe
          Filesize

          417KB

          MD5

          b22cb67919ebad88b0e8bb9cda446010

          SHA1

          423a794d26d96d9f812d76d75fa89bffdc07d468

          SHA256

          2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

          SHA512

          f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

          Download Submit

        • C:\Users\Admin\AppData\Local\p2gFKBlO\FVEWIZ.dll
          Filesize

          1.2MB

          MD5

          a896cb2ed564e0e2a16993ed3f608974

          SHA1

          6e8badbb7c29ab9817b6c9ca3b8a2c08c15878c9

          SHA256

          3d37060622dfb0c11b965b4b75796a6665441f9e9827ec48f38eba769ae9621b

          SHA512

          910431273af40d37f1c423d8dc2cd8501b434c77459740db284ebb011def70f0633e9485ab4906c6421ca4da458eda6919234edff655a6c53fbbf1f4b07f3e5a

          Download Submit

        • C:\Users\Admin\AppData\Local\rQuT\VERSION.dll
          Filesize

          1.2MB

          MD5

          4db9eb2414a974afa7d07c06baf1e39c

          SHA1

          5530fc9b960181a509b4955b49ab933526aef75b

          SHA256

          0b3404aed2a2dc94760d191803ce76c3ff8d172f8981e7aa2e2ea604a2c53824

          SHA512

          72276098211f2a02e4487e63067a5b9c99c7ecaabfcf95af683498cb336191c47245f8fe70f1f70dd758cf395a2d01a4398913bdb8fce723cd40d8e953c7717b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
          Filesize

          1KB

          MD5

          9e27f4ea7f3354999f617737a209b3e2

          SHA1

          4e198bf1e9d912f96385b53c8dd0ac753a2f151d

          SHA256

          53ac2142a43747f1fb94e11369e67673b9c534e225ee0dec98817433b4f9b594

          SHA512

          f20af5c74cf09d255f980d53377661df35dd1b9c7e25b6af2310674f32513e48d170ab661cbf07163e480d34604c17bdbeda546a7f6de257e5a2025e705522d6

          Download Submit

        • \Users\Admin\AppData\Local\p2gFKBlO\BitLockerWizard.exe
          Filesize

          98KB

          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

          Download Submit

        • \Users\Admin\AppData\Local\rQuT\wscript.exe
          Filesize

          165KB

          MD5

          8886e0697b0a93c521f99099ef643450

          SHA1

          851bd390bf559e702b8323062dbeb251d9f2f6f7

          SHA256

          d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

          SHA512

          fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

          Download Submit

        • memory/1204-39-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-26-0x0000000002A70000-0x0000000002A77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-27-0x00000000772D1000-0x00000000772D2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-28-0x0000000077460000-0x0000000077462000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-4-0x00000000770C6000-0x00000000770C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-5-0x0000000002A90000-0x0000000002A91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-47-0x00000000770C6000-0x00000000770C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1696-101-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1696-100-0x000007FEF5E70000-0x000007FEF5FD5000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1696-94-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1696-95-0x000007FEF5E70000-0x000007FEF5FD5000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2292-46-0x000007FEF6370000-0x000007FEF64A1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2292-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2292-0-0x000007FEF6370000-0x000007FEF64A1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2492-82-0x000007FEF6370000-0x000007FEF64A2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2492-77-0x000007FEF6370000-0x000007FEF64A2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2492-76-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2636-61-0x000007FEF6A00000-0x000007FEF6B32000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2636-55-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2636-56-0x000007FEF6A00000-0x000007FEF6B32000-memory.dmp

          Filesize

          1.2MB

          Download