Overview

overview

10

Static

static

3

bbd4e284b0...18.dll

windows7-x64

10

bbd4e284b0...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    23-08-2024 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbd4e284b00e85697e11b7d15c813adc_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    bbd4e284b00e85697e11b7d15c813adc

  • SHA1

    54cdb498f7e6cc601dced0637ffd830fc53820d2

  • SHA256

    0f1c282e13dfd7aa0eabd5cf404e21768d5e9c703ae18a4c919576e675a45f0e

  • SHA512

    40aa178bb1df2ec6e71323d67baa34b57887325391f5580b6e1ba2f5ead0a450e08f7802777967d41ddba114761cef900cb5b88654db04cc346e4be867da8c9f

  • SSDEEP

    24576:7uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:l9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbd4e284b00e85697e11b7d15c813adc_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1708
  • C:\Windows\system32\shrpubw.exe
    C:\Windows\system32\shrpubw.exe
    1⤵
      PID:2184
    • C:\Users\Admin\AppData\Local\Mn6\shrpubw.exe
      C:\Users\Admin\AppData\Local\Mn6\shrpubw.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2824
    • C:\Windows\system32\DevicePairingWizard.exe
      C:\Windows\system32\DevicePairingWizard.exe
      1⤵
        PID:2072
      • C:\Users\Admin\AppData\Local\ASK\DevicePairingWizard.exe
        C:\Users\Admin\AppData\Local\ASK\DevicePairingWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2012
      • C:\Windows\system32\icardagt.exe
        C:\Windows\system32\icardagt.exe
        1⤵
          PID:2548
        • C:\Users\Admin\AppData\Local\8sgxLNXc\icardagt.exe
          C:\Users\Admin\AppData\Local\8sgxLNXc\icardagt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2756

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8sgxLNXc\VERSION.dll
          Filesize

          1.2MB

          MD5

          5378bec6f732365080b82e35dab09740

          SHA1

          364561acd1abd7d72617acf1904199cbc458f275

          SHA256

          101bbb4deccbc560a4c52b0ab89e6a27ba73990464010c533141e13581f8e268

          SHA512

          8b8dfa850eeb30882e4209216bce931583c0600f7a180847047417d7a81b7765539ab410fe4e30c6af7643481ba50b0fb1cabf737e6a9576b8ad604eb91b3fb6

          Download Submit

        • C:\Users\Admin\AppData\Local\ASK\DevicePairingWizard.exe
          Filesize

          73KB

          MD5

          9728725678f32e84575e0cd2d2c58e9b

          SHA1

          dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

          SHA256

          d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

          SHA512

          a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

          Download Submit

        • C:\Users\Admin\AppData\Local\ASK\MFC42u.dll
          Filesize

          1.2MB

          MD5

          b378c12a8edcef69bd89f1da05a55437

          SHA1

          9c344c6e30ff28a0f4d0a0fc8311cc9c38fa20c9

          SHA256

          9594093bc7ed51790edc25284afe3e9ab147c185914a07e23c018a0c402e75d7

          SHA512

          debf655fc71da1a6bca2a4b543abab1567d56352cbab683323378fb8c7d6c88727a55377d584bfa6a01fbcfffaf7e9d362fd711ec7bcf29eed718fa1743ad02f

          Download Submit

        • C:\Users\Admin\AppData\Local\Mn6\srvcli.dll
          Filesize

          1.2MB

          MD5

          8e7df9b9000082aeccf4e74e0699a36e

          SHA1

          a2f808fc754ec4ce22b80ada40ae7310b6bda59c

          SHA256

          32f5bd632189d3f83fb00cf60c6caa93aa0a8f5b28ae3e14f90e4e9c1217191c

          SHA512

          f098323cdb8feee24b287ebdcc7cd4709a928468aaf1ad032056393b16ff25b77cf920976c5a864d3ddcd1f3070f61403a2154389500e0ca8239cbced1018acf

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nhelokvclymi.lnk
          Filesize

          1KB

          MD5

          3ca0fe8dc7e385d069caf1ec7932cb93

          SHA1

          73190e77a6ff4d0df607b4b815e81434b0e90949

          SHA256

          8aae590ab3610d0b82df673a250cccd6afe8fec202006fd4d2b9d1d774a63e7d

          SHA512

          dc851e1006f94ee7312d1ac5240c4e354b343261f7d6d2c8046627ca8d6ae5e5f07b9caee72927d534e35b4ff2604d62cdfc6bc9534671b6b960afc0cb6ac270

          Download Submit

        • \Users\Admin\AppData\Local\8sgxLNXc\icardagt.exe
          Filesize

          1.3MB

          MD5

          2fe97a3052e847190a9775431292a3a3

          SHA1

          43edc451ac97365600391fa4af15476a30423ff6

          SHA256

          473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

          SHA512

          93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

          Download Submit

        • \Users\Admin\AppData\Local\Mn6\shrpubw.exe
          Filesize

          398KB

          MD5

          29e6d0016611c8f948db5ea71372f76c

          SHA1

          01d007a01020370709cd6580717f9ace049647e8

          SHA256

          53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

          SHA512

          300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

          Download Submit

        • memory/1272-23-0x00000000021C0000-0x00000000021C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1272-26-0x0000000077AB1000-0x0000000077AB2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1272-4-0x00000000778A6000-0x00000000778A7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1272-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1272-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1272-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1272-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1272-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1272-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1272-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1272-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1272-36-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1272-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1272-5-0x0000000002830000-0x0000000002831000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1272-46-0x00000000778A6000-0x00000000778A7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1272-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1272-27-0x0000000077C40000-0x0000000077C42000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1272-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1272-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1708-45-0x000007FEF7D50000-0x000007FEF7E81000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1708-1-0x000007FEF7D50000-0x000007FEF7E81000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1708-0-0x0000000000140000-0x0000000000147000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2012-72-0x000007FEF7D60000-0x000007FEF7E98000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2012-75-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2012-78-0x000007FEF7D60000-0x000007FEF7E98000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2756-90-0x000007FEF7D50000-0x000007FEF7E82000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2756-95-0x000007FEF7D50000-0x000007FEF7E82000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2824-60-0x000007FEF71C0000-0x000007FEF72F2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2824-55-0x000007FEF71C0000-0x000007FEF72F2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2824-54-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download