Overview

overview

10

Static

static

3

c11d18fc30...18.dll

windows7-x64

10

c11d18fc30...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25-08-2024 16:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c11d18fc3052e4bd6c7e1930289ff881_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    c11d18fc3052e4bd6c7e1930289ff881

  • SHA1

    a1efb5769620a2d2a01b9e8879e2c7ad6d3e6098

  • SHA256

    0acbdd88ad3bfa71a43bfc53fd70200c636ed15847b4587c26b73dd17d2834f0

  • SHA512

    2b9a906d482462d17051173427fb71a75e607f2353918983d903fb7c4086a9967fea47cc3e69a539cb4a7ed5288bb4d000c6f1351481e4bf6ac95e97cbbbe5d1

  • SSDEEP

    24576:5uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:r9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c11d18fc3052e4bd6c7e1930289ff881_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3064
  • C:\Windows\system32\fveprompt.exe
    C:\Windows\system32\fveprompt.exe
    1⤵
      PID:804
    • C:\Users\Admin\AppData\Local\GPK6criZ\fveprompt.exe
      C:\Users\Admin\AppData\Local\GPK6criZ\fveprompt.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2884
    • C:\Windows\system32\slui.exe
      C:\Windows\system32\slui.exe
      1⤵
        PID:2500
      • C:\Users\Admin\AppData\Local\vrMSSHCLX\slui.exe
        C:\Users\Admin\AppData\Local\vrMSSHCLX\slui.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2916
      • C:\Windows\system32\msdtc.exe
        C:\Windows\system32\msdtc.exe
        1⤵
          PID:2564
        • C:\Users\Admin\AppData\Local\7i0zckNl\msdtc.exe
          C:\Users\Admin\AppData\Local\7i0zckNl\msdtc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2032

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\7i0zckNl\VERSION.dll
          Filesize

          1.2MB

          MD5

          2693ecb5c2725c3c27e76dac5c792afd

          SHA1

          47e7e0ad895881c79e1cde1fa82dce6a7de343f1

          SHA256

          adcb5392a1ff7430dcf53ad5c170d9a579080f38bb83c1dddfc4760ef5542f5d

          SHA512

          bc69b915f682cf997695b86df26f13e1691f7cc198f65c1a844c350d832f2b8a64416e5955bf27a715fb6b4fbc7268fa51f4120115e3b9dfb998087b11f24bdd

          Download Submit

        • C:\Users\Admin\AppData\Local\7i0zckNl\msdtc.exe
          Filesize

          138KB

          MD5

          de0ece52236cfa3ed2dbfc03f28253a8

          SHA1

          84bbd2495c1809fcd19b535d41114e4fb101466c

          SHA256

          2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

          SHA512

          69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

          Download Submit

        • C:\Users\Admin\AppData\Local\GPK6criZ\fveprompt.exe
          Filesize

          104KB

          MD5

          dc2c44a23b2cd52bd53accf389ae14b2

          SHA1

          e36c7b6f328aa2ab2f52478169c52c1916f04b5f

          SHA256

          7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

          SHA512

          ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

          Download Submit

        • C:\Users\Admin\AppData\Local\GPK6criZ\slc.dll
          Filesize

          1.2MB

          MD5

          1ab88a622ffa6282dd7bea4b41247ffa

          SHA1

          47d958fa6e637f862a5e28a5a14ea78ecacd362c

          SHA256

          05044e44bc19d8b8c7532aed15465c99054dc2d8441e80e01b715c5680146828

          SHA512

          19b9224bd45860911b8f196bcecc332472694be94f82a378aa2b4d3e0c89c6174074d3e2967b84d6b4f134f8af6673f7770658df5651d8108c6816951ab07c77

          Download Submit

        • C:\Users\Admin\AppData\Local\vrMSSHCLX\WINBRAND.dll
          Filesize

          1.2MB

          MD5

          82ad36a2f37380c254363d3cb4619d94

          SHA1

          a3aaf6a0d872af77b964c3894b904a3e33fe7f08

          SHA256

          4b049dc280227f0d07855bf0dd43cad3b6f9771ff8c9e8f6ba5edff3c6f7e2f2

          SHA512

          7048a2ff8adfccb172b6044ff0b5bb60b77c76e085f494f238f6e305603f24138d3795a27706d67fef8b93b2d6d8ad30db7df41c3052a7c08669a0668f9e3923

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nhelokvclymi.lnk
          Filesize

          974B

          MD5

          9ac5325fdb08fcfe0d1481f4509e06a2

          SHA1

          4145e620db93a65d715a4bfbce6be1cd50d61394

          SHA256

          9aa84c89ca2fcb8a1c5cdf2aa7ddfef6ecf08ecae6d13ff08603c1527ede6eda

          SHA512

          a86adb6a94bf7c59a80dd4b5900747f174b1aee9d2684f27de99199a3206b88e0cff7a882fca42eb49c3246474006e2a013a722ebd94bbc131dd183e34ce5c26

          Download Submit

        • \Users\Admin\AppData\Local\vrMSSHCLX\slui.exe
          Filesize

          341KB

          MD5

          c5ce5ce799387e82b7698a0ee5544a6d

          SHA1

          ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

          SHA256

          34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

          SHA512

          79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

          Download Submit

        • memory/1244-27-0x0000000077800000-0x0000000077802000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1244-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-4-0x0000000077466000-0x0000000077467000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-26-0x0000000077671000-0x0000000077672000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-25-0x0000000002E90000-0x0000000002E97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1244-37-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-5-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-46-0x0000000077466000-0x0000000077467000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2032-90-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2032-91-0x000007FEF6DA0000-0x000007FEF6ED1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2032-96-0x000007FEF6DA0000-0x000007FEF6ED1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2884-60-0x000007FEF7B20000-0x000007FEF7C51000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2884-55-0x000007FEF7B20000-0x000007FEF7C51000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2884-54-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2916-72-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2916-73-0x000007FEF79F0000-0x000007FEF7B21000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2916-78-0x000007FEF79F0000-0x000007FEF7B21000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3064-45-0x000007FEF7A00000-0x000007FEF7B30000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3064-0-0x000007FEF7A00000-0x000007FEF7B30000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3064-3-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download