Overview

overview

10

Static

static

3

c1fad4e897...18.dll

windows7-x64

10

c1fad4e897...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    26-08-2024 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1fad4e897cfb353e662f497347789ac_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    c1fad4e897cfb353e662f497347789ac

  • SHA1

    a99d03b2b5f0cb26545802db4e02bc084167538b

  • SHA256

    8bf41e771cc975937d4117383a49b019d875fe2dcae707a9c85962982a31e608

  • SHA512

    0249475d0007c2ebdc99cf646c0172654df481d3be3b6821d27110ed444af2eab1ec1451df24e30afae68e3f2a098d358af877790833ee6993d041d4aff9eb2c

  • SSDEEP

    24576:xuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nd:j9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c1fad4e897cfb353e662f497347789ac_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1528
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    1⤵
      PID:2788
    • C:\Users\Admin\AppData\Local\Z3d7n\rstrui.exe
      C:\Users\Admin\AppData\Local\Z3d7n\rstrui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2916
    • C:\Windows\system32\fveprompt.exe
      C:\Windows\system32\fveprompt.exe
      1⤵
        PID:1848
      • C:\Users\Admin\AppData\Local\qOsiuw5N\fveprompt.exe
        C:\Users\Admin\AppData\Local\qOsiuw5N\fveprompt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2300
      • C:\Windows\system32\icardagt.exe
        C:\Windows\system32\icardagt.exe
        1⤵
          PID:1712
        • C:\Users\Admin\AppData\Local\9SaABmK\icardagt.exe
          C:\Users\Admin\AppData\Local\9SaABmK\icardagt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2060

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Z3d7n\SPP.dll
          Filesize

          1.2MB

          MD5

          e1f62bfe2093bb25340ffaf2b1f8a220

          SHA1

          8bf1556d2411a4776f6d550d0c08fc1dca245d78

          SHA256

          fe98096788f6ab046c3a128d0a84deb9ff2561431de95335c73d7a6535201260

          SHA512

          fb574c19d4eb1aed7461732a531c5444c454b15256cbfefd389b098bd7d5f57c0492f5da98e21ad34e7286999ef72802bc13760b05830985ce25ad90a5bb7f47

          Download Submit

        • C:\Users\Admin\AppData\Local\qOsiuw5N\slc.dll
          Filesize

          1.2MB

          MD5

          87826a6b2177b21ae5a159efc89e2f06

          SHA1

          7f2654d95e10f0212f7a0e607452d1fb97c54895

          SHA256

          870f77b347354292777faa336113a1c6ffad34150caabdc0931fab99adcc8075

          SHA512

          a94d1e42155e8c2378172732ea74e8d4e3b9f03b61fb71a4306779e80ca0b3e3c7c8eed30ab579469560693011fe0ca205149902bb69e49a9ea615f04d668799

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Filabyuswgwl.lnk
          Filesize

          1KB

          MD5

          a14e00919ea006d2505813e85ccaf29c

          SHA1

          ce245cb177de735024302b190f229ed924f0792a

          SHA256

          f081134b4e7751b86c67e132881c34c1932c2241a0a7cbbea5e0b4da383312c4

          SHA512

          f3aabbba49190dec9342cf7eaa6ed1af8cd6aaf40880a1aad7bf7a24e9c0f0e7a9ab80545e6efe5dff3094d47ccd383df0fb32099813e22243b98e97e69c058c

          Download Submit

        • \Users\Admin\AppData\Local\9SaABmK\VERSION.dll
          Filesize

          1.2MB

          MD5

          f966deecd1b9e32a8904371620f1e5ff

          SHA1

          dd60c0074efbe956f5eed75fe7eb086df8385cb4

          SHA256

          76aee4bb585677620572f2a8b15b2c82e43b131c97b9784af8e3b1897bdc41f9

          SHA512

          d24f8550b84c029884b7e1d0edb2e16c7d202387a108db9b6a639fe2dd2366c6b9ef6b6e3d9046552623c0435ecc457db1db21718c45e34ff4cf18d4e118e507

          Download Submit

        • \Users\Admin\AppData\Local\9SaABmK\icardagt.exe
          Filesize

          1.3MB

          MD5

          2fe97a3052e847190a9775431292a3a3

          SHA1

          43edc451ac97365600391fa4af15476a30423ff6

          SHA256

          473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

          SHA512

          93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

          Download Submit

        • \Users\Admin\AppData\Local\Z3d7n\rstrui.exe
          Filesize

          290KB

          MD5

          3db5a1eace7f3049ecc49fa64461e254

          SHA1

          7dc64e4f75741b93804cbae365e10dc70592c6a9

          SHA256

          ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

          SHA512

          ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

          Download Submit

        • \Users\Admin\AppData\Local\qOsiuw5N\fveprompt.exe
          Filesize

          104KB

          MD5

          dc2c44a23b2cd52bd53accf389ae14b2

          SHA1

          e36c7b6f328aa2ab2f52478169c52c1916f04b5f

          SHA256

          7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

          SHA512

          ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

          Download Submit

        • memory/1196-16-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-8-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-12-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-13-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-14-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-15-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-17-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-27-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-28-0x0000000076FE1000-0x0000000076FE2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-19-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-18-0x00000000024D0000-0x00000000024D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-4-0x0000000076DD6000-0x0000000076DD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-29-0x0000000077170000-0x0000000077172000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-38-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-39-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-48-0x0000000076DD6000-0x0000000076DD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-11-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-9-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-7-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-10-0x0000000140000000-0x0000000140146000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1528-47-0x000007FEF6700000-0x000007FEF6846000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1528-0-0x00000000001C0000-0x00000000001C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1528-1-0x000007FEF6700000-0x000007FEF6846000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2060-97-0x000007FEF5F80000-0x000007FEF60C7000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2300-74-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2300-75-0x000007FEF5F80000-0x000007FEF60C7000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2300-80-0x000007FEF5F80000-0x000007FEF60C7000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2916-62-0x000007FEF6700000-0x000007FEF6847000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2916-56-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2916-57-0x000007FEF6700000-0x000007FEF6847000-memory.dmp

          Filesize

          1.3MB

          Download