Overview

overview

10

Static

static

3

ccdaece63d...18.dll

windows7-x64

10

ccdaece63d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    31-08-2024 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ccdaece63d6ac64a80d629b4600b457f_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    ccdaece63d6ac64a80d629b4600b457f

  • SHA1

    71ce86f3f7908eeecd91a4dca36d68fb8e64f130

  • SHA256

    9886df6ecc914c70bd45014fddf8bf12d3d3b66431f24fddd9cc9bc56eca7dbe

  • SHA512

    f0755421fbe403d91b7fa7e6469ac2d10c697ac6763df6d230b25a5703936a9592024b712ab86a26a5c6576a38b2439af976619cc8a6e2ca3a3ed1b725c1f9b1

  • SSDEEP

    24576:5uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:r9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ccdaece63d6ac64a80d629b4600b457f_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1412
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    1⤵
      PID:2580
    • C:\Users\Admin\AppData\Local\JPzM748g\rstrui.exe
      C:\Users\Admin\AppData\Local\JPzM748g\rstrui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2528
    • C:\Windows\system32\dwm.exe
      C:\Windows\system32\dwm.exe
      1⤵
        PID:1372
      • C:\Users\Admin\AppData\Local\IE1L\dwm.exe
        C:\Users\Admin\AppData\Local\IE1L\dwm.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:308
      • C:\Windows\system32\dccw.exe
        C:\Windows\system32\dccw.exe
        1⤵
          PID:1684
        • C:\Users\Admin\AppData\Local\jN7\dccw.exe
          C:\Users\Admin\AppData\Local\jN7\dccw.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1540

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IE1L\UxTheme.dll
          Filesize

          1.2MB

          MD5

          d9d995119b90bf6a5a098f8f85218648

          SHA1

          2b6d5c380d06238fe5c6d8e628fb0543f127e185

          SHA256

          83df501475e568d84d77b01a703e211ff461a775c4d7523c88dd9d272f17d29a

          SHA512

          5d4355320c00de759009afb939a44c5870c4223f349f7b4afcd20d37bba9e10c9c53629c0788b42fd198c5b2c9d07291f22c9ff8533dc81aa63ae65847960a87

          Download Submit

        • C:\Users\Admin\AppData\Local\IE1L\dwm.exe
          Filesize

          117KB

          MD5

          f162d5f5e845b9dc352dd1bad8cef1bc

          SHA1

          35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

          SHA256

          8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

          SHA512

          7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

          Download Submit

        • C:\Users\Admin\AppData\Local\JPzM748g\SRCORE.dll
          Filesize

          1.2MB

          MD5

          8def97960f9f4c2ed19ca3da78f60121

          SHA1

          e36954e0f44093ab3e923624f09bf0a46c29dc8b

          SHA256

          8fe19e1b7f30412bc1d73a344ed399a55037663113f73784b1215cd9f738b382

          SHA512

          738a9c0d66eddaf098aa043cecaa4e26ec9121923d23de098b5cbd4669fd596573c27d5b988f8972a387f29604b894a741c6549a4f1d8b2a65768af7eeeeffa6

          Download Submit

        • C:\Users\Admin\AppData\Local\jN7\dxva2.dll
          Filesize

          1.2MB

          MD5

          a4728a17516e727586bc1158de99e4dc

          SHA1

          669b95a1c84f892e2cd94458e857b9a55ca3c5c6

          SHA256

          7a7609a440e9a1375c4dee2c182b353d9ed030a26d819997d00fe8c75212a7d9

          SHA512

          c2a24b5be5f751b920612cd218b276e41461fe50fac0517135d15a0edbd04e0919f1c1062c7cd10ac1ab87d5d4997716addd3cb87010c3679f52725d015857e8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rinzzkcfiw.lnk
          Filesize

          1KB

          MD5

          6d4cdd7f0e6038ddcf8c46edca64b25e

          SHA1

          54bb61cba457d31c04d1283108cdccc0426b174c

          SHA256

          e610f65066c2c306eafb6c16879dac2141779f1d8dbe0969f5f2e835a256cc2a

          SHA512

          6be75774496294e874922e6b1b8b3f07fd1dafd29f01f7b1534cfc9003247a084931a86d1d212dd6ef78ca6696ca6b3f9dddc0390fdfe98271849c26e6a30455

          Download Submit

        • \Users\Admin\AppData\Local\JPzM748g\rstrui.exe
          Filesize

          290KB

          MD5

          3db5a1eace7f3049ecc49fa64461e254

          SHA1

          7dc64e4f75741b93804cbae365e10dc70592c6a9

          SHA256

          ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

          SHA512

          ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

          Download Submit

        • \Users\Admin\AppData\Local\jN7\dccw.exe
          Filesize

          861KB

          MD5

          a46cee731351eb4146db8e8a63a5c520

          SHA1

          8ea441e4a77642e12987ac842b36034230edd731

          SHA256

          283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

          SHA512

          3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

          Download Submit

        • memory/308-79-0x000007FEF5D40000-0x000007FEF5E75000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/308-75-0x000007FEF5D40000-0x000007FEF5E75000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-9-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-49-0x0000000076D66000-0x0000000076D67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1360-18-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-17-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-16-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-15-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-14-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-12-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-10-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-4-0x0000000076D66000-0x0000000076D67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1360-28-0x00000000025A0000-0x00000000025A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1360-30-0x0000000077100000-0x0000000077102000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1360-39-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-40-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-5-0x00000000025C0000-0x00000000025C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1360-19-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-29-0x0000000076F71000-0x0000000076F72000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1360-27-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-7-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-13-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-8-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1360-11-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1412-48-0x000007FEF5D40000-0x000007FEF5E74000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1412-0-0x000007FEF5D40000-0x000007FEF5E74000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1412-1-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1540-89-0x0000000000170000-0x0000000000177000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1540-94-0x000007FEF5D40000-0x000007FEF5E75000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2528-63-0x000007FEF66A0000-0x000007FEF67D5000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2528-58-0x000007FEF66A0000-0x000007FEF67D5000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2528-57-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download