Overview

overview

10

Static

static

3

ccdaece63d...18.dll

windows7-x64

10

ccdaece63d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-08-2024 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ccdaece63d6ac64a80d629b4600b457f_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    ccdaece63d6ac64a80d629b4600b457f

  • SHA1

    71ce86f3f7908eeecd91a4dca36d68fb8e64f130

  • SHA256

    9886df6ecc914c70bd45014fddf8bf12d3d3b66431f24fddd9cc9bc56eca7dbe

  • SHA512

    f0755421fbe403d91b7fa7e6469ac2d10c697ac6763df6d230b25a5703936a9592024b712ab86a26a5c6576a38b2439af976619cc8a6e2ca3a3ed1b725c1f9b1

  • SSDEEP

    24576:5uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:r9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ccdaece63d6ac64a80d629b4600b457f_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4744
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:8
    1⤵
      PID:4836
    • C:\Windows\system32\sdclt.exe
      C:\Windows\system32\sdclt.exe
      1⤵
        PID:3412
      • C:\Users\Admin\AppData\Local\nZ7\sdclt.exe
        C:\Users\Admin\AppData\Local\nZ7\sdclt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:652
      • C:\Windows\system32\dialer.exe
        C:\Windows\system32\dialer.exe
        1⤵
          PID:4696
        • C:\Users\Admin\AppData\Local\KzaW\dialer.exe
          C:\Users\Admin\AppData\Local\KzaW\dialer.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4708
        • C:\Windows\system32\MoUsoCoreWorker.exe
          C:\Windows\system32\MoUsoCoreWorker.exe
          1⤵
            PID:3144
          • C:\Users\Admin\AppData\Local\zSeZGF\MoUsoCoreWorker.exe
            C:\Users\Admin\AppData\Local\zSeZGF\MoUsoCoreWorker.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:3024

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\KzaW\TAPI32.dll
            Filesize

            1.2MB

            MD5

            8ce4f2498989b2aa979d1878e473e803

            SHA1

            7d98669b1473b1e4b9fffd2c55d3a21056a2b361

            SHA256

            0a1d84d92c97bfaab9466bbaa8027549154d3048990418c8d604b3f50eda9974

            SHA512

            bf957ac2fac4f5627d6386be6ed0b4ccfc286718de4d756fa53cc3f4be2c631a9da39a8782ca8c5a0e22a07e7d3841836f861f05b31c9cc55095cf9e20f3ede0

            Download Submit

          • C:\Users\Admin\AppData\Local\KzaW\dialer.exe
            Filesize

            39KB

            MD5

            b2626bdcf079c6516fc016ac5646df93

            SHA1

            838268205bd97d62a31094d53643c356ea7848a6

            SHA256

            e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

            SHA512

            615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

            Download Submit

          • C:\Users\Admin\AppData\Local\nZ7\SPP.dll
            Filesize

            1.2MB

            MD5

            a137f7ff38dd5aff5c4ffdecfd8a4a2e

            SHA1

            1081a62b109616945f2f5f27d0ce6c8dc54692c9

            SHA256

            8665e1f0df9577e00c3b7c3c924d57e1fbda62116997073567f6c77a06298cbd

            SHA512

            bd048c48e31bca1cc142b7420db13dc011756827cb664aed08779d56d1de3883c10ebee6fece8dd94db888af7d99cf900ddc03a3056e24bc7eab47d9766599a7

            Download Submit

          • C:\Users\Admin\AppData\Local\nZ7\sdclt.exe
            Filesize

            1.2MB

            MD5

            e09d48f225e7abcab14ebd3b8a9668ec

            SHA1

            1c5b9322b51c09a407d182df481609f7cb8c425d

            SHA256

            efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

            SHA512

            384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

            Download Submit

          • C:\Users\Admin\AppData\Local\zSeZGF\MoUsoCoreWorker.exe
            Filesize

            1.6MB

            MD5

            47c6b45ff22b73caf40bb29392386ce3

            SHA1

            7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

            SHA256

            cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

            SHA512

            c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

            Download Submit

          • C:\Users\Admin\AppData\Local\zSeZGF\XmlLite.dll
            Filesize

            1.2MB

            MD5

            6dd886a83e4b30c6d088a45ef809b5c8

            SHA1

            4fb98b7f0a3a7be271fe8a5b55819883d6152031

            SHA256

            190a68fc9fad6ceea933860c4ab6e2da215f7e7af2c22d4cf05c91f2c58c1eb3

            SHA512

            2177ad7f0b55babb2e042d28b417c68dfefd5e66b31b4bfe45b98052fcd1a5ded9324726bdb8c60b8af77b4234ca6e50296b4f22a99ef1319bcd446160f414b3

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Jmybglakcar.lnk
            Filesize

            1KB

            MD5

            ce15d72658bb880b05da4e806316bc05

            SHA1

            e13c4e456f62d4e7649cdad7d6c1a82ab98fbfa5

            SHA256

            a25b3c6318016bfa82c129b2de2c76b4a1ed00c97faa87356b628cdf2432dc0f

            SHA512

            ffb5faa8f166b7d7af87f3a2a2fd51d42c7ad80e8cbe076ffe11b3316b98abd4fa8a4423720a3176b0329c7019601fd93e12ae82ead151cfce987271ae59a020

            Download Submit

          • memory/652-54-0x00007FF888650000-0x00007FF888785000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/652-48-0x00007FF888650000-0x00007FF888785000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/652-51-0x0000024EF9A20000-0x0000024EF9A27000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3024-88-0x00007FF888650000-0x00007FF888785000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3024-82-0x000002B9D36A0000-0x000002B9D36A7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3552-36-0x00000000032B0000-0x00000000032B7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3552-4-0x0000000008310000-0x0000000008311000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3552-15-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-13-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-14-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-12-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-11-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-8-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-7-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-16-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-17-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-18-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-19-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-6-0x00007FF8A5F4A000-0x00007FF8A5F4B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3552-37-0x00007FF8A7830000-0x00007FF8A7840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3552-38-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-27-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-10-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3552-9-0x0000000140000000-0x0000000140134000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4708-71-0x00007FF888650000-0x00007FF888786000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4708-68-0x0000027F41BB0000-0x0000027F41BB7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4708-65-0x00007FF888650000-0x00007FF888786000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4744-3-0x000001DD12DC0000-0x000001DD12DC7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4744-41-0x00007FF898340000-0x00007FF898474000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4744-0-0x00007FF898340000-0x00007FF898474000-memory.dmp

            Filesize

            1.2MB

            Download