Overview

overview

10

Static

static

3

cf87a56aaa...18.dll

windows7-x64

10

cf87a56aaa...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-09-2024 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf87a56aaa2dc88e7682b33d3a6e10a1_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    cf87a56aaa2dc88e7682b33d3a6e10a1

  • SHA1

    51de1ac388a07d0c3a25e3ee0a807a62e5494b10

  • SHA256

    5a38c0f8a4964449b78f6d1a7e9685cbf59f04951226ba93e772db38f3709fc6

  • SHA512

    cc2729ba0baf0e0ddca898d028557136829b317d06c962e1c02f90af7227aa15fac0979c473cfa3b19d70b9aca9382656522a008ad243628e9124c89dc5331d9

  • SSDEEP

    24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf87a56aaa2dc88e7682b33d3a6e10a1_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2232
  • C:\Windows\system32\irftp.exe
    C:\Windows\system32\irftp.exe
    1⤵
      PID:1256
    • C:\Users\Admin\AppData\Local\9RPsqq\irftp.exe
      C:\Users\Admin\AppData\Local\9RPsqq\irftp.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2308
    • C:\Windows\system32\MpSigStub.exe
      C:\Windows\system32\MpSigStub.exe
      1⤵
        PID:2560
      • C:\Users\Admin\AppData\Local\7qq\MpSigStub.exe
        C:\Users\Admin\AppData\Local\7qq\MpSigStub.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1928
      • C:\Windows\system32\SystemPropertiesPerformance.exe
        C:\Windows\system32\SystemPropertiesPerformance.exe
        1⤵
          PID:2296
        • C:\Users\Admin\AppData\Local\Rp1plJKb5\SystemPropertiesPerformance.exe
          C:\Users\Admin\AppData\Local\Rp1plJKb5\SystemPropertiesPerformance.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1508

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\7qq\VERSION.dll
          Filesize

          1.2MB

          MD5

          7437586171f72654346be43119f8fb10

          SHA1

          b0604cf94668a92f6c7a6407bf29d7d525bc46b8

          SHA256

          008dfc1a6b41965097d5d1bed74633d3f1009640c5138b27854c6dcaf1b6c05e

          SHA512

          ab074f6abc51154ae4069c484522eac7acd8a0f2e986388ab552aeba1cdc441cf8e7e345b6d6129ac40b39acb699d25d6bc55e00bb4e05670e8b094a1ab65058

          Download Submit

        • C:\Users\Admin\AppData\Local\9RPsqq\WINMM.dll
          Filesize

          1.2MB

          MD5

          3b045ef65aa5ec92c9f2845797850dd7

          SHA1

          0ba38b8c3b275b4b78c4e5881cb7e5d76c582b9c

          SHA256

          39733da258cf5d74fd9f1a3046f43f331969b1abfd76db659462c58182f7ee8e

          SHA512

          b467630010316e0f84eb74a9c4c90157d1b1be77762f2e1d5bda910fa4fa7216c056e5229a12220df1c0fccd487141ca4a7ca40272eb429a3a6aa1e281ce47b4

          Download Submit

        • C:\Users\Admin\AppData\Local\Rp1plJKb5\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          170663459c9bb5a893977d0e9817bf48

          SHA1

          ecc2042e28ca50e7fb4428ab4978b0b2e28c2a9f

          SHA256

          9bfaa73fd47d3902b74187f0e4c422769bf050aae4448060f1ecf9627fe5a9fd

          SHA512

          cf8611aa721ae9697bea1e64831247e822ed7a073ad173a7ac96e4a2d599c97f779f0c0dda5cd2814575f1d93054975035ce9992438da3f00cc711e5114cadd1

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          6e5b9c41443045e0d59d55b99cdf4719

          SHA1

          af373cd4786a6db989a50b1d6f3c300078fd7d1d

          SHA256

          d2926584df9cee072028a58b24af0b0dca02f04bcf87845d84a18586e50caf2b

          SHA512

          3ab7086ab8a1fe452dfa302b108d6c8b4773170c3e4fa8dc084f0447e9c0aac9828d4064c994af339e42c26a642b6dcfa8469d4aeb1ac2cb6f76be1d890f1745

          Download Submit

        • \Users\Admin\AppData\Local\7qq\MpSigStub.exe
          Filesize

          264KB

          MD5

          2e6bd16aa62e5e95c7b256b10d637f8f

          SHA1

          350be084477b1fe581af83ca79eb58d4defe260f

          SHA256

          d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

          SHA512

          1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

          Download Submit

        • \Users\Admin\AppData\Local\9RPsqq\irftp.exe
          Filesize

          192KB

          MD5

          0cae1fb725c56d260bfd6feba7ae9a75

          SHA1

          102ac676a1de3ec3d56401f8efd518c31c8b0b80

          SHA256

          312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

          SHA512

          db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

          Download Submit

        • \Users\Admin\AppData\Local\Rp1plJKb5\SystemPropertiesPerformance.exe
          Filesize

          80KB

          MD5

          870726cdcc241a92785572628b89cc07

          SHA1

          63d47cc4fe9beb75862add1abca1d8ae8235710a

          SHA256

          1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

          SHA512

          89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

          Download Submit

        • memory/1188-15-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-16-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-4-0x0000000077066000-0x0000000077067000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-14-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-13-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-12-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-11-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-10-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-8-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-28-0x0000000077300000-0x0000000077302000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-25-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-37-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-38-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-5-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-47-0x0000000077066000-0x0000000077067000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-27-0x0000000077171000-0x0000000077172000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-26-0x00000000029F0000-0x00000000029F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-7-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-9-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1508-91-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1508-97-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1928-73-0x0000000000270000-0x0000000000277000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1928-74-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1928-79-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2232-46-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2232-0-0x0000000001D00000-0x0000000001D07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2232-1-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2308-61-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2308-56-0x0000000140000000-0x0000000140145000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2308-55-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

          Download