Overview

overview

10

Static

static

3

d24290c72a...18.dll

windows7-x64

10

d24290c72a...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    07-09-2024 15:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d24290c72ad04d54e46acbe21b617c43_JaffaCakes118.dll

  • Size

    1.1MB

  • MD5

    d24290c72ad04d54e46acbe21b617c43

  • SHA1

    b7a91df70b0620b578a3d709b5af18b2d8eb8f33

  • SHA256

    c45a7ae23c315e0e5cb56d1bfe89d4a5ab30194c99f6f16b814d246f787c24de

  • SHA512

    d07efe41fc582b3d838d6e6191af14737b9733455bb57baad38a77aa066cb8a9dbd36678810fbaf27cbf8bf9dffa59529dd9f078bd32e4131c4da5dffe835da6

  • SSDEEP

    12288:VdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0TOt:7MIJxSDX3bqjhcfHk7MzH6zyt

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d24290c72ad04d54e46acbe21b617c43_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2268
  • C:\Windows\system32\msra.exe
    C:\Windows\system32\msra.exe
    1⤵
      PID:1512
    • C:\Users\Admin\AppData\Local\mypJOrI7\msra.exe
      C:\Users\Admin\AppData\Local\mypJOrI7\msra.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1044
    • C:\Windows\system32\tabcal.exe
      C:\Windows\system32\tabcal.exe
      1⤵
        PID:2288
      • C:\Users\Admin\AppData\Local\XWbCY\tabcal.exe
        C:\Users\Admin\AppData\Local\XWbCY\tabcal.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1216
      • C:\Windows\system32\winlogon.exe
        C:\Windows\system32\winlogon.exe
        1⤵
          PID:2920
        • C:\Users\Admin\AppData\Local\Sp4\winlogon.exe
          C:\Users\Admin\AppData\Local\Sp4\winlogon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2892

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Sp4\WINSTA.dll
          Filesize

          1.1MB

          MD5

          5112470516e71ba42272174548e2e3d1

          SHA1

          73c9dd2e160ac67f6e9cfcffb88a82f203e5727c

          SHA256

          a3e1c3361e2df236f58f0320545398ffd42b0fa07f0c1ba37a64991f101f4de1

          SHA512

          fddb4bb860adb67bda4e782c2a20286f7f0d739e5dcd8a467045842732eeb8ad382b9d0eed47dedbec53d6c53e240dd12f62ac78e6081ea248742fec942b15ec

          Download Submit

        • C:\Users\Admin\AppData\Local\XWbCY\HID.DLL
          Filesize

          1.1MB

          MD5

          df7f7a9c61966b68cadfb8dbb6d3d034

          SHA1

          ae69e8af262fa68157e61af2f4d700cee12a74e0

          SHA256

          7639d0c8ea8f0aa6a9f089ec887dac0164670b6c0defd316017e77198483ac08

          SHA512

          7257f6f5a039ec524fbcbbb9f87a2742fc1f165208f4ec7decad289780cd9d5a31abd711e1cf51cecf25c294a8d8c9ab0be84e2026274f9540e50cae05ee67b1

          Download Submit

        • C:\Users\Admin\AppData\Local\mypJOrI7\Secur32.dll
          Filesize

          1.1MB

          MD5

          2d96e61b5abfb873748a3fd798c97357

          SHA1

          4f3ea1978f15a93854564444c17981d32d0a721a

          SHA256

          18043e12fdca0893601f736cb22e96912404c0fcff959372feab376e55f07170

          SHA512

          cecd4c53a5995e3f8bf548b0735a54835708120b96d6dbebf656ad08e0b4bdac349370288c77a8e82a5a98085b2c026cf023328be1bc05ac97da8550e45d0428

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk
          Filesize

          1KB

          MD5

          83712064b379bd22b7c33daefd770c57

          SHA1

          e205ffc68959883c5ec1ccfbfe5d0f5c94c59b75

          SHA256

          01b50104fc0afe543d5024af7a76c896f4da85231b61ceaef906e7a9c138192d

          SHA512

          f28286ca6b1a724ca08a74f78b0c071fce1527d5e412a358a3b8c9bf2ec74f3ad22a843054e9b5ddb0c7f5be5b6af7bf1fa4a05735c67915819f1c374fa730a0

          Download Submit

        • \Users\Admin\AppData\Local\Sp4\winlogon.exe
          Filesize

          381KB

          MD5

          1151b1baa6f350b1db6598e0fea7c457

          SHA1

          434856b834baf163c5ea4d26434eeae775a507fb

          SHA256

          b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

          SHA512

          df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

          Download Submit

        • \Users\Admin\AppData\Local\XWbCY\tabcal.exe
          Filesize

          77KB

          MD5

          98e7911befe83f76777317ce6905666d

          SHA1

          2780088dffe1dd1356c5dd5112a9f04afee3ee8d

          SHA256

          3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

          SHA512

          fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

          Download Submit

        • \Users\Admin\AppData\Local\mypJOrI7\msra.exe
          Filesize

          636KB

          MD5

          e79df53bad587e24b3cf965a5746c7b6

          SHA1

          87a97ec159a3fc1db211f3c2c62e4d60810e7a70

          SHA256

          4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

          SHA512

          9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

          Download Submit

        • memory/1044-81-0x0000000140000000-0x0000000140119000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1044-76-0x0000000140000000-0x0000000140119000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1044-78-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1180-15-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-10-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-38-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-37-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-36-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-35-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-34-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-33-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-32-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-31-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-30-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-28-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-27-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-20-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-19-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-29-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-18-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-17-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-21-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-14-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-13-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-12-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-11-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-46-0x0000000002CD0000-0x0000000002CD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1180-9-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-49-0x0000000077D70000-0x0000000077D72000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1180-48-0x0000000077D40000-0x0000000077D42000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1180-47-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-8-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-7-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-6-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-58-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-60-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-68-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1180-22-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-23-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-26-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-24-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-25-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1180-3-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1180-4-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1180-16-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1216-98-0x0000000140000000-0x0000000140119000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1216-93-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2268-0-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2268-2-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2268-67-0x0000000140000000-0x0000000140118000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2892-110-0x0000000140000000-0x000000014011A000-memory.dmp

          Filesize

          1.1MB

          Download