Overview

overview

10

Static

static

3

d4b352a768...18.dll

windows7-x64

10

d4b352a768...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2024 15:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4b352a768590a50e1a05ed9d448532f_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    d4b352a768590a50e1a05ed9d448532f

  • SHA1

    4523e3c1119bd266bd2a37e79891bac697394778

  • SHA256

    3a73e3bcb1526fd55c631a34ac7496450411304463378d110c51e4fabf79974c

  • SHA512

    830560117515b2a5173a6185588d9d68f97cfa640eea06b2aa3ec550b6fe61e10bd18955bd3b04a6a48fc12461a9474466cb341dee2b7cb416e37695fc276e7c

  • SSDEEP

    24576:AyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:AyWRKTt/QlPVp3h9

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4b352a768590a50e1a05ed9d448532f_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2708
  • C:\Windows\system32\msra.exe
    C:\Windows\system32\msra.exe
    1⤵
      PID:2100
    • C:\Users\Admin\AppData\Local\x5lrjLgL1\msra.exe
      C:\Users\Admin\AppData\Local\x5lrjLgL1\msra.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1968
    • C:\Windows\system32\shrpubw.exe
      C:\Windows\system32\shrpubw.exe
      1⤵
        PID:2420
      • C:\Users\Admin\AppData\Local\I9zSlCRFt\shrpubw.exe
        C:\Users\Admin\AppData\Local\I9zSlCRFt\shrpubw.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2540
      • C:\Windows\system32\SndVol.exe
        C:\Windows\system32\SndVol.exe
        1⤵
          PID:2916
        • C:\Users\Admin\AppData\Local\cSvUPD\SndVol.exe
          C:\Users\Admin\AppData\Local\cSvUPD\SndVol.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3008

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\I9zSlCRFt\MFC42u.dll
          Filesize

          1.2MB

          MD5

          4290d7804d2c0289963b212d75ffe52a

          SHA1

          46265ffc84fde7cfbf0251dc647c7a78d72a13fd

          SHA256

          c8427cdc5a681aa620ad168b3402f04527afcd14c683fa057d96c85739027c38

          SHA512

          6c83dc0b7b1b00355d56b4640e077a64a639577fec8e5942b2bbd6fb5cb00b19cde3b5cbcef351487039d1150c9bc2a22ccf30315f35d3d11a0554b43f589bab

          Download Submit

        • C:\Users\Admin\AppData\Local\cSvUPD\dwmapi.dll
          Filesize

          1.2MB

          MD5

          fc93908315bf46370a93245911c05f1c

          SHA1

          80f06556b322e831ba7def947581548db3896927

          SHA256

          178c324c83ebb96529013c398736e9af8715185d40a67c680f7507c92ae2af4c

          SHA512

          602d7af24b63ad7a3a19c248ee7fcfd3f0bb03c2b6a1a3560309070f7b0d2a4d2e8ee0732b69a8104b695362bc749fc7f8d9577172fd128cad6f00349d6d0c40

          Download Submit

        • C:\Users\Admin\AppData\Local\x5lrjLgL1\UxTheme.dll
          Filesize

          1.2MB

          MD5

          3661d051a7987102934aec0f5691b304

          SHA1

          6f66ef86cefaec121e43a8f8da6c16cf2bb55bd6

          SHA256

          bb2d38af28b7ed54f7a30f1001df226abb2644ac48186ee8d0b4901dd9a4c578

          SHA512

          2ee360ffa3b322bb21b485cf131be375aa224c434d368753e7dadcb3749731490bb93d6fbbba85cc383eaae4c5b5fdb63bf8469f47cb7a33116ea1f65f92e1ec

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ngqpewzrrtyksiv.lnk
          Filesize

          1KB

          MD5

          bc736f41e8dfa54980c94e4a257f7ede

          SHA1

          80b086f511d06a1ae357f544583c81663c85df01

          SHA256

          20dbe5e4dfc3e8b7922b9cc08f92198960032e9ff17fd7a1f3662bdcb9467d8e

          SHA512

          943cd33d3d57d45973ce9124e1a041efcebccf86c408628170387dac52d202b877e882fb91552dfd7d71b6c012b1c4435e00d33a11a4b0b9810981eabef5e455

          Download Submit

        • \Users\Admin\AppData\Local\I9zSlCRFt\shrpubw.exe
          Filesize

          398KB

          MD5

          29e6d0016611c8f948db5ea71372f76c

          SHA1

          01d007a01020370709cd6580717f9ace049647e8

          SHA256

          53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

          SHA512

          300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

          Download Submit

        • \Users\Admin\AppData\Local\cSvUPD\SndVol.exe
          Filesize

          267KB

          MD5

          c3489639ec8e181044f6c6bfd3d01ac9

          SHA1

          e057c90b675a6da19596b0ac458c25d7440b7869

          SHA256

          a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

          SHA512

          63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

          Download Submit

        • \Users\Admin\AppData\Local\x5lrjLgL1\msra.exe
          Filesize

          636KB

          MD5

          e79df53bad587e24b3cf965a5746c7b6

          SHA1

          87a97ec159a3fc1db211f3c2c62e4d60810e7a70

          SHA256

          4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

          SHA512

          9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

          Download Submit

        • memory/1208-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-27-0x0000000077091000-0x0000000077092000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-38-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-4-0x0000000076E86000-0x0000000076E87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-26-0x0000000002D60000-0x0000000002D67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1208-5-0x0000000002D80000-0x0000000002D81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-47-0x0000000076E86000-0x0000000076E87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1208-30-0x0000000077220000-0x0000000077222000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1968-62-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1968-55-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2540-74-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2540-75-0x0000000140000000-0x0000000140138000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2540-80-0x0000000140000000-0x0000000140138000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2708-46-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2708-0-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2708-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3008-97-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download