Overview

overview

10

Static

static

3

d55614e6cb...18.dll

windows7-x64

10

d55614e6cb...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 00:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d55614e6cbad9762cfc2da2a9a63c4e1_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    d55614e6cbad9762cfc2da2a9a63c4e1

  • SHA1

    ccac6a50e607b7d04d08909f5b7cf599bb3fb251

  • SHA256

    a6866e4ea5286aa400679b697215fcb3c11c72a67d0b5412da6a10e67086abd1

  • SHA512

    87559e43ddaa3c2568702431f8b1856533697f414d9f6916e363d747d89c48d6348ea754ae18396cad7aff581c0bc75c35cc9b4b48dab85c9a00690178699a9c

  • SSDEEP

    24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nrt:m9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d55614e6cbad9762cfc2da2a9a63c4e1_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3052
  • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    1⤵
      PID:2688
    • C:\Users\Admin\AppData\Local\GoN9ADt\SystemPropertiesDataExecutionPrevention.exe
      C:\Users\Admin\AppData\Local\GoN9ADt\SystemPropertiesDataExecutionPrevention.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2632
    • C:\Windows\system32\fveprompt.exe
      C:\Windows\system32\fveprompt.exe
      1⤵
        PID:1536
      • C:\Users\Admin\AppData\Local\gsg1o\fveprompt.exe
        C:\Users\Admin\AppData\Local\gsg1o\fveprompt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1760
      • C:\Windows\system32\StikyNot.exe
        C:\Windows\system32\StikyNot.exe
        1⤵
          PID:1936
        • C:\Users\Admin\AppData\Local\qM6D\StikyNot.exe
          C:\Users\Admin\AppData\Local\qM6D\StikyNot.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2700

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\GoN9ADt\SYSDM.CPL
          Filesize

          1.2MB

          MD5

          cde24016f3abb842e27ca99b93e3c395

          SHA1

          7b007f2ce7b8d2eb73292ad7dd6acaced22fa5b0

          SHA256

          08b1530860a26b31f134e4711d42ace4f776db47d6990fb5107258d8c00dfa83

          SHA512

          4dedc9d88a441b1026c19eea05ea05c931ac3504c8dbb45e6d86c8e0ce95d49bed7fd91c95c095e13a09e50941194a9bef38579ead73136b950ed7dc25b085ea

          Download Submit

        • C:\Users\Admin\AppData\Local\GoN9ADt\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          80KB

          MD5

          e43ff7785fac643093b3b16a9300e133

          SHA1

          a30688e84c0b0a22669148fe87680b34fcca2fba

          SHA256

          c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

          SHA512

          61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

          Download Submit

        • C:\Users\Admin\AppData\Local\gsg1o\slc.dll
          Filesize

          1.2MB

          MD5

          4075522040bb239375bb6d47b9121aea

          SHA1

          6fc032245d469a8fa47d346a5f31853fcd2ba22f

          SHA256

          f5b41d1143fa2267e62f00e09d7bfdf54e587b7d852494877966cb58f4e9dd33

          SHA512

          816aa16cba8e5469767b6413bcedc1bba71c726431f292c2e0242ad155914bd325da4f3e8f1ce0f3a09cdf7fc6514757ddee4e1feeb688f00eda60a05098d8a8

          Download Submit

        • C:\Users\Admin\AppData\Local\qM6D\slc.dll
          Filesize

          1.2MB

          MD5

          4bbe5bb8c74200be7039d0aa99229929

          SHA1

          bf722f3d658ce51ea0a7a294a5a5d6190a8c7df8

          SHA256

          1f541fb0e97c627d3f9dc7dc5a10c4f90bf20eede65da4ae2ce3c8f95c7b54db

          SHA512

          d0af83d5000feab210f8b2e58c9a8a797352b9a63539cfa642680b1ed4aa350738d3a616c3f46100fc21970835f5e44cc90752a2ea71887715a8de465b6efce0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk
          Filesize

          945B

          MD5

          bc8a2d56eae56cd2374cf9cab83d1e94

          SHA1

          0aa04886660545e0f790b65e3003850bffe4b0c5

          SHA256

          edd43699a64aa49639678d566a174a471134c5344dde3df691df4a042f504ec3

          SHA512

          dd024094e846ca48d24e6dc94a0165d26c82edadc47a9c3f1462a731c9126e1bc8d5380ade8d3fc4b44ad92e28ad39c7de9248aec433bb6c40b72d67254334c6

          Download Submit

        • \Users\Admin\AppData\Local\gsg1o\fveprompt.exe
          Filesize

          104KB

          MD5

          dc2c44a23b2cd52bd53accf389ae14b2

          SHA1

          e36c7b6f328aa2ab2f52478169c52c1916f04b5f

          SHA256

          7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

          SHA512

          ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

          Download Submit

        • \Users\Admin\AppData\Local\qM6D\StikyNot.exe
          Filesize

          417KB

          MD5

          b22cb67919ebad88b0e8bb9cda446010

          SHA1

          423a794d26d96d9f812d76d75fa89bffdc07d468

          SHA256

          2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

          SHA512

          f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

          Download Submit

        • memory/1192-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-45-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-29-0x0000000077B81000-0x0000000077B82000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-4-0x0000000077976000-0x0000000077977000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-5-0x0000000002770000-0x0000000002771000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-44-0x0000000077976000-0x0000000077977000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-30-0x0000000077D10000-0x0000000077D12000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-25-0x0000000002A50000-0x0000000002A57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-26-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1760-73-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1760-74-0x000007FEF6C70000-0x000007FEF6DA2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1760-79-0x000007FEF6C70000-0x000007FEF6DA2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2632-61-0x000007FEF7200000-0x000007FEF7332000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2632-56-0x000007FEF7200000-0x000007FEF7332000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2632-55-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2700-96-0x000007FEF6C70000-0x000007FEF6DA2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3052-43-0x000007FEF6C70000-0x000007FEF6DA1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3052-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3052-2-0x000007FEF6C70000-0x000007FEF6DA1000-memory.dmp

          Filesize

          1.2MB

          Download