Overview

overview

10

Static

static

3

d7124391cb...18.dll

windows7-x64

10

d7124391cb...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/09/2024, 20:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d7124391cb48a2dd54731363a0abc0df_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    d7124391cb48a2dd54731363a0abc0df

  • SHA1

    e41176662cbdecf7e10bb93ae809932610f2803e

  • SHA256

    43edfba88ac4ef39ede058afdd0640c659e3cf939a920c7f45449bf514ecd9cf

  • SHA512

    14e4f489a3bb06c4a00feac97adbc520dc3cc4c967d20482d6d18f59f7b6e2fc175dc1e31579b5ada833f1b4983357c02f4361dec2ca7fc2bcee050cc58dfe1e

  • SSDEEP

    24576:fuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:h9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7124391cb48a2dd54731363a0abc0df_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2396
  • C:\Windows\system32\mspaint.exe
    C:\Windows\system32\mspaint.exe
    1⤵
      PID:2956
    • C:\Users\Admin\AppData\Local\CQTCFLNM\mspaint.exe
      C:\Users\Admin\AppData\Local\CQTCFLNM\mspaint.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2636
    • C:\Windows\system32\wscript.exe
      C:\Windows\system32\wscript.exe
      1⤵
        PID:2868
      • C:\Users\Admin\AppData\Local\x8fFkh\wscript.exe
        C:\Users\Admin\AppData\Local\x8fFkh\wscript.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2296
      • C:\Windows\system32\BdeUISrv.exe
        C:\Windows\system32\BdeUISrv.exe
        1⤵
          PID:1816
        • C:\Users\Admin\AppData\Local\RZ0hyF3rn\BdeUISrv.exe
          C:\Users\Admin\AppData\Local\RZ0hyF3rn\BdeUISrv.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1244

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\CQTCFLNM\mspaint.exe
          Filesize

          6.4MB

          MD5

          458f4590f80563eb2a0a72709bfc2bd9

          SHA1

          3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

          SHA256

          ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

          SHA512

          e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

          Download Submit

        • C:\Users\Admin\AppData\Local\RZ0hyF3rn\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          e8709b6bd82c4ce9b569db572c9e89e1

          SHA1

          41dab2d8a47dcf820e4f89694f0831a7c1ac20bf

          SHA256

          c3a08106271faafe6a40f73525077647ea1ff6d40684399a0735947fa6b33406

          SHA512

          50ba86480c0a99a0988d68eee94b1d59c589c6a7fd346544417d5c51d39d2fa8e1c13766b6861979ed0ff81fa22ee704bc2ba383de5dca9e93b36fdae92c9390

          Download Submit

        • C:\Users\Admin\AppData\Local\x8fFkh\VERSION.dll
          Filesize

          1.2MB

          MD5

          83ffd8d5788aba2a87b6e14ad56b63fc

          SHA1

          ab30f219fd5a72d0c7126380cdd665b0ae3d478a

          SHA256

          aab1643683308cc5dab475c8e2492d35dd8ce44955744e2799892e44ffcc9182

          SHA512

          a12e97a0079cbc3ca293166d39f493e0c23fc0414db6218e74ce87d66fb0642b32cc8e706677c6669e543d9ecac65408edb095c0148a3cbd3b24c1dfec843157

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          f3d2a234017a94ae5f832b6396826f72

          SHA1

          03f18f7f22d468530a9e37f349b26bd6518934ac

          SHA256

          e4bfb9825a12d2fc6e806cf85b0aafb3eadbde591ebe4ff6760ca3d9bb7a7103

          SHA512

          b9a161980e50edc50a7807033406d998052b2091d3165c1b974ba18abf120001751b67b61ad1cc1ddb1f7b7aed2ae69c1ce756eec0189becc6c8d7de03e58772

          Download Submit

        • \Users\Admin\AppData\Local\CQTCFLNM\MFC42u.dll
          Filesize

          1.2MB

          MD5

          0d563912e5b4fee67513dcbfa8a630c8

          SHA1

          0cbb53e693c1e74d3e2c0cad0597708d19bfa799

          SHA256

          128a7aff0e5608dd2277afe9cccb00ea19d938eaf43c09816a73617ef933fe88

          SHA512

          4bae39f1fa4a4a2b9f0f20d07f9ff730d4054b3bb9cdd6dba59ffd5f78800b34d0d974428a49d8ec3ae29fee605202646680114c530db11526beb202d3b4b576

          Download Submit

        • \Users\Admin\AppData\Local\RZ0hyF3rn\BdeUISrv.exe
          Filesize

          47KB

          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit

        • \Users\Admin\AppData\Local\x8fFkh\wscript.exe
          Filesize

          165KB

          MD5

          8886e0697b0a93c521f99099ef643450

          SHA1

          851bd390bf559e702b8323062dbeb251d9f2f6f7

          SHA256

          d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

          SHA512

          fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

          Download Submit

        • memory/1192-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-27-0x0000000077E60000-0x0000000077E62000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-26-0x0000000077CD1000-0x0000000077CD2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-25-0x0000000002D00000-0x0000000002D07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-4-0x0000000077BC6000-0x0000000077BC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-37-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-5-0x0000000002D20000-0x0000000002D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-99-0x000007FEF6DD0000-0x000007FEF6F01000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2296-82-0x000007FEF6DD0000-0x000007FEF6F01000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2296-79-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2296-76-0x000007FEF6DD0000-0x000007FEF6F01000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2396-45-0x000007FEF6DE0000-0x000007FEF6F10000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2396-1-0x00000000003A0000-0x00000000003A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2396-0-0x000007FEF6DE0000-0x000007FEF6F10000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2636-58-0x000007FEF7400000-0x000007FEF7537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2636-54-0x000007FEF7400000-0x000007FEF7537000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2636-53-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download