Overview

overview

10

Static

static

3

d97f80ce2a...18.dll

windows7-x64

10

d97f80ce2a...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11-09-2024 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d97f80ce2a0f7b494b57d1cbb0540816_JaffaCakes118.dll

  • Size

    988KB

  • MD5

    d97f80ce2a0f7b494b57d1cbb0540816

  • SHA1

    977f98ba04fb23584f8da01712f1bbc6c0737c3c

  • SHA256

    838304ff62d092eadc72ce5443f3e1a93cd10520de99a9bc9cd04376c205505c

  • SHA512

    e246b2d4d92262d6dfecbd755781b1655f816d2913ad1998491fb3062081adc400c4bcde7bcdb78c917ed7e5b0b97daf0769d56b1d414c90234f90372f58663f

  • SSDEEP

    24576:LVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:LV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d97f80ce2a0f7b494b57d1cbb0540816_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2624
  • C:\Windows\system32\WFS.exe
    C:\Windows\system32\WFS.exe
    1⤵
      PID:2604
    • C:\Users\Admin\AppData\Local\2segLj\WFS.exe
      C:\Users\Admin\AppData\Local\2segLj\WFS.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:236
    • C:\Windows\system32\spreview.exe
      C:\Windows\system32\spreview.exe
      1⤵
        PID:1140
      • C:\Users\Admin\AppData\Local\xGYa5W\spreview.exe
        C:\Users\Admin\AppData\Local\xGYa5W\spreview.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2476
      • C:\Windows\system32\cttune.exe
        C:\Windows\system32\cttune.exe
        1⤵
          PID:300
        • C:\Users\Admin\AppData\Local\3P4m\cttune.exe
          C:\Users\Admin\AppData\Local\3P4m\cttune.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3036

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2segLj\MFC42u.dll
          Filesize

          1015KB

          MD5

          1e4d4f98fc4944db7083403aeb6953b5

          SHA1

          ced20cfa5e6ee4ec229cd90a0f6e847ed3cb8063

          SHA256

          eb1cdf98f43a73b2bb416053eef768fe78577b0527d29842dc24416992cfcc83

          SHA512

          ac29391a0445ebd535ad43c46f876859e539c18ffff95baa3518d5319a602d6ef472e7e7a0f2cf7b172fb80ce5c3ab747f047a8c1dfbe98e57bf0e25209b62d3

          Download Submit

        • C:\Users\Admin\AppData\Local\3P4m\cttune.exe
          Filesize

          314KB

          MD5

          7116848fd23e6195fcbbccdf83ce9af4

          SHA1

          35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

          SHA256

          39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

          SHA512

          e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

          Download Submit

        • C:\Users\Admin\AppData\Local\xGYa5W\VERSION.dll
          Filesize

          988KB

          MD5

          66eb94b970c95a9e408e9ffe47ac61a0

          SHA1

          f48c15c624266f95168af5cb18ae4efd251e9bb4

          SHA256

          cc88a5e75d23f3f423f1f433f9db2178911f0fcce2240bb96107d324752fc34c

          SHA512

          a5a0838c27c692f7dfe929a4848dd17e4498dac274d7b07690aba8e392ad5b6190812c395d664d747b3f439abe33d5c30a5513a2a9f3de8b6a5541d12a3a76b8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
          Filesize

          892B

          MD5

          b938c088c124187c1255633f740a6925

          SHA1

          320e1a489ab61f6807ab5ec57d4274cc3fd8f893

          SHA256

          92ad180f0e4d88a7e53e8b8af5956d814eafffec8893e3bb82dd94448b34c7b0

          SHA512

          08f960ad6af8a2793171683968f940775c56ba229cc98b4b160dc634cd5c3dd54c7898f2e8afac8ef464a20b1069595ff8f8e4e498e314e30d755a178e093da2

          Download Submit

        • \Users\Admin\AppData\Local\2segLj\WFS.exe
          Filesize

          951KB

          MD5

          a943d670747778c7597987a4b5b9a679

          SHA1

          c48b760ff9762205386563b93e8884352645ef40

          SHA256

          1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

          SHA512

          3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

          Download Submit

        • \Users\Admin\AppData\Local\3P4m\OLEACC.dll
          Filesize

          989KB

          MD5

          a8208143ea3200848813f7adaec1a24e

          SHA1

          5c0b033a811dd59ea1d193205f6320de89fbf335

          SHA256

          efba54e165b88dfbcd999e7c9f4b47941d84d0d10400075299ca8185ac21f553

          SHA512

          c69b222384a27a8610774b3a2820f0a3eb2cfac0ccfac3c0641a3469404f61d022da4e0ae2d14dac3e5d2b4bfabf6baed296cacbf160e9bc4caf550a1e68b7b9

          Download Submit

        • \Users\Admin\AppData\Local\xGYa5W\spreview.exe
          Filesize

          294KB

          MD5

          704cd4cac010e8e6d8de9b778ed17773

          SHA1

          81856abf70640f102b8b3defe2cf65669fe8e165

          SHA256

          4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

          SHA512

          b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

          Download Submit

        • memory/236-59-0x0000000140000000-0x0000000140103000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/236-54-0x0000000140000000-0x0000000140103000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/236-53-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-26-0x0000000076F50000-0x0000000076F52000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-14-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1204-12-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1204-11-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1204-9-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1204-8-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1204-35-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1204-36-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1204-4-0x0000000076CB6000-0x0000000076CB7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-45-0x0000000076CB6000-0x0000000076CB7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-23-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1204-25-0x0000000076DC1000-0x0000000076DC2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-7-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1204-13-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1204-24-0x0000000002620000-0x0000000002627000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-10-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1204-5-0x00000000029E0000-0x00000000029E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2476-71-0x0000000000080000-0x0000000000087000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2476-72-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/2476-77-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/2624-3-0x0000000000380000-0x0000000000387000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2624-44-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/2624-0-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/3036-89-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3036-95-0x0000000140000000-0x00000001400FD000-memory.dmp

          Filesize

          1012KB

          Download