Overview

overview

10

Static

static

3

e35c61ebe9...18.dll

windows7-x64

10

e35c61ebe9...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e35c61ebe91c031d45c2ae5fee1ce298_JaffaCakes118.dll

  • Size

    985KB

  • MD5

    e35c61ebe91c031d45c2ae5fee1ce298

  • SHA1

    18f2b3c265c8cb3dfc839e276c8b991e2dc03eaf

  • SHA256

    6da8b8e1b1f1db5c5497500cc342b5778541c2d6584a958ce64ae77c09895ecc

  • SHA512

    9b29a54deec72ef1e8c713da7659299df77a842e4543b2cf2d09dcea30cc68e87fff71e629acbf76feaada6a6019ac79c9ea438c3dc3d00d44f731bc767e620d

  • SSDEEP

    24576:hhLBOY3Zch8R9trbCPQFaD0JAc8V7M/GGS069NmgsSF:pTFJawGGj6fmg

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e35c61ebe91c031d45c2ae5fee1ce298_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2100
  • C:\Windows\system32\Dxpserver.exe
    C:\Windows\system32\Dxpserver.exe
    1⤵
      PID:2456
    • C:\Users\Admin\AppData\Local\umLozn\Dxpserver.exe
      C:\Users\Admin\AppData\Local\umLozn\Dxpserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2540
    • C:\Windows\system32\taskmgr.exe
      C:\Windows\system32\taskmgr.exe
      1⤵
        PID:2612
      • C:\Users\Admin\AppData\Local\wb43\taskmgr.exe
        C:\Users\Admin\AppData\Local\wb43\taskmgr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2776
      • C:\Windows\system32\SystemPropertiesProtection.exe
        C:\Windows\system32\SystemPropertiesProtection.exe
        1⤵
          PID:1900
        • C:\Users\Admin\AppData\Local\kJoj2Y2B\SystemPropertiesProtection.exe
          C:\Users\Admin\AppData\Local\kJoj2Y2B\SystemPropertiesProtection.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:544

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\kJoj2Y2B\SYSDM.CPL
          Filesize

          986KB

          MD5

          5dcfc0f90e555f578a6ddfb061a3d62a

          SHA1

          0b04925fb698532d4ee0218d88126b5cffee0fdd

          SHA256

          e9a55c6d2cc4717d25e2f7efe3c7a2fe9c9b9ab3c6cb1b1d6b08195b1064ae07

          SHA512

          56491d48f22373a060800692b0850a25ac97b14ac0223397e1b637c1c1c99f4b4daf5fb037e8681b73146ecd43b939ec267b498133cfc8fb79cdff52b7d6ef94

          Download Submit

        • C:\Users\Admin\AppData\Local\umLozn\XmlLite.dll
          Filesize

          986KB

          MD5

          4ce237ceab31031d3dc6a23e946cd28d

          SHA1

          501c372a2d8033a43b97ce45e472507e72884784

          SHA256

          38f74b1bbcced8bf7a0258743e3102742ca905de6c29bfff54792181bd583e22

          SHA512

          5d711e61e22d1219d93e25373649276efe8fc667f3e3979f0d64c2fda715347199674fcc678dcb8871572fe8905b6742765701f0a2bf50531856f257923a432e

          Download Submit

        • C:\Users\Admin\AppData\Local\wb43\credui.dll
          Filesize

          987KB

          MD5

          a336693b8ae0173c7428743a429c8872

          SHA1

          fa4b75c66ef13271c588c5d0eb9f9219b53145e2

          SHA256

          f292c64882091906041cff2109bd07adff231b056d09b7a71b198936c66eacdf

          SHA512

          0251c214b557891b709a654d7667f793b0a08d2973e0f32a8d48b2af479c5d1f7ece73fd306f112885a20f358660a5654e8bdbaee5b18b9b758a47813d8ba95f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1KB

          MD5

          f73d9207727c78a855f1a6ee214be65f

          SHA1

          c751c8250cc637cd7af81cba243661b05fd640ae

          SHA256

          9140863c6b6ab7f36e63b2c5a3d94e23bbbedccb4cd81ad7d0b7219e8451c726

          SHA512

          3721417448fa1cc17d9190f5c21a25e9f474e9b6f4bb60a2ae06a7d85c530305b50cc84ccce8a810c09f40ff5d357e5773e2f1538ace242b757932151901645f

          Download Submit

        • \Users\Admin\AppData\Local\kJoj2Y2B\SystemPropertiesProtection.exe
          Filesize

          80KB

          MD5

          05138d8f952d3fff1362f7c50158bc38

          SHA1

          780bc59fcddf06a7494d09771b8340acffdcc720

          SHA256

          753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

          SHA512

          27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

          Download Submit

        • \Users\Admin\AppData\Local\umLozn\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • \Users\Admin\AppData\Local\wb43\taskmgr.exe
          Filesize

          251KB

          MD5

          09f7401d56f2393c6ca534ff0241a590

          SHA1

          e8b4d84a28e5ea17272416ec45726964fdf25883

          SHA256

          6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

          SHA512

          7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

          Download Submit

        • memory/544-94-0x000007FEF6A10000-0x000007FEF6B0D000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/1236-7-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1236-28-0x0000000077430000-0x0000000077432000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1236-15-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1236-14-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1236-13-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1236-12-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1236-11-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1236-9-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1236-4-0x0000000077096000-0x0000000077097000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-36-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1236-37-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1236-5-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-45-0x0000000077096000-0x0000000077097000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-27-0x00000000772A1000-0x00000000772A2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-24-0x0000000002F30000-0x0000000002F37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1236-8-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1236-10-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/1236-23-0x0000000140000000-0x00000001400FC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/2100-44-0x000007FEF75C0000-0x000007FEF76BC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/2100-3-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2100-0-0x000007FEF75C0000-0x000007FEF76BC000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/2540-59-0x000007FEF75E0000-0x000007FEF76DD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/2540-53-0x000007FEF75E0000-0x000007FEF76DD000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/2540-56-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2776-74-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2776-71-0x000007FEF6A10000-0x000007FEF6B0D000-memory.dmp

          Filesize

          1012KB

          Download

        • memory/2776-77-0x000007FEF6A10000-0x000007FEF6B0D000-memory.dmp

          Filesize

          1012KB

          Download