Overview

overview

10

Static

static

3

ea01a6add7...18.dll

windows7-x64

10

ea01a6add7...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    18-09-2024 21:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea01a6add7afdcb129fd6fff4ddb15ce_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    ea01a6add7afdcb129fd6fff4ddb15ce

  • SHA1

    11ec5fbc5ad77d25e9d22518f47f8f0b160a46a9

  • SHA256

    d9be09a9dd8aaa00eeffcc1023440100139d3176e9ee7600fce67b7d754f204d

  • SHA512

    6225b33bd6a0df411679014c25f23d0d41de3c96052f2eae86d1b072831a5e18bbb636775fbf88c2941b16d351aad70ec017545edb58d45122fe0e8cb1fc026d

  • SSDEEP

    24576:MuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:k9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ea01a6add7afdcb129fd6fff4ddb15ce_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1056
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    1⤵
      PID:2440
    • C:\Users\Admin\AppData\Local\TYfpFZRj3\raserver.exe
      C:\Users\Admin\AppData\Local\TYfpFZRj3\raserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2476
    • C:\Windows\system32\SndVol.exe
      C:\Windows\system32\SndVol.exe
      1⤵
        PID:1424
      • C:\Users\Admin\AppData\Local\3gwTFGDd\SndVol.exe
        C:\Users\Admin\AppData\Local\3gwTFGDd\SndVol.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1200
      • C:\Windows\system32\consent.exe
        C:\Windows\system32\consent.exe
        1⤵
          PID:2272
        • C:\Users\Admin\AppData\Local\nTRpbX\consent.exe
          C:\Users\Admin\AppData\Local\nTRpbX\consent.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2056

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\3gwTFGDd\dwmapi.dll
          Filesize

          1.2MB

          MD5

          9c7e8934e1205f45921e67388d728e28

          SHA1

          3bc40017bed5aebae9daece1c029c209fa5aadf0

          SHA256

          b65dc0019caa1f7061cd06a6f2a0cc6720bd6406e9f96b18782fcffd50741088

          SHA512

          f75057bfba4cdf9693102ae5d1b87fb820571a7990d27d8284185c3a9d6c48015b2461e5ed228cd23420f62b434b82fb71a6c7babb6aa055e0e2439a42163563

          Download Submit

        • C:\Users\Admin\AppData\Local\TYfpFZRj3\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          4e6df26f7bea307f0a5f22e7b4b596e4

          SHA1

          25ad3ec0f4ec6a7d98c8e2c3ea209ede770f2e0e

          SHA256

          28a7eae5bc224147c0c4da6a92f89f85ff5a2b08500c1e9db54819df33c1fbec

          SHA512

          75d688a1709b111f4b1dd0763c28f764d160007134371cde837ac7ce76e33af0a574c5c1e80d05e178b400dde9c00f19e6fd4aae383364ad1c6c6c796c3e3e82

          Download Submit

        • C:\Users\Admin\AppData\Local\nTRpbX\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          7900ac67bce31986947dbd3dd8a5aca2

          SHA1

          10eac4c680929f76eef3566991e9703d4dd5fc04

          SHA256

          93db665e75ebdd08c446200b0f561f01d894b5451c2eaaec228415158839a9c3

          SHA512

          ed7e63f1fd5c7fcf7251f99baec24ea57c7c20e265d04ad3dfd5131e2a3535deb6fe518425331ef74a1ed08bde7194872b2476dd91a3263b9af3eb18ce5e0657

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk
          Filesize

          1KB

          MD5

          5269e04d61664e2ad3244854fd057d10

          SHA1

          b7d0beb193aec21ce9e205a74e591ac7e6e8788b

          SHA256

          b0e1911d86fcf7ed92398c5f8d12b7093c1d06cf4b093c5b0229085f9caf5bb7

          SHA512

          4de97fbbce829970f427c1e81c8b689d6d961246f1913b8a2ab17d36581640e5b2134ab5585dcfcb0b1eed7a20ef34207184dffc4e9f69b83cce1327833edf4a

          Download Submit

        • \Users\Admin\AppData\Local\3gwTFGDd\SndVol.exe
          Filesize

          267KB

          MD5

          c3489639ec8e181044f6c6bfd3d01ac9

          SHA1

          e057c90b675a6da19596b0ac458c25d7440b7869

          SHA256

          a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

          SHA512

          63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

          Download Submit

        • \Users\Admin\AppData\Local\TYfpFZRj3\raserver.exe
          Filesize

          123KB

          MD5

          cd0bc0b6b8d219808aea3ecd4e889b19

          SHA1

          9f8f4071ce2484008e36fdfd963378f4ebad703f

          SHA256

          16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

          SHA512

          84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

          Download Submit

        • \Users\Admin\AppData\Local\nTRpbX\consent.exe
          Filesize

          109KB

          MD5

          0b5511674394666e9d221f8681b2c2e6

          SHA1

          6e4e720dfc424a12383f0b8194e4477e3bc346dc

          SHA256

          ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

          SHA512

          00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

          Download Submit

        • memory/1056-0-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1056-1-0x000007FEF72B0000-0x000007FEF73E4000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1056-48-0x000007FEF72B0000-0x000007FEF73E4000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-81-0x000007FEF72B0000-0x000007FEF73E5000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1200-75-0x0000000000820000-0x0000000000827000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1364-18-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-7-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-29-0x0000000077C31000-0x0000000077C32000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1364-28-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-27-0x00000000025D0000-0x00000000025D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1364-19-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-15-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-17-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-30-0x0000000077DC0000-0x0000000077DC2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1364-40-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-39-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-14-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-49-0x0000000077B26000-0x0000000077B27000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1364-16-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-8-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-4-0x0000000077B26000-0x0000000077B27000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1364-5-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1364-13-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-9-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-10-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-11-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1364-12-0x0000000140000000-0x0000000140134000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2056-93-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2056-99-0x000007FEF72B0000-0x000007FEF73E5000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2476-57-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2476-63-0x000007FEF72B0000-0x000007FEF73E5000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2476-58-0x000007FEF72B0000-0x000007FEF73E5000-memory.dmp

          Filesize

          1.2MB

          Download