Overview

overview

10

Static

static

3

e92a566002...18.dll

windows7-x64

10

e92a566002...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18/09/2024, 12:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e92a56600266f295094dfbf8f2dce8d3_JaffaCakes118.dll

  • Size

    1.4MB

  • MD5

    e92a56600266f295094dfbf8f2dce8d3

  • SHA1

    52db6d1d6db1e21c1cc8a90b275522eed96e04e2

  • SHA256

    526ebbf20321313197a89bbac67ecc6b3289419dfc06b67031c9d838a355e1ff

  • SHA512

    5d24771e4232982f1cfb60393826f18c5934840910dafb07cb6e1de8a6932681bd5636ef60e3f413ad2c8b57b451982d59f75dc988693fd757ce12594025990f

  • SSDEEP

    24576:OuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:u9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e92a56600266f295094dfbf8f2dce8d3_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2700
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    1⤵
      PID:2524
    • C:\Users\Admin\AppData\Local\ezTYR2dMh\rstrui.exe
      C:\Users\Admin\AppData\Local\ezTYR2dMh\rstrui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2568
    • C:\Windows\system32\PresentationSettings.exe
      C:\Windows\system32\PresentationSettings.exe
      1⤵
        PID:920
      • C:\Users\Admin\AppData\Local\qlXB\PresentationSettings.exe
        C:\Users\Admin\AppData\Local\qlXB\PresentationSettings.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1876
      • C:\Windows\system32\wusa.exe
        C:\Windows\system32\wusa.exe
        1⤵
          PID:564
        • C:\Users\Admin\AppData\Local\W4d\wusa.exe
          C:\Users\Admin\AppData\Local\W4d\wusa.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1680

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\W4d\WTSAPI32.dll
                Filesize

                1.4MB

                MD5

                aa1b4ef70eb8693449a59850fd6eec7a

                SHA1

                bec0e50f89f7fe6872cadbb0a7cccef3c0c66848

                SHA256

                a5df76b1afddea35cb66cb0001f42a12517a27db45cca52c4358de7b73e1deca

                SHA512

                afeaf164df195889a2778d0bb666ae707919e74b55c0f8f1331aa232005664e954db52dc9e7da94d100132926d9ef6a99e7a51dba19c315ec2b05ce440d04dc8

                Download Submit

              • C:\Users\Admin\AppData\Local\ezTYR2dMh\SRCORE.dll
                Filesize

                1.4MB

                MD5

                a50b444f7f8e6a7a8fd47df245950c8e

                SHA1

                68403dcc90c30b4969d30ecd81f6105f78530421

                SHA256

                19942ba0d5090b86dd30bfb4b6c878873bea491a924617dd042c40e4b00ff986

                SHA512

                9584944b28ac4a4cf7564a5a2287a5d6760ed143646cba5ff9a7afbf683321a3caef1e23550e45916a80e737405e9d101448fda533735c145fdd73f65ff734d1

                Download Submit

              • C:\Users\Admin\AppData\Local\qlXB\slc.dll
                Filesize

                1.4MB

                MD5

                b08b1e9fcd60154ce26e76d54f766952

                SHA1

                6e57757563a9d3559f1f9a4006786ecbcd402aa1

                SHA256

                2755231ed97dbcbd5dc30d8d2dbc1613b54de1e8c8692ac994f8d92cd30be802

                SHA512

                df1992400dc124f35ff6f930694e265ad4af01505f69fd21d758c15ce50dc5db9a234e9a1a9bdd0710063b712696fd2f294ba01243a7004aa54c2c89518bd07d

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wzkhocxsoqdr.lnk
                Filesize

                1007B

                MD5

                5d37ae3d8869e43b1c6974414714af04

                SHA1

                647d072f582d2cb4d971ced8ca31392ba52baf2c

                SHA256

                08e9e0bf8810426db9a6f9e1c635698725b002384c83fcfc7dfc9d2b479fb2f2

                SHA512

                76cebb2010d821b99cd4f80c87a4199cf927114d07bf53e42527c9582d43182ae794d6ac642b0c1ab94e0aeff9d4b88e8274838651264c33b570b4cf11a566a6

                Download Submit

              • \Users\Admin\AppData\Local\W4d\wusa.exe
                Filesize

                300KB

                MD5

                c15b3d813f4382ade98f1892350f21c7

                SHA1

                a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

                SHA256

                8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

                SHA512

                6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

                Download Submit

              • \Users\Admin\AppData\Local\ezTYR2dMh\rstrui.exe
                Filesize

                290KB

                MD5

                3db5a1eace7f3049ecc49fa64461e254

                SHA1

                7dc64e4f75741b93804cbae365e10dc70592c6a9

                SHA256

                ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

                SHA512

                ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

                Download Submit

              • \Users\Admin\AppData\Local\qlXB\PresentationSettings.exe
                Filesize

                172KB

                MD5

                a6f8d318f6041334889481b472000081

                SHA1

                b8cf08ec17b30c8811f2514246fcdff62731dd58

                SHA256

                208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

                SHA512

                60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

                Download Submit

              • memory/1228-12-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-41-0x0000000077486000-0x0000000077487000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1228-16-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-15-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-28-0x0000000077820000-0x0000000077822000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1228-31-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-27-0x0000000077691000-0x0000000077692000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1228-26-0x0000000002270000-0x0000000002277000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1228-14-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-13-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-32-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-4-0x0000000077486000-0x0000000077487000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1228-11-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-9-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-5-0x00000000026A0000-0x00000000026A1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1228-8-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-25-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-17-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-7-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1228-10-0x0000000140000000-0x0000000140164000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1680-90-0x00000000000F0000-0x00000000000F7000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1680-93-0x000007FEF7910000-0x000007FEF7A75000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1876-67-0x0000000000110000-0x0000000000117000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1876-69-0x000007FEF7910000-0x000007FEF7A75000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/1876-75-0x000007FEF7910000-0x000007FEF7A75000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2568-55-0x000007FEF7A40000-0x000007FEF7BA5000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2568-50-0x000007FEF7A40000-0x000007FEF7BA5000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2568-49-0x0000000000170000-0x0000000000177000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2700-38-0x000007FEF78D0000-0x000007FEF7A34000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2700-2-0x000007FEF78D0000-0x000007FEF7A34000-memory.dmp

                Filesize

                1.4MB

                Download

              • memory/2700-0-0x0000000000290000-0x0000000000297000-memory.dmp

                Filesize

                28KB

                Download