Overview

overview

10

Static

static

3

ec0fbfbc9d...18.dll

windows7-x64

10

ec0fbfbc9d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2024 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec0fbfbc9d92e4357791f2f1613571eb_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    ec0fbfbc9d92e4357791f2f1613571eb

  • SHA1

    ac4c84d2178402a2e6fb29b3bdb6178495161f11

  • SHA256

    a638b49731c356434985d9ef68e10b6def07bf5b398059ea17c2cf8dd1b9f1cc

  • SHA512

    d9d1c1502ae4774d7eeb8ccb3315ef41a40e15c5a7644e8fda521ec94bf6b9315efcc0ed8c289f716fb143d2c2975f76bd29e4963d8c8854fe303c61609a14a7

  • SSDEEP

    24576:WuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:W9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec0fbfbc9d92e4357791f2f1613571eb_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2764
  • C:\Windows\system32\cmstp.exe
    C:\Windows\system32\cmstp.exe
    1⤵
      PID:2468
    • C:\Users\Admin\AppData\Local\FXBZ4\cmstp.exe
      C:\Users\Admin\AppData\Local\FXBZ4\cmstp.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2532
    • C:\Windows\system32\WFS.exe
      C:\Windows\system32\WFS.exe
      1⤵
        PID:1476
      • C:\Users\Admin\AppData\Local\hV1E\WFS.exe
        C:\Users\Admin\AppData\Local\hV1E\WFS.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1436
      • C:\Windows\system32\rdrleakdiag.exe
        C:\Windows\system32\rdrleakdiag.exe
        1⤵
          PID:2900
        • C:\Users\Admin\AppData\Local\o4EHs\rdrleakdiag.exe
          C:\Users\Admin\AppData\Local\o4EHs\rdrleakdiag.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2952

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\FXBZ4\VERSION.dll
          Filesize

          1.2MB

          MD5

          c98e882c55c69984232bed395a98cf92

          SHA1

          7b8d3c4f41f963b6018ea4b6d764fb2d2e4472ce

          SHA256

          c00ca015a60ed6bbbed85fa1227fbdabaf46009f1be68a820a0d56f1df704ac4

          SHA512

          782bb4d980743197190e7d2d2ac32e18d056bde36db757328c0739d823254715975e0ea732bac24f849957e6e90fc307b1b50ee014b0e4437ac3ec30ac9f4a88

          Download Submit

        • C:\Users\Admin\AppData\Local\hV1E\WINMM.dll
          Filesize

          1.2MB

          MD5

          f649feae853d22330866bc99aa9d0f52

          SHA1

          f2468c05fb93669b1278ce2de1e3d4ca6a6ecfc9

          SHA256

          29e66e44325d76b3787e04af97b15796021d10876323d5bd36527a449372c208

          SHA512

          83d113b5b1e8334522555ade7bc92e88f925292e80cd03cc27110e91c75daeff643973a6c661d090cd13badb75913c18bb9af497a35b38d28a584dc7644bb7c3

          Download Submit

        • C:\Users\Admin\AppData\Local\o4EHs\wer.dll
          Filesize

          1.2MB

          MD5

          3287e88cdc5333680f2da63d827c9cd3

          SHA1

          a486a8b3da021f43a3d196ac892dd580f419edc2

          SHA256

          2d9990709d12729792517d3418333cde736bb1a4037db11ed1dc1fc3e59af364

          SHA512

          30b3d6d69458f828611b4b7dfa3c38072bf1e25ec119ee91edcbf8850eaedf01d83fe51e0a33a8a2ec143e02eb7251de172978257ecfd05fc5bf4a390d124eee

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wzkhocxsoqdr.lnk
          Filesize

          1KB

          MD5

          e5ded4673a42e6203a4aa882aeb7df26

          SHA1

          05710992a4c22af958c375412331a74cef8a293c

          SHA256

          237a3f0d3ff55daebbe4971045e51b177d211eeae6cb26914332eb87dff334d6

          SHA512

          dfbcf93c4512cecd3c30910586d51312ce5fafc6f7b55b4b19786d7a4cbee598824faa6bce45a346c957362b7ee3646abf72c56d0c0d77f29c6d2ee56013cc72

          Download Submit

        • \Users\Admin\AppData\Local\FXBZ4\cmstp.exe
          Filesize

          90KB

          MD5

          74c6da5522f420c394ae34b2d3d677e3

          SHA1

          ba135738ef1fb2f4c2c6c610be2c4e855a526668

          SHA256

          51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

          SHA512

          bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

          Download Submit

        • \Users\Admin\AppData\Local\hV1E\WFS.exe
          Filesize

          951KB

          MD5

          a943d670747778c7597987a4b5b9a679

          SHA1

          c48b760ff9762205386563b93e8884352645ef40

          SHA256

          1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

          SHA512

          3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

          Download Submit

        • \Users\Admin\AppData\Local\o4EHs\rdrleakdiag.exe
          Filesize

          39KB

          MD5

          5e058566af53848541fa23fba4bb5b81

          SHA1

          769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

          SHA256

          ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

          SHA512

          352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

          Download Submit

        • memory/1192-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-43-0x00000000774A6000-0x00000000774A7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-28-0x0000000077840000-0x0000000077842000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-26-0x00000000021F0000-0x00000000021F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-33-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-4-0x00000000774A6000-0x00000000774A7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-35-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-5-0x0000000002210000-0x0000000002211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-27-0x00000000776B1000-0x00000000776B2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1192-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1436-69-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1436-70-0x000007FEF6DC0000-0x000007FEF6EF3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1436-75-0x000007FEF6DC0000-0x000007FEF6EF3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2532-57-0x000007FEFB2F0000-0x000007FEFB422000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2532-52-0x000007FEFB2F0000-0x000007FEFB422000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2532-51-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2764-34-0x000007FEF7A90000-0x000007FEF7BC1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2764-0-0x000007FEF7A90000-0x000007FEF7BC1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2764-3-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2952-89-0x00000000001F0000-0x00000000001F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2952-91-0x000007FEF7A90000-0x000007FEF7BC2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2952-95-0x000007FEF7A90000-0x000007FEF7BC2000-memory.dmp

          Filesize

          1.2MB

          Download