Overview

overview

10

Static

static

3

ef144112ab...18.dll

windows7-x64

10

ef144112ab...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-09-2024 04:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef144112ab3bd4e5fede0a35175b0865_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    ef144112ab3bd4e5fede0a35175b0865

  • SHA1

    ea9e920ef55c48d710b9dbd593ba87e1da2f1b35

  • SHA256

    a63b33397161f4ae306b3304283359d24e52c75aef053ef690794cc664069c91

  • SHA512

    15f45026594769fddeed6ff1f60f15b27cab2492bd12d4d5d910abdab1802e281540823bcde73c0eab38ecd5ab8bc38054b3d7da6db3bb71a4c1b8fd0d236ee1

  • SSDEEP

    24576:2uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:29cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef144112ab3bd4e5fede0a35175b0865_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2008
  • C:\Windows\system32\spinstall.exe
    C:\Windows\system32\spinstall.exe
    1⤵
      PID:2904
    • C:\Users\Admin\AppData\Local\EHRZ\spinstall.exe
      C:\Users\Admin\AppData\Local\EHRZ\spinstall.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2752
    • C:\Windows\system32\DWWIN.EXE
      C:\Windows\system32\DWWIN.EXE
      1⤵
        PID:2912
      • C:\Users\Admin\AppData\Local\hK3Lqn\DWWIN.EXE
        C:\Users\Admin\AppData\Local\hK3Lqn\DWWIN.EXE
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1916
      • C:\Windows\system32\p2phost.exe
        C:\Windows\system32\p2phost.exe
        1⤵
          PID:2500
        • C:\Users\Admin\AppData\Local\Ozb2E\p2phost.exe
          C:\Users\Admin\AppData\Local\Ozb2E\p2phost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2876

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\EHRZ\XmlLite.dll
          Filesize

          1.2MB

          MD5

          83098da2418300b548dd9287d8ee2ea0

          SHA1

          526d19bd60085fbe6da703959e812e925dd4c887

          SHA256

          ed76fde7931ff8995fb4eaa26088a13c7e562d3a42a6257070e0c0b7bf8d87b0

          SHA512

          ca453c2b5074c1debadc9bc9d980ca95f78fae4804c3e5999653548b03c6df5b025644dc325e17f21583249dc44b4cb1842736cc81f55f818c89f74facb48a56

          Download Submit

        • C:\Users\Admin\AppData\Local\Ozb2E\P2P.dll
          Filesize

          1.2MB

          MD5

          0b16ca29b913074da7c99295d12284ba

          SHA1

          4e6f9a30307e40098418c0ae7703fd3c99d14a3d

          SHA256

          f062bab1638677b48112a3aabe6c9ceb589e87dd2e5d12e441f95b7f0af2aa42

          SHA512

          50c86e2261ff0da66d18f387232601b449f73e0079015abad756247f4bc60a0b1ce9c5888a5e113b85b97ca8014fd92e6fbb2219bcb4f5ca2c22baba021bbb17

          Download Submit

        • C:\Users\Admin\AppData\Local\hK3Lqn\DWWIN.EXE
          Filesize

          149KB

          MD5

          25247e3c4e7a7a73baeea6c0008952b1

          SHA1

          8087adb7a71a696139ddc5c5abc1a84f817ab688

          SHA256

          c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

          SHA512

          bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

          Download Submit

        • C:\Users\Admin\AppData\Local\hK3Lqn\wer.dll
          Filesize

          1.2MB

          MD5

          6ac16ea4db83d7050f8bf978faed166e

          SHA1

          aca910a41128e5acdba0ca1d36aadda26ba10ad4

          SHA256

          8ae4962fe0f66b18c383fbbb0a382128e6e7d055a53d8b12ff544ef0df89218b

          SHA512

          1ae0ebacb26fcffff57cab79c431eef3fea3c00fdf84a0915e3425dc98e8835a264854c66b3cd11e95ca6d4ad9c659c32d3081ff3a08a8c8a0de8e28d4f757ed

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk
          Filesize

          1KB

          MD5

          8f030f88435f131667683acebc6ba036

          SHA1

          b6d78c83a2395f68013528d05ec19c3514b7a7da

          SHA256

          66be5515f86e2c908ed6d28ffb134f79f0af29c033fa4236b3e2b45b40bf74e6

          SHA512

          b91b155f1f2ccb22458613784f13ef0190b3381c2651ab65d070890800de8056036daf31eaafbd475969f0c8aa9cef25e9560a059830ce89bbf910acf96564aa

          Download Submit

        • \Users\Admin\AppData\Local\EHRZ\spinstall.exe
          Filesize

          584KB

          MD5

          29c1d5b330b802efa1a8357373bc97fe

          SHA1

          90797aaa2c56fc2a667c74475996ea1841bc368f

          SHA256

          048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

          SHA512

          66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

          Download Submit

        • \Users\Admin\AppData\Local\Ozb2E\p2phost.exe
          Filesize

          172KB

          MD5

          0dbd420477352b278dfdc24f4672b79c

          SHA1

          df446f25be33ac60371557717073249a64e04bb2

          SHA256

          1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

          SHA512

          84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

          Download Submit

        • memory/1152-15-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-47-0x0000000077136000-0x0000000077137000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-29-0x0000000077241000-0x0000000077242000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-17-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-16-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-14-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-13-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-12-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-11-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-10-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-9-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-4-0x0000000077136000-0x0000000077137000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-37-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-38-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-5-0x0000000002E80000-0x0000000002E81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-30-0x00000000773D0000-0x00000000773D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1152-26-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-23-0x0000000002E60000-0x0000000002E67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1152-7-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1152-8-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1916-73-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1916-74-0x000007FEF6AE0000-0x000007FEF6C13000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1916-79-0x000007FEF6AE0000-0x000007FEF6C13000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2008-46-0x000007FEF6AE0000-0x000007FEF6C12000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2008-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2008-0-0x000007FEF6AE0000-0x000007FEF6C12000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2752-61-0x000007FEF70D0000-0x000007FEF7203000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2752-58-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2752-55-0x000007FEF70D0000-0x000007FEF7203000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2876-91-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2876-97-0x000007FEF6AE0000-0x000007FEF6C13000-memory.dmp

          Filesize

          1.2MB

          Download