Overview

overview

10

Static

static

3

f27d0ce1d6...18.dll

windows7-x64

10

f27d0ce1d6...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-09-2024 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f27d0ce1d6f4f2dc3ca5cd5d21185e04_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    f27d0ce1d6f4f2dc3ca5cd5d21185e04

  • SHA1

    ceb9a18cca6d60940ba6817f65b0c7d6c715ba9a

  • SHA256

    eee2e1a66ec290793a4c288e15f1517031ae55eb7af9a1f5215ca63366c067d0

  • SHA512

    55de677ed09b5cae3a18a799b010e09e2e33446f306b858d7b58adfcfc1aab83968320f898f354f28da57e86038b9c93d6a771760a8cc76e8481c1e9cc06a6ea

  • SSDEEP

    24576:PyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:PyWRKTt/QlPVp3h9

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f27d0ce1d6f4f2dc3ca5cd5d21185e04_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1040
  • C:\Windows\system32\Netplwiz.exe
    C:\Windows\system32\Netplwiz.exe
    1⤵
      PID:2992
    • C:\Users\Admin\AppData\Local\mRD4\Netplwiz.exe
      C:\Users\Admin\AppData\Local\mRD4\Netplwiz.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2648
    • C:\Windows\system32\BdeUISrv.exe
      C:\Windows\system32\BdeUISrv.exe
      1⤵
        PID:2180
      • C:\Users\Admin\AppData\Local\NVPa5gG\BdeUISrv.exe
        C:\Users\Admin\AppData\Local\NVPa5gG\BdeUISrv.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2592
      • C:\Windows\system32\MpSigStub.exe
        C:\Windows\system32\MpSigStub.exe
        1⤵
          PID:2372
        • C:\Users\Admin\AppData\Local\Uq7\MpSigStub.exe
          C:\Users\Admin\AppData\Local\Uq7\MpSigStub.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1812

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\NVPa5gG\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          8f6fe542d86ac32f09ddf28af97f7561

          SHA1

          3f84fdecdc2dd932f4f1c5b0809851415e4d2bef

          SHA256

          4204e59c44cb44d74e6c7c8a0e1db738b907e81a5c930821d857710977d7e004

          SHA512

          70758183cdf5fca6cacb3a3e136b6f40f39ef29f88eed6dbc00d4eaef575c3124c885b860cb2606f1c16abc3a3201bb8c1c5e67083ad6a242f42ef9eb8a217a5

          Download Submit

        • C:\Users\Admin\AppData\Local\mRD4\NETPLWIZ.dll
          Filesize

          1.2MB

          MD5

          cbeddfd810f6cbba8b7a87b4a907678d

          SHA1

          c6e2c2e770f8862f29314a1b668dd71b79817721

          SHA256

          b034439b3c0a36be9f14117a8bc9e61212ef3b986d9c24f4a44a548b5670cd51

          SHA512

          9c43487ea2d42b7fb4878e346652932e3696ae1e383542b5226b0ed7454e152c883f213e7f55b1aa199cd85f8dc0231eea0aef1d48f70280e656a6b2ec38e9f4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wzkhocxsoqdr.lnk
          Filesize

          1KB

          MD5

          b551f80e777b2183ba4209e965a27f93

          SHA1

          6c43a6606cbcb60692814315bf22e2cfb1178c64

          SHA256

          f30a791446c1d2a66c634ad1ce35c122395a562a337778e4bd0f0da0c38c4c1b

          SHA512

          3dfe0703c5b2a7ad2984d47955573c4429adf9a8182bba056481c980e62b60407a7c3566584389f3460963ebade1b83a4b182f0421f03990a77e4a538a26c01c

          Download Submit

        • \Users\Admin\AppData\Local\NVPa5gG\BdeUISrv.exe
          Filesize

          47KB

          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit

        • \Users\Admin\AppData\Local\Uq7\MpSigStub.exe
          Filesize

          264KB

          MD5

          2e6bd16aa62e5e95c7b256b10d637f8f

          SHA1

          350be084477b1fe581af83ca79eb58d4defe260f

          SHA256

          d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

          SHA512

          1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

          Download Submit

        • \Users\Admin\AppData\Local\Uq7\VERSION.dll
          Filesize

          1.2MB

          MD5

          ac899166bb9eb93ccbf434c8e3fe06bb

          SHA1

          ed0637fc4cb3436a43730ce8cbd170a9dbfd31af

          SHA256

          f7c9c898877f8fa86e035bfa7e158acb206384eba738441ce45d286e4c70c64d

          SHA512

          2e1dcc92d2c954eaf6ed8219a8360993b035eea4a866d3ad3b83a87e64762945b2bf080b65da590aaa0f9535411c35e4613a181d82b92bcc67b5a050c74e0574

          Download Submit

        • \Users\Admin\AppData\Local\mRD4\Netplwiz.exe
          Filesize

          26KB

          MD5

          e43ec3c800d4c0716613392e81fba1d9

          SHA1

          37de6a235e978ecf3bb0fc2c864016c5b0134348

          SHA256

          636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

          SHA512

          176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

          Download Submit

        • memory/1040-3-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1040-0-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1040-39-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-15-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-24-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-11-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-10-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-9-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-8-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-13-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-14-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-33-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-32-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-42-0x0000000077066000-0x0000000077067000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-12-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-25-0x0000000002630000-0x0000000002637000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-4-0x0000000077066000-0x0000000077067000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-5-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-7-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1188-28-0x0000000077171000-0x0000000077172000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-29-0x0000000077300000-0x0000000077302000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1812-85-0x0000000000170000-0x0000000000177000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1812-91-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2592-73-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2648-56-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2648-51-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2648-50-0x0000000000080000-0x0000000000087000-memory.dmp

          Filesize

          28KB

          Download