Overview

overview

10

Static

static

3

f286092e8f...18.dll

windows7-x64

10

f286092e8f...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-09-2024 17:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f286092e8fe5d17abc765a52b10751ab_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    f286092e8fe5d17abc765a52b10751ab

  • SHA1

    b61edfebd10a23144d9a57f18ab23793a03e3acb

  • SHA256

    3669fd31aaec1ed1c3de1f93b27b2b662ccc5c02957edca53da6f7a7072488f3

  • SHA512

    75c27d2e52dd9cb29770da557d3360229d213871c70ba84dfab092eaabe1a42c1a363b66207a8b1d0d95ba7cf0a541be95cf40f781455df29be75a7a24ecfed2

  • SSDEEP

    24576:HVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:HV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f286092e8fe5d17abc765a52b10751ab_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2420
  • C:\Windows\system32\SndVol.exe
    C:\Windows\system32\SndVol.exe
    1⤵
      PID:2668
    • C:\Users\Admin\AppData\Local\8swC\SndVol.exe
      C:\Users\Admin\AppData\Local\8swC\SndVol.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2616
    • C:\Windows\system32\ddodiag.exe
      C:\Windows\system32\ddodiag.exe
      1⤵
        PID:1568
      • C:\Users\Admin\AppData\Local\ZtHK7E\ddodiag.exe
        C:\Users\Admin\AppData\Local\ZtHK7E\ddodiag.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1224
      • C:\Windows\system32\wscript.exe
        C:\Windows\system32\wscript.exe
        1⤵
          PID:1056
        • C:\Users\Admin\AppData\Local\ksZncaQsg\wscript.exe
          C:\Users\Admin\AppData\Local\ksZncaQsg\wscript.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1004

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8swC\dwmapi.dll
          Filesize

          1.2MB

          MD5

          f81e5ea40713cb60c3205945c23203f4

          SHA1

          7951d0953ea05dd518438dcb67869cbd14e4d637

          SHA256

          a4d7534ced1b7ddcdb6c71f5766087416d9a448bfc3406e0b41b0610d65fc7df

          SHA512

          8aad220fb6117601a82ce9484c391b132bd79ba4e51d8eff5c51ef1004b1823746319db0e031778157c0bca08a57a756689163f40e54db9d773393e634c95593

          Download Submit

        • C:\Users\Admin\AppData\Local\ZtHK7E\XmlLite.dll
          Filesize

          1.2MB

          MD5

          7c24c2833b30d4f95a08ed0501bfc450

          SHA1

          a621cbbd3e1110738993aa301504364413461d03

          SHA256

          d2ffb7253ea24d2e1372d8c052faab50cb839baa3e234228f0abbe00b33ce94f

          SHA512

          5c8c4baee55520c3c60aed1a6221bbdd0ed942d093af8a050ce6940165babdaddfda732c5f3959ae3df2da3d7f6f9f4ec849ad73707757b6f7ec6300a12df8fa

          Download Submit

        • C:\Users\Admin\AppData\Local\ksZncaQsg\VERSION.dll
          Filesize

          1.2MB

          MD5

          e2e45d875fe0ed856e262f6538c9422e

          SHA1

          c410dfb839b9f5c581f584e898f01c7225853884

          SHA256

          c4b44d8c5be01a04a19010ae3077c3d901375a7e1e92ecc663ac74e245319565

          SHA512

          cd7cfd18851a71f0255cccfb6dd3280abfd017a99fbd1f76f815491de3194e8725c481550a3e09e80ee1c13706ea84d1439bd5410ce2ed85d6e7921b389e6336

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk
          Filesize

          993B

          MD5

          b3504837f2894fcc8b5bb707c42a6582

          SHA1

          96453016b184c403cf5091d2a938f6404ed703c1

          SHA256

          88255f2698b3782429dd31ae33dbf61dbee9bd7038f74ff48657dd3dffb9dfb8

          SHA512

          3e4331fd02932f1d552634991a04e7b1002315343164a10c6f0fab934d3e163c70b6cb95ea99328e71f6fc27e38a3c4fa9e98aae5e246c38e5c73f6b7fb83932

          Download Submit

        • \Users\Admin\AppData\Local\8swC\SndVol.exe
          Filesize

          267KB

          MD5

          c3489639ec8e181044f6c6bfd3d01ac9

          SHA1

          e057c90b675a6da19596b0ac458c25d7440b7869

          SHA256

          a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

          SHA512

          63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

          Download Submit

        • \Users\Admin\AppData\Local\ZtHK7E\ddodiag.exe
          Filesize

          42KB

          MD5

          509f9513ca16ba2f2047f5227a05d1a8

          SHA1

          fe8d63259cb9afa17da7b7b8ede4e75081071b1a

          SHA256

          ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

          SHA512

          ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

          Download Submit

        • \Users\Admin\AppData\Local\ksZncaQsg\wscript.exe
          Filesize

          165KB

          MD5

          8886e0697b0a93c521f99099ef643450

          SHA1

          851bd390bf559e702b8323062dbeb251d9f2f6f7

          SHA256

          d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

          SHA512

          fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

          Download Submit

        • memory/1004-99-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-38-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-47-0x0000000077916000-0x0000000077917000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-13-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-14-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-26-0x0000000002F00000-0x0000000002F07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1152-25-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-16-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-15-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-4-0x0000000077916000-0x0000000077917000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-37-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-28-0x0000000077BB0000-0x0000000077BB2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1152-27-0x0000000077A21000-0x0000000077A22000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-5-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1152-7-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-8-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-9-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-12-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-11-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1152-10-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1224-73-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1224-79-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2420-46-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2420-0-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2420-1-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2616-61-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2616-56-0x0000000140000000-0x0000000140144000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2616-55-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download