Overview

overview

10

Static

static

3

f4dcda795d...18.dll

windows7-x64

10

f4dcda795d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 01:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f4dcda795d669eadc3e6aece306f5edd_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    f4dcda795d669eadc3e6aece306f5edd

  • SHA1

    11264496a75d446d6d6f443d8200caad04340ed9

  • SHA256

    1c173d1937e8af89b502f278fb6053f5a1823663ff45e9d9b174483c5d7b46df

  • SHA512

    93b7ade0fa90d5f7b0db616d79c498b43aeeb92de6e264c7908124c78f8b57cf5554e26ad36e7c08a36cf6c65207760eb60846c63e215dd3852226aa6d9ba165

  • SSDEEP

    24576:luYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nipt:f9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4dcda795d669eadc3e6aece306f5edd_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1244
  • C:\Windows\system32\OptionalFeatures.exe
    C:\Windows\system32\OptionalFeatures.exe
    1⤵
      PID:2068
    • C:\Users\Admin\AppData\Local\N1kJMLe\OptionalFeatures.exe
      C:\Users\Admin\AppData\Local\N1kJMLe\OptionalFeatures.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2632
    • C:\Windows\system32\dpapimig.exe
      C:\Windows\system32\dpapimig.exe
      1⤵
        PID:2212
      • C:\Users\Admin\AppData\Local\uyP\dpapimig.exe
        C:\Users\Admin\AppData\Local\uyP\dpapimig.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2920
      • C:\Windows\system32\rdpclip.exe
        C:\Windows\system32\rdpclip.exe
        1⤵
          PID:1476
        • C:\Users\Admin\AppData\Local\y9tPWsDQ4\rdpclip.exe
          C:\Users\Admin\AppData\Local\y9tPWsDQ4\rdpclip.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2108

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\N1kJMLe\appwiz.cpl
          Filesize

          1.2MB

          MD5

          09b9bc8499ab0cce52d08e83dd0e3537

          SHA1

          4aac1a29289a2baf685518d666b000211c00856b

          SHA256

          2d4cc2aed7904d4d0f07d1e9b4c58987e7af27fe1b3f55580cccd25cbc7a6bbd

          SHA512

          f2d1fc42927381e9bc58e3b368092406d5b54d064efe8c4cc270c0d6bf5e914e8eee5f163f87293292afcfb3b62a9ee05b289d461d82fc49a445fb93c6b40b7d

          Download Submit

        • C:\Users\Admin\AppData\Local\y9tPWsDQ4\rdpclip.exe
          Filesize

          206KB

          MD5

          25d284eb2f12254c001afe9a82575a81

          SHA1

          cf131801fdd5ec92278f9e0ae62050e31c6670a5

          SHA256

          837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

          SHA512

          7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
          Filesize

          952B

          MD5

          aad769598bbee0370d8ab2fb04927ccb

          SHA1

          eeec49e12616f2258ddc7c802ccd57024852509f

          SHA256

          6e8da17efe5e561867abd696f6b4bd817ce3da3874f7adb0f98cb3c6e37487e8

          SHA512

          0935ba595cd743a48fa4a27625c9a537c30489953831310ce30e7816ab4923bf56e2d6581ba6b1ce278980fbef529d0ec77c33c990d045d6c06aa95713785d9a

          Download Submit

        • \Users\Admin\AppData\Local\N1kJMLe\OptionalFeatures.exe
          Filesize

          95KB

          MD5

          eae7af6084667c8f05412ddf096167fc

          SHA1

          0dbe8aba001447030e48e8ad5466fd23481e6140

          SHA256

          01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

          SHA512

          172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

          Download Submit

        • \Users\Admin\AppData\Local\uyP\DUI70.dll
          Filesize

          1.4MB

          MD5

          a41e48f4ffbf50bd3093f23344178014

          SHA1

          d79ec9b2b0f3cde2fcefd97f3ed3dce649c3fc43

          SHA256

          18bde7e65c11b613dd8bb59c9af48085c61fe93ccf06c81e3d0e2941be6a73ba

          SHA512

          6310c05a45ad52184e3edb1f0456dd7c8bc544fd05f5b712c427f278e864cb810d2c6003112ef597cf3aea10ce81e816a5b245a93d297e187cbede115e760d4d

          Download Submit

        • \Users\Admin\AppData\Local\uyP\dpapimig.exe
          Filesize

          73KB

          MD5

          0e8b8abea4e23ddc9a70614f3f651303

          SHA1

          6d332ba4e7a78039f75b211845514ab35ab467b2

          SHA256

          66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

          SHA512

          4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

          Download Submit

        • \Users\Admin\AppData\Local\y9tPWsDQ4\WINSTA.dll
          Filesize

          1.2MB

          MD5

          7bcc923b273d609917761fc6fa255103

          SHA1

          b7f5be00732e90a0592adc5af9aaa49fc6cede3b

          SHA256

          9c7e0877649c62974d6532a0a6ab42ca29be6844b18600d7368314b935a6d7c4

          SHA512

          fa032ac8f3f2d2345c88549eeb3b2c2b63c5e852b0b3862701dd14805a91e1e06eda171989ed45a4792f1bd25171054266dc0f4bc67d20e0f3ce40f2890d78e6

          Download Submit

        • memory/1204-24-0x0000000002940000-0x0000000002947000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-28-0x00000000774B1000-0x00000000774B2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-4-0x00000000772A6000-0x00000000772A7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-16-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-37-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-5-0x0000000002960000-0x0000000002961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-46-0x00000000772A6000-0x00000000772A7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-25-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-29-0x0000000077640000-0x0000000077642000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-45-0x000007FEF6540000-0x000007FEF6670000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-0-0x0000000001E00000-0x0000000001E07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1244-1-0x000007FEF6540000-0x000007FEF6670000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2108-89-0x000007FEF6530000-0x000007FEF6662000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2108-94-0x000007FEF6530000-0x000007FEF6662000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2632-60-0x000007FEF6BC0000-0x000007FEF6CF1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2632-55-0x000007FEF6BC0000-0x000007FEF6CF1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2632-54-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2920-72-0x000007FEF6030000-0x000007FEF6194000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2920-77-0x000007FEF6030000-0x000007FEF6194000-memory.dmp

          Filesize

          1.4MB

          Download