Overview

overview

10

Static

static

3

f85ef19bb0...18.dll

windows7-x64

10

f85ef19bb0...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    26-09-2024 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f85ef19bb03d5ca288b7b6aa1077168c_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    f85ef19bb03d5ca288b7b6aa1077168c

  • SHA1

    abfb99abb75dbdaa00e7b3827c22817180c3a016

  • SHA256

    3a5d69c3a2b52ad6d2eb5c1471ca4e93fbb17cae1bc33972a67c2aedda09581f

  • SHA512

    0a4d9fdc3ab4694f6ce9ef3dc5251d1f048a60bdf73ccde4e6e00c6074fa4ba69ead7aaa0c63ebdc83ce00a453c935c8a4b4f1953f709dfcd8d57be10e42e485

  • SSDEEP

    24576:QuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:A9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f85ef19bb03d5ca288b7b6aa1077168c_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1452
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    1⤵
      PID:2972
    • C:\Users\Admin\AppData\Local\ckKbokPBY\raserver.exe
      C:\Users\Admin\AppData\Local\ckKbokPBY\raserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2616
    • C:\Windows\system32\wisptis.exe
      C:\Windows\system32\wisptis.exe
      1⤵
        PID:2324
      • C:\Users\Admin\AppData\Local\icw1O\wisptis.exe
        C:\Users\Admin\AppData\Local\icw1O\wisptis.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2440
      • C:\Windows\system32\spinstall.exe
        C:\Windows\system32\spinstall.exe
        1⤵
          PID:2968
        • C:\Users\Admin\AppData\Local\nd2e\spinstall.exe
          C:\Users\Admin\AppData\Local\nd2e\spinstall.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1936

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ckKbokPBY\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          5769eab96bf951ec99e0a3218f293764

          SHA1

          41f55556f01a72198612e1f68a8e6c2275bb0ef4

          SHA256

          7d5ad8a9a3c9d6a974892bafa81137e0a6a73c1c55156a5aa9dc5188b0e44d2d

          SHA512

          5168a934a218c89176f75f67fad8ac96e78e558d97b35c943a157864e1bc2a41859b09d4521ec72e137b7d9cd3f01b0399195b8dafdbd8ffb036bb8fb54b45d0

          Download Submit

        • C:\Users\Admin\AppData\Local\icw1O\HID.DLL
          Filesize

          1.2MB

          MD5

          09748a4ca9316999fb07abc3f418e27f

          SHA1

          aabb44bc3cc164dedeccd9700c57511907a806e7

          SHA256

          d9b150c61d4d7de266ffad60509f6010abe6bf7305a7fea4d7f7d11c1e52e8d7

          SHA512

          d4b26c7c7200707cb8340724e9133ef9b445458d0ebe7688962834166fe3d8433b14e751f9a6408271fa404b07777df5784d221eab643ff725fe190d2117211e

          Download Submit

        • C:\Users\Admin\AppData\Local\nd2e\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          7513e55f426079b6b52f0552a7803462

          SHA1

          a226c22be48e94d2ebb4bea498f851330df7ad5a

          SHA256

          dcedc57c6491efeca3a4733f843dce09a783b2a98524a9af9b1f94a5be5ce783

          SHA512

          465e1f02f1ea1abf09dc9ee8bd049a5fc83c3ffc8a585bcc6d78355de43c389112c58d064e55122a5513f02aa4029a3b9c8a036e95c90a73740770b9013a1386

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
          Filesize

          1KB

          MD5

          ffb82126457de128c3acec5a1d403491

          SHA1

          9f025a64dc217b0cbcfff7db1e2fe355fbf325e5

          SHA256

          841a651c8a80fc53c57ce7524c65496470abc6a1c6773d8795bbd22f2ab49420

          SHA512

          8500631abe4763d7cf942102f3b578eb130b9f6e44e7d61e8ac9a263e1adc61abab70deb1e02b777378933e69beeefffa557ced1b8dbfa093e4a169ad8514c73

          Download Submit

        • \Users\Admin\AppData\Local\ckKbokPBY\raserver.exe
          Filesize

          123KB

          MD5

          cd0bc0b6b8d219808aea3ecd4e889b19

          SHA1

          9f8f4071ce2484008e36fdfd963378f4ebad703f

          SHA256

          16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

          SHA512

          84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

          Download Submit

        • \Users\Admin\AppData\Local\icw1O\wisptis.exe
          Filesize

          396KB

          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit

        • \Users\Admin\AppData\Local\nd2e\spinstall.exe
          Filesize

          584KB

          MD5

          29c1d5b330b802efa1a8357373bc97fe

          SHA1

          90797aaa2c56fc2a667c74475996ea1841bc368f

          SHA256

          048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

          SHA512

          66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

          Download Submit

        • memory/1204-28-0x0000000077250000-0x0000000077252000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-47-0x0000000076FB6000-0x0000000076FB7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-27-0x00000000770C1000-0x00000000770C2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-26-0x0000000002D70000-0x0000000002D77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-4-0x0000000076FB6000-0x0000000076FB7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-38-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-5-0x0000000002D90000-0x0000000002D91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1204-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1452-46-0x000007FEF6090000-0x000007FEF61C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1452-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1452-0-0x000007FEF6090000-0x000007FEF61C1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1936-88-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1936-94-0x000007FEF6090000-0x000007FEF61C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2440-73-0x00000000002B0000-0x00000000002B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2440-74-0x000007FEF6090000-0x000007FEF61C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2440-78-0x000007FEF6090000-0x000007FEF61C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2616-61-0x000007FEF67D0000-0x000007FEF6902000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2616-56-0x000007FEF67D0000-0x000007FEF6902000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2616-55-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download