Overview

overview

10

Static

static

3

f8881045a1...18.dll

windows7-x64

10

f8881045a1...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-09-2024 14:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8881045a1ea4f61e672b9e6edcc4a8b_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    f8881045a1ea4f61e672b9e6edcc4a8b

  • SHA1

    aebacdb61c914143ba4160c44fa458be9559f358

  • SHA256

    505e175a4ff5d40800c0cf4a00332b8230504090a9f24b1f255d86770dbb23b6

  • SHA512

    b683a09a09942ba5e0d16ed752d81bfe72cfa8f100d9ec7dd6bbfb98495cdb26eb383beafa16e777a1452f9758cfe0305545381cbb5c32019119926440741992

  • SSDEEP

    24576:muYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:G9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8881045a1ea4f61e672b9e6edcc4a8b_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:984
  • C:\Windows\system32\VaultSysUi.exe
    C:\Windows\system32\VaultSysUi.exe
    1⤵
      PID:2576
    • C:\Users\Admin\AppData\Local\IlJJmS0d\VaultSysUi.exe
      C:\Users\Admin\AppData\Local\IlJJmS0d\VaultSysUi.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2908
    • C:\Windows\system32\dpnsvr.exe
      C:\Windows\system32\dpnsvr.exe
      1⤵
        PID:3044
      • C:\Users\Admin\AppData\Local\Raib6\dpnsvr.exe
        C:\Users\Admin\AppData\Local\Raib6\dpnsvr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2800
      • C:\Windows\system32\wextract.exe
        C:\Windows\system32\wextract.exe
        1⤵
          PID:2580
        • C:\Users\Admin\AppData\Local\puDpfTB0\wextract.exe
          C:\Users\Admin\AppData\Local\puDpfTB0\wextract.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2356

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IlJJmS0d\credui.dll
          Filesize

          1.2MB

          MD5

          ba0cfd74dbf7938fa7785953ae18772e

          SHA1

          445b79222020fb2a524f3bf53d715a6d29e65185

          SHA256

          2d0bb8e7967b7aa13aefe730d8d5b6e197c8b79c56571d45d1b42cd3d0fcd80d

          SHA512

          4f5fcfab66e1a78e9b191a64fabb8d42b67ac1ab092db697b88136365094567c401e84b7fb22f24d3b6f9fc132f68475247a241e09d5428bb5c0f22b8ef9bdab

          Download Submit

        • C:\Users\Admin\AppData\Local\Raib6\WINMM.dll
          Filesize

          1.2MB

          MD5

          d5098227a882337c295ee44054c84671

          SHA1

          ddc8b36f4df1f08700f5895e371fbfcb72743364

          SHA256

          d4aa26b78c6a30ae3a478a48751feaebcfc8cd0d91911d22e6e274550ef0ef91

          SHA512

          3ae3c28cabf57e43687e6ade4cfea66ddabe7499d22ed86e64c0166ae847b3b7e460fee50d808e260ef3cc6f42cf0984d138f3732b0c6f9de390e5eafd1238c9

          Download Submit

        • C:\Users\Admin\AppData\Local\puDpfTB0\VERSION.dll
          Filesize

          1.2MB

          MD5

          ebc7a714a95a95c20cd91c7d8c28429d

          SHA1

          a2a83014fb2f96511ce76765bf18ac40b1cc7ec5

          SHA256

          be0b12b28b5960b118b12ed6c94257d5b4dbec1739962de90dd5141f93da46e0

          SHA512

          d5b6cd6f05b411ac8a244748760865c8c0e2e2562335f28488e58ef846beaca5069bc438a5c9751ac7326ea0839be4a45a91cfd606e1f5bb8fad5d7bcb00650c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wzkhocxsoqdr.lnk
          Filesize

          1KB

          MD5

          cf0ff1a231958587629c4c976eaefb31

          SHA1

          50485e56e77daad15600ac11d50f57045bf48064

          SHA256

          75ba02d23c9960b50000623dc69ddd7318f738e26ca8af05de4d1cde9e70b0f6

          SHA512

          0c0e3128dcf3c351aa00c1168eaad6f4d33f7489582bc7d87f14c47b2e9911ad3fdf58338274a5660734b15e978d98bfeaeed6c8ef046f9c0096af6f8332b16f

          Download Submit

        • \Users\Admin\AppData\Local\IlJJmS0d\VaultSysUi.exe
          Filesize

          39KB

          MD5

          f40ef105d94350d36c799ee23f7fec0f

          SHA1

          ee3a5cfe8b807e1c1718a27eb97fa134360816e3

          SHA256

          eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

          SHA512

          f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

          Download Submit

        • \Users\Admin\AppData\Local\Raib6\dpnsvr.exe
          Filesize

          33KB

          MD5

          6806b72978f6bd27aef57899be68b93b

          SHA1

          713c246d0b0b8dcc298afaed4f62aed82789951c

          SHA256

          3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

          SHA512

          43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

          Download Submit

        • \Users\Admin\AppData\Local\puDpfTB0\wextract.exe
          Filesize

          140KB

          MD5

          1ea6500c25a80e8bdb65099c509af993

          SHA1

          6a090ef561feb4ae1c6794de5b19c5e893c4aafc

          SHA256

          99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

          SHA512

          b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

          Download Submit

        • memory/984-0-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/984-1-0x000007FEF6C90000-0x000007FEF6DC1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/984-31-0x000007FEF6C90000-0x000007FEF6DC1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-28-0x0000000077710000-0x0000000077712000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1244-34-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-27-0x0000000077581000-0x0000000077582000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-35-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-43-0x0000000077376000-0x0000000077377000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-4-0x0000000077376000-0x0000000077377000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1244-5-0x0000000002B10000-0x0000000002B11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1244-26-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1244-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2356-90-0x0000000000370000-0x0000000000377000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2356-92-0x000007FEF6C90000-0x000007FEF6DC2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2356-96-0x000007FEF6C90000-0x000007FEF6DC2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2800-78-0x000007FEF6C90000-0x000007FEF6DC3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2800-73-0x000007FEF6C90000-0x000007FEF6DC3000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2800-72-0x0000000000170000-0x0000000000177000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2908-60-0x000007FEFB1C0000-0x000007FEFB2F2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2908-55-0x000007FEFB1C0000-0x000007FEFB2F2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2908-54-0x0000000000070000-0x0000000000077000-memory.dmp

          Filesize

          28KB

          Download