Overview

overview

10

Static

static

3

fd08217e7b...18.dll

windows7-x64

10

fd08217e7b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-09-2024 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd08217e7bf39060422120e0bf0c3c55_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    fd08217e7bf39060422120e0bf0c3c55

  • SHA1

    30b0479d71ea93a53e6ba7dc47c5f3cbf226de13

  • SHA256

    71589f5444e986a5cb4bd2043518f4209f7afa633c826b3f8471dba7a47a689f

  • SHA512

    c0aff810372c653b505c50abd8a21960dc951798102cf726373178f53fe7cf96d33f97baacd0b98e34eee4fa3416243fe0af4f3ef9f1ff5b3ba6eb194fe98208

  • SSDEEP

    24576:suYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:E9cKrUqZWLAcU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd08217e7bf39060422120e0bf0c3c55_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3016
  • C:\Windows\system32\WFS.exe
    C:\Windows\system32\WFS.exe
    1⤵
      PID:2560
    • C:\Users\Admin\AppData\Local\PZU04Qt5u\WFS.exe
      C:\Users\Admin\AppData\Local\PZU04Qt5u\WFS.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2572
    • C:\Windows\system32\SndVol.exe
      C:\Windows\system32\SndVol.exe
      1⤵
        PID:1792
      • C:\Users\Admin\AppData\Local\C9jMOR4c\SndVol.exe
        C:\Users\Admin\AppData\Local\C9jMOR4c\SndVol.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1832
      • C:\Windows\system32\xpsrchvw.exe
        C:\Windows\system32\xpsrchvw.exe
        1⤵
          PID:2060
        • C:\Users\Admin\AppData\Local\Unot\xpsrchvw.exe
          C:\Users\Admin\AppData\Local\Unot\xpsrchvw.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2196

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\C9jMOR4c\SndVol.exe
          Filesize

          267KB

          MD5

          c3489639ec8e181044f6c6bfd3d01ac9

          SHA1

          e057c90b675a6da19596b0ac458c25d7440b7869

          SHA256

          a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

          SHA512

          63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

          Download Submit

        • C:\Users\Admin\AppData\Local\C9jMOR4c\dwmapi.dll
          Filesize

          1.2MB

          MD5

          2c3f3b43a5b76e08c55a7ab1823d1c45

          SHA1

          732387467555f4452c68c8ee39c1de035d8c9d40

          SHA256

          38808937dbd20aca8d0798bcf692646b95b34d562600b8eb4e5e915fe30e159d

          SHA512

          1faf8f9c7287866f5ba428da5b53214a3b98216e738d71229959a5e2c3791ee6c43405116bdf062cdc395a6c8cb7f226cbb3e98ecc88c6394f158ae51fc4c28c

          Download Submit

        • C:\Users\Admin\AppData\Local\PZU04Qt5u\UxTheme.dll
          Filesize

          1.2MB

          MD5

          2140cd46193d83b093ff67d67e832ebf

          SHA1

          46fd0d2f8c7bf6276ec132ff6809fe05419f8ba4

          SHA256

          75a48c2cd8c3ff7c85897d1de8a38e961fa366f47c4c949f387cf7947746b9a5

          SHA512

          4bb8789a0944b5fb2dc76a21039aa2c9add9247ffdce60ab105f7765ab92fa696a0bfbba1c1709000bb87d7ee36bed825826e2b5174114792a7df498ae25847b

          Download Submit

        • C:\Users\Admin\AppData\Local\Unot\WINMM.dll
          Filesize

          1.2MB

          MD5

          6bdb719b0857947788fcb2a4fddecd1f

          SHA1

          4554036a95c724523ae1c491bd2a459b0c6ee5be

          SHA256

          eb415e510d69fc81dbbbf165876cf2612480a6657b4e452db4165c9580fbd587

          SHA512

          7a78203f5b6126ac0635961466292903d51fed042ae4c9c0f811fc3ea62e0035f4b1c104a85880a95bf7e38b6c5f9ced42a20b8ef97ef9908e2d64a23de35657

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1KB

          MD5

          e87d2ac1515d360bb98ab5908e8ab305

          SHA1

          72619989694f136ff7844cdc69c949a69fca29c0

          SHA256

          95be8ed865c3bf24b4ff0e342fe28c4f9c5daba005b780d5fa00b3f05d8d6db3

          SHA512

          90c271f50fdd57029f757ab2bd973394c7a7a56c6c85f7b9f8d013d2bf274fe704ce6b0a3b159e81483b2528e2cecde6e53d7e89bf541f005d06ce59cabfa38b

          Download Submit

        • \Users\Admin\AppData\Local\PZU04Qt5u\WFS.exe
          Filesize

          951KB

          MD5

          a943d670747778c7597987a4b5b9a679

          SHA1

          c48b760ff9762205386563b93e8884352645ef40

          SHA256

          1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

          SHA512

          3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

          Download Submit

        • \Users\Admin\AppData\Local\Unot\xpsrchvw.exe
          Filesize

          4.6MB

          MD5

          492cb6a624d5dad73ee0294b5db37dd6

          SHA1

          e74806af04a5147ccabfb5b167eb95a0177c43b3

          SHA256

          ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

          SHA512

          63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

          Download Submit

        • memory/1196-14-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-47-0x0000000077786000-0x0000000077787000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-12-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-13-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-25-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-26-0x0000000002E20000-0x0000000002E27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-27-0x0000000077891000-0x0000000077892000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-17-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-16-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-15-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-30-0x0000000077A20000-0x0000000077A22000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-4-0x0000000077786000-0x0000000077787000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-37-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-38-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-5-0x0000000002E40000-0x0000000002E41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-11-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-7-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-8-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-10-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1196-9-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1832-73-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1832-74-0x000007FEF6980000-0x000007FEF6AB2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1832-79-0x000007FEF6980000-0x000007FEF6AB2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2196-91-0x000007FEF6460000-0x000007FEF6593000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2196-95-0x000007FEF6460000-0x000007FEF6593000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2572-61-0x000007FEF6460000-0x000007FEF6592000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2572-56-0x000007FEF6460000-0x000007FEF6592000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2572-55-0x00000000002B0000-0x00000000002B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3016-46-0x000007FEF6980000-0x000007FEF6AB1000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3016-0-0x0000000000530000-0x0000000000537000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3016-2-0x000007FEF6980000-0x000007FEF6AB1000-memory.dmp

          Filesize

          1.2MB

          Download