Overview

overview

10

Static

static

3

fdf4a24f88...18.dll

windows7-x64

10

fdf4a24f88...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    29-09-2024 06:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdf4a24f88214b0a4f02a8669a7c5ff8_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    fdf4a24f88214b0a4f02a8669a7c5ff8

  • SHA1

    d187ad8ffee9d34bbb8dafc787dd3858fe47cfcf

  • SHA256

    a151a8221a96d0ae5359b263a82cdcaf6bc4be7e3272f8c2edcecd8691b7df7f

  • SHA512

    771d54ff126bff1ebc52614c9f62f639f6fa212cf95da56b6bb07df228b88eef30ba7ff2b0d9bc45209b946dec201b47436508b5cd60c21a486fdf2f33854822

  • SSDEEP

    24576:vVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8j3:vV8hf6STw1ZlQauvzSq01ICe6zvme

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fdf4a24f88214b0a4f02a8669a7c5ff8_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2708
  • C:\Windows\system32\wextract.exe
    C:\Windows\system32\wextract.exe
    1⤵
      PID:2156
    • C:\Users\Admin\AppData\Local\ODZ\wextract.exe
      C:\Users\Admin\AppData\Local\ODZ\wextract.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2608
    • C:\Windows\system32\BdeUISrv.exe
      C:\Windows\system32\BdeUISrv.exe
      1⤵
        PID:1928
      • C:\Users\Admin\AppData\Local\Tfnr\BdeUISrv.exe
        C:\Users\Admin\AppData\Local\Tfnr\BdeUISrv.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2296
      • C:\Windows\system32\dvdupgrd.exe
        C:\Windows\system32\dvdupgrd.exe
        1⤵
          PID:376
        • C:\Users\Admin\AppData\Local\haBhwMsF1\dvdupgrd.exe
          C:\Users\Admin\AppData\Local\haBhwMsF1\dvdupgrd.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1608

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ODZ\VERSION.dll
          Filesize

          1.2MB

          MD5

          53838d96ac6bf0c5091bb18139bcb91e

          SHA1

          31efbab51e7ea6ba16e34cbf61864a14df214189

          SHA256

          925ff7262f77b0a8e8514349ac95fd5d717c3f6cad0eb14b615a48c6988559ba

          SHA512

          4007dd555732788c710cbd9fc7f60424ebe0f7f0ca9a604de40d9441347cd9b1460daa1fa34b4f05528b31cf76c9ae049aae35747f1afb6081c609ace7a51258

          Download Submit

        • C:\Users\Admin\AppData\Local\ODZ\wextract.exe
          Filesize

          140KB

          MD5

          1ea6500c25a80e8bdb65099c509af993

          SHA1

          6a090ef561feb4ae1c6794de5b19c5e893c4aafc

          SHA256

          99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

          SHA512

          b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

          Download Submit

        • C:\Users\Admin\AppData\Local\Tfnr\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          9cb9d74c58c37e596ccbbf15187405c4

          SHA1

          545357d4737a4288039526236d89433c67109808

          SHA256

          522f93068690b894a594249b79ccf112f6769b6e55639d40825b6d614ac76b76

          SHA512

          8dad6dd599baed063fe8a7aea967af2e1bd54a7b4e8a5d50c67f474a16c8829e80ee6023c380e14c2af1bf712436414521028ca33d94fc0ed9382f23f29eda39

          Download Submit

        • C:\Users\Admin\AppData\Local\haBhwMsF1\VERSION.dll
          Filesize

          1.2MB

          MD5

          db42526292bfd3bbabfa10932bd271fb

          SHA1

          9e6298b8f39997f9fb11d486d60053fd3cb8bca4

          SHA256

          5a9788aa3aaa16213ae4f56f2f20cdf71731fc1d1d9e3cbd1bb084beca857074

          SHA512

          8e7d3224c0411f9d7c7afd6daad94d03b0b776456cb653fc561c45278945708b548250a532e1172d7566d245b0fb1c8fe33239e4f5a899e7e84c395124807961

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ngqpewzrrtyksiv.lnk
          Filesize

          923B

          MD5

          08d842bb2217ffdcad8ee19797d61db3

          SHA1

          6839876096fd39c780d9f818fce65b8a82110b9a

          SHA256

          5da08c7d83f8ccd0285712f26e59a64dac286a10b9749f01b8a113b9c8d68fff

          SHA512

          3e9e00e082994dce72323602c87958922f911d162033aeaecfbf467465bffa68f700f6eafe58af5aa71855cccad328f7d7a7f30d42db77a14e0845460623b227

          Download Submit

        • \Users\Admin\AppData\Local\Tfnr\BdeUISrv.exe
          Filesize

          47KB

          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit

        • \Users\Admin\AppData\Local\haBhwMsF1\dvdupgrd.exe
          Filesize

          25KB

          MD5

          75a9b4172eac01d9648c6d2133af952f

          SHA1

          63c7e1af762d2b584e9cc841e8b0100f2a482b81

          SHA256

          18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

          SHA512

          5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

          Download Submit

        • memory/1188-35-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-10-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-12-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-14-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-24-0x0000000002180000-0x0000000002187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-26-0x0000000076E90000-0x0000000076E92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-25-0x0000000076D01000-0x0000000076D02000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-13-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-23-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-4-0x0000000076AF6000-0x0000000076AF7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-36-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-5-0x00000000021A0000-0x00000000021A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-45-0x0000000076AF6000-0x0000000076AF7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-11-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-9-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-8-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-7-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1608-93-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2296-76-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-59-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-54-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2608-53-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2708-44-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2708-3-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2708-1-0x0000000140000000-0x000000014012F000-memory.dmp

          Filesize

          1.2MB

          Download