Overview

overview

10

Static

static

3

034426c5bd...18.dll

windows7-x64

10

034426c5bd...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    034426c5bd525235fcafbbb062e0906c_JaffaCakes118.dll

  • Size

    840KB

  • MD5

    034426c5bd525235fcafbbb062e0906c

  • SHA1

    035feff6c9fd3656aa4e91d9478d78fac9cab06d

  • SHA256

    eeae042764b330ce8fcf47e9f959389658b9babc7d9bf84b9836adc1fec4565d

  • SHA512

    182eefa4e540076bf5d65f193142eb6b15713c2449d2a45c788b6e6fcddb241a542fe763481c5eb6673d6861642efde081d3ee3cbb9421e51d0dba1f4980fc76

  • SSDEEP

    12288:PdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:VMIJxSDX3bqjhcfHk7MzH6z

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\034426c5bd525235fcafbbb062e0906c_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2736
  • C:\Windows\system32\wbengine.exe
    C:\Windows\system32\wbengine.exe
    1⤵
      PID:2112
    • C:\Users\Admin\AppData\Local\AGA1KQiT\wbengine.exe
      C:\Users\Admin\AppData\Local\AGA1KQiT\wbengine.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1096
    • C:\Windows\system32\raserver.exe
      C:\Windows\system32\raserver.exe
      1⤵
        PID:2720
      • C:\Users\Admin\AppData\Local\hmCAZd\raserver.exe
        C:\Users\Admin\AppData\Local\hmCAZd\raserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1628
      • C:\Windows\system32\mfpmp.exe
        C:\Windows\system32\mfpmp.exe
        1⤵
          PID:2020
        • C:\Users\Admin\AppData\Local\ANibHdad\mfpmp.exe
          C:\Users\Admin\AppData\Local\ANibHdad\mfpmp.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2396

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\AGA1KQiT\XmlLite.dll
          Filesize

          844KB

          MD5

          bdb0495c908c41d2ab2b7a7ce2be812a

          SHA1

          2b5627cd8d83ed99ed5f9d37d54613e40c86dc0f

          SHA256

          2d2a9571481e59d8034d0442732806d886001f202d5687d81bb537757c32702b

          SHA512

          a9ae3320e6feaf5fe53258e654abfda1e9af12b2a11aa545fbb43e1ab4f97bc9da4d5a1fa76719ad20828cdfb815637e259b94a75649b7e54a9a1e9d9c8500bb

          Download Submit

        • C:\Users\Admin\AppData\Local\ANibHdad\MFPlat.DLL
          Filesize

          848KB

          MD5

          9fc1e36d6e5f8e43e8e9e6ee45a7ceda

          SHA1

          0fef52956241a3db1611ae05fb5ddbb4272872f9

          SHA256

          41d5fd1392501eeb640946919e710431612b3ab5bdbd5e75b4a26a03af4d3b7f

          SHA512

          e8c0f61233b1bccd67ae29f023d7815321046f7f27048c9f3cc6d527e635398a6b15c0ae840665734f232ac325fb30478f90bb3da5f3e266908da33b3de2aad4

          Download Submit

        • C:\Users\Admin\AppData\Local\hmCAZd\WTSAPI32.dll
          Filesize

          844KB

          MD5

          d1f6b07eceb98411f1406ac85d8c9507

          SHA1

          770437b6ae590631e2365461f1ea706fc1cedee6

          SHA256

          330eb1649c8ee07eac63a4925cc8663993985f1c8a07e3b4d62941c22ad55ab8

          SHA512

          e2e1f46d863ce825e1349921437ba29c21a85aadb3726e349c0da40c3a303e1d2af1a827ef9eaf6236ee4f2839d9bd63cd78bad8c03f8cd59593206f85bf22a5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wzkhocxsoqdr.lnk
          Filesize

          1KB

          MD5

          abe481c4fd5bd976044a5840058a7ad2

          SHA1

          1e17fb7a83fa5f4fb4c6f706712951202e60ec63

          SHA256

          7174f2cbb10db15b7fa1f319317c7355a5f6d2f6659516a74973d922fb54a908

          SHA512

          3a6ab332e0366c067c6de7f9cfb46f9d99605f1d3145a4b949426eabc497747ac524dbf7d884917b244af7742bcd37aa29e694eb59bb156e76fba4a359e534e9

          Download Submit

        • \Users\Admin\AppData\Local\AGA1KQiT\wbengine.exe
          Filesize

          1.4MB

          MD5

          78f4e7f5c56cb9716238eb57da4b6a75

          SHA1

          98b0b9db6ec5961dbb274eff433a8bc21f7e557b

          SHA256

          46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

          SHA512

          1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

          Download Submit

        • \Users\Admin\AppData\Local\ANibHdad\mfpmp.exe
          Filesize

          24KB

          MD5

          2d8600b94de72a9d771cbb56b9f9c331

          SHA1

          a0e2ac409159546183aa45875497844c4adb5aac

          SHA256

          7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

          SHA512

          3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

          Download Submit

        • \Users\Admin\AppData\Local\hmCAZd\raserver.exe
          Filesize

          123KB

          MD5

          cd0bc0b6b8d219808aea3ecd4e889b19

          SHA1

          9f8f4071ce2484008e36fdfd963378f4ebad703f

          SHA256

          16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

          SHA512

          84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

          Download Submit

        • memory/1096-80-0x0000000140000000-0x00000001400D3000-memory.dmp

          Filesize

          844KB

          Download

        • memory/1096-75-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1096-76-0x0000000140000000-0x00000001400D3000-memory.dmp

          Filesize

          844KB

          Download

        • memory/1228-22-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-18-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-48-0x0000000077820000-0x0000000077822000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1228-47-0x00000000777F0000-0x00000000777F2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1228-46-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-37-0x0000000002270000-0x0000000002277000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1228-36-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-35-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-34-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-33-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-32-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-31-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-30-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-29-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-28-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-27-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-25-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-23-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-3-0x0000000077486000-0x0000000077487000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1228-19-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-21-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-20-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-17-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-38-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-15-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-16-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-14-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-13-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-58-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-59-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-67-0x0000000077486000-0x0000000077487000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1228-24-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-9-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-10-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-11-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-12-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-8-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-26-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-4-0x00000000026A0000-0x00000000026A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1228-6-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1228-7-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/1628-97-0x0000000140000000-0x00000001400D3000-memory.dmp

          Filesize

          844KB

          Download

        • memory/1628-92-0x00000000001F0000-0x00000000001F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2396-109-0x00000000000E0000-0x00000000000E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2396-111-0x0000000140000000-0x00000001400D4000-memory.dmp

          Filesize

          848KB

          Download

        • memory/2736-1-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/2736-0-0x0000000000210000-0x0000000000217000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2736-52-0x0000000140000000-0x00000001400D2000-memory.dmp

          Filesize

          840KB

          Download