Overview

overview

10

Static

static

3

35402b3c98...18.dll

windows7-x64

10

35402b3c98...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    35402b3c982a44a776ba3dd4be28b519_JaffaCakes118.dll

  • Size

    1.3MB

  • MD5

    35402b3c982a44a776ba3dd4be28b519

  • SHA1

    7a274533a4fea0f23671f61e6b81ad52495a86cb

  • SHA256

    95fbd267e006535acc4bd1284e17c966f7862332aa3978e7008db0113e339616

  • SHA512

    713ba3d9c712d64be42845d5b15c0014e3db2025eba7efb8ea977b4e68fa61d85afc006f1afeeed5f2fed61d33fd24fe2e22c112cbf83e99d1cf48b110eaba25

  • SSDEEP

    12288:sdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:eMIJxSDX3bqjhcfHk7MzH6z

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\35402b3c982a44a776ba3dd4be28b519_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2868
  • C:\Windows\system32\rdrleakdiag.exe
    C:\Windows\system32\rdrleakdiag.exe
    1⤵
      PID:2520
    • C:\Users\Admin\AppData\Local\b7o6QrcD\rdrleakdiag.exe
      C:\Users\Admin\AppData\Local\b7o6QrcD\rdrleakdiag.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2456
    • C:\Windows\system32\dccw.exe
      C:\Windows\system32\dccw.exe
      1⤵
        PID:2536
      • C:\Users\Admin\AppData\Local\dbe\dccw.exe
        C:\Users\Admin\AppData\Local\dbe\dccw.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2920
      • C:\Windows\system32\UI0Detect.exe
        C:\Windows\system32\UI0Detect.exe
        1⤵
          PID:2308
        • C:\Users\Admin\AppData\Local\b9DgKRx7\UI0Detect.exe
          C:\Users\Admin\AppData\Local\b9DgKRx7\UI0Detect.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1760

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\b7o6QrcD\wer.dll
          Filesize

          1.3MB

          MD5

          fdd854430393431e51e311460eb511d6

          SHA1

          107cf0a644bfdb54a8dad06e099ff225ea9f57a6

          SHA256

          c372cbe4282f5e735e3576e2a6ab908b149d0651244fc540f456af9f7d8b1980

          SHA512

          e46e68903e0b042e85d4229110dc5f7ce9dadc8f060a096822380b4cf5814f50752afc1e34980bd63647a17d3824246ee776f9a731e67f098dae3b25664b692b

          Download Submit

        • C:\Users\Admin\AppData\Local\b9DgKRx7\WTSAPI32.dll
          Filesize

          1.3MB

          MD5

          96431625c5155c217e81dcccbd4da920

          SHA1

          925bf85b3e11308d223f42e79cefb5a469915c91

          SHA256

          66d11ad0acc968714c611c7e3275f6813af7c4c38756c145c89a6e61c20c3012

          SHA512

          ceb343e4faba120d2012aaded4bb803029bbe6c7b218a44e016a6d8f675fe3bbe6a655f1c509658bdd68508b86d0b33cd95a134748c67087bdcd36faa5727c4e

          Download Submit

        • C:\Users\Admin\AppData\Local\dbe\mscms.dll
          Filesize

          1.3MB

          MD5

          3c7a62619af95ce451bcb332e3819575

          SHA1

          8fd32dcb4d90bbcbdfd4f496367a792679641bf4

          SHA256

          a836706bbc9d4745922db5dcf7469849b144d8884b33ecd54fb5409cdd18e985

          SHA512

          5c0c8cecd25494b2ac29932c593d63f46aef284df572426d3136d0ba772092f18c2a3ac6b9b47b8b93f270114db4276fddeb1386ec22291caf499d6246623c20

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          41be7eec9d438a64d2a5c8a89bb2b328

          SHA1

          f836239288d8421bb458b48e7a724fc6dc3c6eb3

          SHA256

          298e314392862c134dd0bec4b6e054b9676d2bc00cb351822be0bcf6c060221d

          SHA512

          7c729a6dcda1773ef73fc2dbae9e7c91133b896919552a72e18cac66257e37c8f61ba9268fe11ec580567ccae3962e858c82a07951bd23eedd455dc5a7b7a31a

          Download Submit

        • \Users\Admin\AppData\Local\b7o6QrcD\rdrleakdiag.exe
          Filesize

          39KB

          MD5

          5e058566af53848541fa23fba4bb5b81

          SHA1

          769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

          SHA256

          ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

          SHA512

          352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

          Download Submit

        • \Users\Admin\AppData\Local\b9DgKRx7\UI0Detect.exe
          Filesize

          40KB

          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

          Download Submit

        • \Users\Admin\AppData\Local\dbe\dccw.exe
          Filesize

          861KB

          MD5

          a46cee731351eb4146db8e8a63a5c520

          SHA1

          8ea441e4a77642e12987ac842b36034230edd731

          SHA256

          283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

          SHA512

          3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

          Download Submit

        • memory/1204-24-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-13-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-10-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-23-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-22-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-21-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-20-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-19-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-18-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-27-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-26-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-42-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-41-0x0000000002DE0000-0x0000000002DE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-33-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-31-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-30-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-29-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-28-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-25-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-3-0x0000000077136000-0x0000000077137000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-17-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-16-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-14-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-7-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-12-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-32-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-11-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-44-0x00000000773D0000-0x00000000773D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-43-0x00000000773A0000-0x00000000773A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-53-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-54-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-4-0x0000000002E00000-0x0000000002E01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-63-0x0000000077136000-0x0000000077137000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-15-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-8-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-6-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1204-9-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1760-105-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1760-110-0x0000000140000000-0x000000014014E000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2456-76-0x0000000140000000-0x000000014014E000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2456-71-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2456-72-0x0000000140000000-0x000000014014E000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2868-62-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2868-0-0x0000000140000000-0x000000014014D000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2868-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2920-90-0x0000000001B40000-0x0000000001B47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2920-93-0x0000000140000000-0x000000014014E000-memory.dmp

          Filesize

          1.3MB

          Download