Overview

overview

10

Static

static

3

35a49d0b8e...18.dll

windows7-x64

10

35a49d0b8e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    35a49d0b8e5d1748ef8ed60d646e62b0_JaffaCakes118.dll

  • Size

    1.1MB

  • MD5

    35a49d0b8e5d1748ef8ed60d646e62b0

  • SHA1

    4556bb402441ff4ed307b75c4fc54596f78cbd15

  • SHA256

    bad0daeaf20a474f44a060b49aa175aec0145a1a1765881426e1e6781f22b543

  • SHA512

    7bd08faa1a6eb6b5843f78c40d70c4488f1f997c3b099287142c54af0d1d35a57073946ed7700fe832b129599fff895824ba1efea55cde58adeaa668be090b54

  • SSDEEP

    12288:PdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0Ty:VMIJxSDX3bqjhcfHk7MzH6z

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\35a49d0b8e5d1748ef8ed60d646e62b0_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2424
  • C:\Windows\system32\mfpmp.exe
    C:\Windows\system32\mfpmp.exe
    1⤵
      PID:2092
    • C:\Users\Admin\AppData\Local\X5ZjDOi\mfpmp.exe
      C:\Users\Admin\AppData\Local\X5ZjDOi\mfpmp.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1988
    • C:\Windows\system32\psr.exe
      C:\Windows\system32\psr.exe
      1⤵
        PID:2660
      • C:\Users\Admin\AppData\Local\hoKQlZL\psr.exe
        C:\Users\Admin\AppData\Local\hoKQlZL\psr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2828
      • C:\Windows\system32\DeviceDisplayObjectProvider.exe
        C:\Windows\system32\DeviceDisplayObjectProvider.exe
        1⤵
          PID:2308
        • C:\Users\Admin\AppData\Local\rDrFhAq1\DeviceDisplayObjectProvider.exe
          C:\Users\Admin\AppData\Local\rDrFhAq1\DeviceDisplayObjectProvider.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3048

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\X5ZjDOi\MFPlat.DLL
          Filesize

          1.1MB

          MD5

          786047cca653d58dd73d83006a5340af

          SHA1

          8397b69a899467f1b96864b9f710497803202f5c

          SHA256

          aff2300fe16aa071c42f50a85d95460823bc823d8dd2f97f36f21b262b175c97

          SHA512

          9a9c53e7168c7c66507a93ba12eb41245ac2f6b59bf8876fb84bd8bad87145cc1ce5bf72b4aceec95dd2468e649fd47b84784bae57f1d5d28bedb47323754bf3

          Download Submit

        • C:\Users\Admin\AppData\Local\hoKQlZL\OLEACC.dll
          Filesize

          1.1MB

          MD5

          f61062a88f9d05c9947500e26bd15d16

          SHA1

          f6911c797b280ae50d274a7ae2dde4df64950515

          SHA256

          921e9e75a0f4feee68b3482dcfb10a239da2305bb8c670328ce0136417ea0cb3

          SHA512

          f875d3e11b94aa2b309842a24a82333078880e704990978a477f0c936b61c630d78bf9052863e863b45587130a762215e02076a91e09ebdaa73f15199eeed76f

          Download Submit

        • C:\Users\Admin\AppData\Local\rDrFhAq1\XmlLite.dll
          Filesize

          1.1MB

          MD5

          72dcae9191ea13ac2f1400978e8ccdc3

          SHA1

          83cd7262fb96fb58400ae040881cae8c685d016f

          SHA256

          7908bba909800aa4455788730a27ad3c5ab9af27e4c4a4a3f75eff6e7b7ad18a

          SHA512

          43e1657f46fb5f89f5b174048acf57a8be6ce4a0ae1ff02479f7b2f0d32dbf8525636c1c250a8ec5e1b487ef83b4cff14dd6754f03b577300281a331dc3a661d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          1e223c75a88f6f1a7fb19bfe82c26a16

          SHA1

          a67f265e30f7e8403585007ca7e822e5a0a29b65

          SHA256

          bc02819cddb36fd0a0f3b3c95fd09b800dfcf5523e7da17df371ab3c32829471

          SHA512

          0bf6df466b264a430d0ab3d4c199969c8f6107e03f942c813e004178b9f046b89b5f29dc4d741f35a7e29ed4de2665d7b902289921b67b22609d97529eaf0cc4

          Download Submit

        • \Users\Admin\AppData\Local\X5ZjDOi\mfpmp.exe
          Filesize

          24KB

          MD5

          2d8600b94de72a9d771cbb56b9f9c331

          SHA1

          a0e2ac409159546183aa45875497844c4adb5aac

          SHA256

          7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

          SHA512

          3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

          Download Submit

        • \Users\Admin\AppData\Local\hoKQlZL\psr.exe
          Filesize

          715KB

          MD5

          a80527109d75cba125d940b007eea151

          SHA1

          facf32a9ede6abfaa09368bfdfcfec8554107272

          SHA256

          68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

          SHA512

          77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

          Download Submit

        • \Users\Admin\AppData\Local\rDrFhAq1\DeviceDisplayObjectProvider.exe
          Filesize

          109KB

          MD5

          7e2eb3a4ae11190ef4c8a9b9a9123234

          SHA1

          72e98687a8d28614e2131c300403c2822856e865

          SHA256

          8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

          SHA512

          18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

          Download Submit

        • memory/1188-18-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-13-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-45-0x0000000077CF0000-0x0000000077CF2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-44-0x0000000077CC0000-0x0000000077CC2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-43-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-34-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-33-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-32-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-31-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-30-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-29-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-28-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-26-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-24-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-23-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-22-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-21-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-20-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-19-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-3-0x0000000077A56000-0x0000000077A57000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-17-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-16-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-14-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-42-0x0000000001CE0000-0x0000000001CE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-12-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-11-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-10-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-9-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-8-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-7-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-54-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-55-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-4-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-64-0x0000000077A56000-0x0000000077A57000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-25-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-27-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-6-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1188-15-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1988-77-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1988-72-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1988-73-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2424-63-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2424-0-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2424-2-0x0000000140000000-0x0000000140115000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2828-91-0x00000000000E0000-0x00000000000E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2828-92-0x0000000140000000-0x0000000140116000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2828-96-0x0000000140000000-0x0000000140116000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3048-116-0x0000000140000000-0x0000000140116000-memory.dmp

          Filesize

          1.1MB

          Download