Overview

overview

10

Static

static

3

65eedb07a6...18.dll

windows7-x64

10

65eedb07a6...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2024 07:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65eedb07a6f749ad69bd6a937505442f_JaffaCakes118.dll

  • Size

    816KB

  • MD5

    65eedb07a6f749ad69bd6a937505442f

  • SHA1

    8a37ca00b017b63c3d231302419d2e89a06d5b7d

  • SHA256

    de08365e362b2d95838d2a3a7a3bcae93cde512cbcc6e0cdbf60f2588350a572

  • SHA512

    d9b1bcdd1c5d0f6ee6f8ec326a7a1cf5370241475204d3fc31f91f31ab76b42e3e5b5fec7402335b46405d2fa47ccdab5e719b71502b3075f6802d0a35551512

  • SSDEEP

    12288:XdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:tMIJxSDX3bqjhcfHk7MzH6z

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\65eedb07a6f749ad69bd6a937505442f_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4088
  • C:\Windows\system32\dxgiadaptercache.exe
    C:\Windows\system32\dxgiadaptercache.exe
    1⤵
      PID:1388
    • C:\Users\Admin\AppData\Local\W3ZDL\dxgiadaptercache.exe
      C:\Users\Admin\AppData\Local\W3ZDL\dxgiadaptercache.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:404
    • C:\Windows\system32\SystemPropertiesHardware.exe
      C:\Windows\system32\SystemPropertiesHardware.exe
      1⤵
        PID:4192
      • C:\Users\Admin\AppData\Local\Oz9tlotl\SystemPropertiesHardware.exe
        C:\Users\Admin\AppData\Local\Oz9tlotl\SystemPropertiesHardware.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:696
      • C:\Windows\system32\mspaint.exe
        C:\Windows\system32\mspaint.exe
        1⤵
          PID:528
        • C:\Users\Admin\AppData\Local\xHwtbucr\mspaint.exe
          C:\Users\Admin\AppData\Local\xHwtbucr\mspaint.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4520

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Oz9tlotl\SYSDM.CPL
          Filesize

          820KB

          MD5

          e17f63efe15749b7c1f5766ab86a9d53

          SHA1

          322c0fcbdb5196dd73e0d85ec4b4028f3c7522b5

          SHA256

          253a74be8203f8c4dce9c0bfe778617264581fb2000b3cfa2ac12bdcc34d559f

          SHA512

          855346be6966f78e1b137b81d3c2b09db47e5997788031227daa375ff3ba0f7da428b7890c8187d1ca281ec18be0df252d2930ffb7f291abbba8bd0be146f3ba

          Download Submit

        • C:\Users\Admin\AppData\Local\Oz9tlotl\SystemPropertiesHardware.exe
          Filesize

          82KB

          MD5

          bf5bc0d70a936890d38d2510ee07a2cd

          SHA1

          69d5971fd264d8128f5633db9003afef5fad8f10

          SHA256

          c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

          SHA512

          0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

          Download Submit

        • C:\Users\Admin\AppData\Local\W3ZDL\dxgi.dll
          Filesize

          820KB

          MD5

          55c1392c4375b3a14f69cdd75d98e550

          SHA1

          e045915ff38bbb48edc314e6756bc5eda594c5b5

          SHA256

          b35109df9130ed1fb9b42a785a5e0df73b36c12a6c6dfd3451f0b0e86d973ded

          SHA512

          80f26de9451d710384ebd5157c6b5e4626ff30d9ca9e8caa50285948e1814c3c7f180be3eeaaba1f58756192bb1fd9eea4cfdd18eefea77d2ad2eb5e067a9a50

          Download Submit

        • C:\Users\Admin\AppData\Local\W3ZDL\dxgiadaptercache.exe
          Filesize

          230KB

          MD5

          e62f89130b7253f7780a862ed9aff294

          SHA1

          b031e64a36e93f95f2061be5b0383069efac2070

          SHA256

          4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

          SHA512

          05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

          Download Submit

        • C:\Users\Admin\AppData\Local\xHwtbucr\MFC42u.dll
          Filesize

          844KB

          MD5

          7c4c707318609e0d3efa89f82e08b143

          SHA1

          3cd70b8c7ae25c1d6bbec72ed5c4086cc00ce217

          SHA256

          6f8a109ce0536e52b8d97ee44159ed5fd3ae5b9ad65a4cc2f1a99d4813cb1a1b

          SHA512

          f546b5cc931335e88fe9c8557cab08894834d2554c9b31712605983360600b6b691806b6ed57cfa383b4461f0fdc2745405cfc280573d3e154998bc94f576816

          Download Submit

        • C:\Users\Admin\AppData\Local\xHwtbucr\mspaint.exe
          Filesize

          965KB

          MD5

          f221a4ccafec690101c59f726c95b646

          SHA1

          2098e4b62eaab213cbee73ba40fe4f1b8901a782

          SHA256

          94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

          SHA512

          8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          157754b07f25d247b62f8b9f61d1b74e

          SHA1

          230356135c7eef89aea0bb5218517472ba34d7d5

          SHA256

          df2fdb3a32a05dd7c09e6c9ad15531d50d47e346dc1cc6c7cc96ac61b5e02797

          SHA512

          5b83eee0d9034e24de559a18c32aa3bf530495b7caae2306bc9d8a5e578ffec2b5b6a2298988999f8dfb9f5edccbb5f5623c04c6230e2a9eadfd23ca947e599c

          Download Submit

        • memory/404-72-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/404-68-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/404-67-0x00000255FE640000-0x00000255FE647000-memory.dmp

          Filesize

          28KB

          Download

        • memory/696-88-0x0000000140000000-0x00000001400CD000-memory.dmp

          Filesize

          820KB

          Download

        • memory/696-85-0x0000026A26720000-0x0000026A26727000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3476-33-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-8-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-3-0x0000000003410000-0x0000000003411000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3476-32-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-31-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-30-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-29-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-26-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-25-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-24-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-23-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-22-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-21-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-20-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-19-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-17-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-16-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-15-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-14-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-13-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-11-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-10-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-9-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-34-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-7-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-28-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-12-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-6-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-4-0x00007FFACFC2A000-0x00007FFACFC2B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3476-58-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-35-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-36-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-37-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-45-0x0000000001230000-0x0000000001237000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3476-47-0x00007FFACFDA0000-0x00007FFACFDB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3476-48-0x00007FFACFD90000-0x00007FFACFDA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3476-46-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-27-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3476-18-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/4088-56-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/4088-1-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/4088-2-0x00000245C0890000-0x00000245C0897000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4520-102-0x0000020D68080000-0x0000020D68087000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4520-100-0x0000000140000000-0x00000001400D3000-memory.dmp

          Filesize

          844KB

          Download

        • memory/4520-103-0x0000000140000000-0x00000001400D3000-memory.dmp

          Filesize

          844KB

          Download