Overview

overview

10

Static

static

3

9b736eaf2c...18.dll

windows7-x64

10

9b736eaf2c...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2024 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b736eaf2c05ce53035ffd01e89966ec_JaffaCakes118.dll

  • Size

    908KB

  • MD5

    9b736eaf2c05ce53035ffd01e89966ec

  • SHA1

    c80b5109d5996dec0d4764b3a8524a2f82af1cde

  • SHA256

    cae5ab2ba8aa12b42c216e1d1b3efb016a89826e07e1bba5213e6ede4fb11a00

  • SHA512

    86c87851b5fe98215ab9d835139626c297522761daeb5f753cc998172e36275ceebd997b0f6a6b59da2ec42a8223ab86dfceafbf58ecb3dd6f8a1359df1cd00a

  • SSDEEP

    24576:QKfE4IeyDiRhMnFKO2pS9BDrFYA7CKW5:d3yDiRhYF22B57i5

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b736eaf2c05ce53035ffd01e89966ec_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1856
  • C:\Windows\system32\DWWIN.EXE
    C:\Windows\system32\DWWIN.EXE
    1⤵
      PID:1920
    • C:\Users\Admin\AppData\Local\9N3SB\DWWIN.EXE
      C:\Users\Admin\AppData\Local\9N3SB\DWWIN.EXE
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4836
    • C:\Windows\system32\RdpSa.exe
      C:\Windows\system32\RdpSa.exe
      1⤵
        PID:4320
      • C:\Users\Admin\AppData\Local\Ju392pbX\RdpSa.exe
        C:\Users\Admin\AppData\Local\Ju392pbX\RdpSa.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1932
      • C:\Windows\system32\slui.exe
        C:\Windows\system32\slui.exe
        1⤵
          PID:1268
        • C:\Users\Admin\AppData\Local\v61f9ys0\slui.exe
          C:\Users\Admin\AppData\Local\v61f9ys0\slui.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4208

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9N3SB\DWWIN.EXE
          Filesize

          229KB

          MD5

          444cc4d3422a0fdd45c1b78070026c60

          SHA1

          97162ff341fff1ec54b827ec02f8b86fd2d41a97

          SHA256

          4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

          SHA512

          21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

          Download Submit

        • C:\Users\Admin\AppData\Local\9N3SB\wer.dll
          Filesize

          916KB

          MD5

          0e8f2b175e75c218cf6abc5ca2911aad

          SHA1

          5b514df7f9334050f111b7aaf597cfd5398c98cd

          SHA256

          62945399842e133ecd28871d9e0274efa494179df21a3b40d913c6cdbb754c09

          SHA512

          4cfd9eec77df15ba7b2cf9efc8f81fae10b97a3a19747b7cad882994c6541e296dc0d77eb63d8b6b3b8bbf607f8fc9a4749484012626e8ab71a8f6e72c8f7c01

          Download Submit

        • C:\Users\Admin\AppData\Local\Ju392pbX\RdpSa.exe
          Filesize

          56KB

          MD5

          5992f5b5d0b296b83877da15b54dd1b4

          SHA1

          0d87be8d4b7aeada4b55d1d05c0539df892f8f82

          SHA256

          32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

          SHA512

          4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

          Download Submit

        • C:\Users\Admin\AppData\Local\Ju392pbX\WINSTA.dll
          Filesize

          916KB

          MD5

          06e01f35f2721f08bcb0ad54ccbd0e5f

          SHA1

          c0264e9fedff6f2ff13850ce08ae7c8724baf9a1

          SHA256

          3bf0033df8f60d9be9426d9bdbfbd10110e343a1083127666d161a182947e0c8

          SHA512

          ea50ca4c02153ef84ad3dc169e9c48da80f173e1b88d8e2db6897e9e33299f44415c7c5fc78d439b28ffd1eb2c5961ba90878c6f7098df3910f029f9d5516553

          Download Submit

        • C:\Users\Admin\AppData\Local\v61f9ys0\WINBRAND.dll
          Filesize

          912KB

          MD5

          63d129499dc6b31fc3d01d35c66029d0

          SHA1

          2893ddf6d1c8cad08ccc07a3ef4a2dc740cb4719

          SHA256

          15ad43cd6c3368eac78533e7b549db4d2d6b8c7219dc5fbb84d9be748c5269cc

          SHA512

          93cd5e28b19fdbdae6aaf6b967dd9549ccf3ed3827f09816858e29f16766caf110e116f39f90bd64d652286611d20d6ef908de13a29fa61b1c045cc99f13ccaf

          Download Submit

        • C:\Users\Admin\AppData\Local\v61f9ys0\slui.exe
          Filesize

          534KB

          MD5

          eb725ea35a13dc18eac46aa81e7f2841

          SHA1

          c0b3304c970324952e18c4a51073e3bdec73440b

          SHA256

          25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

          SHA512

          39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk
          Filesize

          1KB

          MD5

          2445c315392dde969dd272acc7ea6058

          SHA1

          de2b0b92a5a7c9850a610b7527e5a40aece951e1

          SHA256

          b78e83fc1ce908f9a9665741c5517662de86a9946b0a6d4b9c654e57a92de8c1

          SHA512

          e03d457a1d36a60818ef2a1ca5c900afdd1fe1693dc34eb905ffcf562d229e29f6ea28ad35ef64d2271def23d62c90d4764097962e455c95b7b6c484ce4dd01e

          Download Submit

        • memory/1856-0-0x0000018681760000-0x0000018681767000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1856-1-0x00007FFD47FB0000-0x00007FFD48093000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1856-41-0x00007FFD47FB0000-0x00007FFD48093000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1932-69-0x00007FFD37CA0000-0x00007FFD37D85000-memory.dmp

          Filesize

          916KB

          Download

        • memory/1932-64-0x00000202C72C0000-0x00000202C72C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-28-0x00007FFD56020000-0x00007FFD56030000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-12-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-8-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-7-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-6-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-29-0x00007FFD56010000-0x00007FFD56020000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-17-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-27-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-38-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-5-0x00007FFD5577A000-0x00007FFD5577B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-3-0x0000000001640000-0x0000000001641000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-9-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-10-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-11-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-14-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-19-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-26-0x0000000001650000-0x0000000001657000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-13-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-15-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-16-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3520-18-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/4208-80-0x00007FFD37CA0000-0x00007FFD37D84000-memory.dmp

          Filesize

          912KB

          Download

        • memory/4208-84-0x00007FFD37CA0000-0x00007FFD37D84000-memory.dmp

          Filesize

          912KB

          Download

        • memory/4836-53-0x00007FFD37CA0000-0x00007FFD37D85000-memory.dmp

          Filesize

          916KB

          Download

        • memory/4836-48-0x000002A55C700000-0x000002A55C707000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4836-49-0x00007FFD37CA0000-0x00007FFD37D85000-memory.dmp

          Filesize

          916KB

          Download