Overview

overview

10

Static

static

3

c86e24c2f5...18.dll

windows7-x64

10

c86e24c2f5...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2024 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c86e24c2f5b246e9512775e35919b9eb_JaffaCakes118.dll

  • Size

    1.0MB

  • MD5

    c86e24c2f5b246e9512775e35919b9eb

  • SHA1

    cc2857b7f1caec4343c7bbe546ffa295f1da2d88

  • SHA256

    2eb3a650289eae678ad899b34b3a4fe7a7aa813d66df7d41666d459cbf617158

  • SHA512

    5f38c9501496f1613879a97f6c45209635fa80ab85fabe48b4ac353d5dd5181b32da4cc94fe3b32bd518ae84f88f7a75cb4f5b69839db0e94708c588dfcbdbef

  • SSDEEP

    12288:8dMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:OMIJxSDX3bqjhcfHk7MzH6z

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c86e24c2f5b246e9512775e35919b9eb_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4436
  • C:\Windows\system32\RdpSa.exe
    C:\Windows\system32\RdpSa.exe
    1⤵
      PID:2288
    • C:\Users\Admin\AppData\Local\7nvoYD1\RdpSa.exe
      C:\Users\Admin\AppData\Local\7nvoYD1\RdpSa.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3660
    • C:\Windows\system32\Magnify.exe
      C:\Windows\system32\Magnify.exe
      1⤵
        PID:640
      • C:\Users\Admin\AppData\Local\I63\Magnify.exe
        C:\Users\Admin\AppData\Local\I63\Magnify.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2556
      • C:\Windows\system32\wscript.exe
        C:\Windows\system32\wscript.exe
        1⤵
          PID:1364
        • C:\Users\Admin\AppData\Local\wohmRS0yV\wscript.exe
          C:\Users\Admin\AppData\Local\wohmRS0yV\wscript.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4288

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\7nvoYD1\RdpSa.exe
          Filesize

          56KB

          MD5

          5992f5b5d0b296b83877da15b54dd1b4

          SHA1

          0d87be8d4b7aeada4b55d1d05c0539df892f8f82

          SHA256

          32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

          SHA512

          4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

          Download Submit

        • C:\Users\Admin\AppData\Local\7nvoYD1\WINSTA.dll
          Filesize

          1.0MB

          MD5

          1ae3e311c879a04629e242a302500011

          SHA1

          8f7a25a7bd8da5bab3241737d87b72e6e3b81e10

          SHA256

          1d586e17df017f59a613dc17824355ddcf16cf1412a6ef5114886da196281fe8

          SHA512

          b9e88413dc955526ef5d1f2589fcbcd9a850b35be9826cb5bcd397bd7638f606d9ecf8684ed4a0a2eef40adaaf86a07797fc673752807e91f53131b122c85c73

          Download Submit

        • C:\Users\Admin\AppData\Local\I63\MAGNIFICATION.dll
          Filesize

          1.0MB

          MD5

          97ecbf8087ccdd207c6a11331257a45b

          SHA1

          8bde26099893344a0cbd31459338d59ef06c0971

          SHA256

          2dfba26e06591ba9ecf1a8faab9ba7098f4e00ec99d7ee7df7df912dd93dfc99

          SHA512

          522ec6f837565b518d1b3a9252b6e97d0e08e4ac87c949659e8ce0634e6f2de8d65f9d0a731c649dee07dc83d4dea58e8ec4ef6522afd757ab04b232b59b4ed5

          Download Submit

        • C:\Users\Admin\AppData\Local\I63\Magnify.exe
          Filesize

          639KB

          MD5

          4029890c147e3b4c6f41dfb5f9834d42

          SHA1

          10d08b3f6dabe8171ca2dd52e5737e3402951c75

          SHA256

          57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

          SHA512

          dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

          Download Submit

        • C:\Users\Admin\AppData\Local\wohmRS0yV\VERSION.dll
          Filesize

          1.0MB

          MD5

          fc3d7630ee5757a1ade3182262593d3e

          SHA1

          8377e6aef5ee4454a6a9e14e59a5f32823ff1147

          SHA256

          ec351309820265254444cf9e2f953ff61b69daf5cd4685fc4cab0ea07489e848

          SHA512

          c2fe5fda3d75f67a0a704fb0615a0b5f30411ddcf887ae5683827f6484ed36130f394985f1097a67bc7e58bb5fdac59479531403626e813d42e1954381e0ad6d

          Download Submit

        • C:\Users\Admin\AppData\Local\wohmRS0yV\wscript.exe
          Filesize

          166KB

          MD5

          a47cbe969ea935bdd3ab568bb126bc80

          SHA1

          15f2facfd05daf46d2c63912916bf2887cebd98a

          SHA256

          34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

          SHA512

          f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          10852cf60da706157822870cdd833001

          SHA1

          6987b44035bad0e285a37bf83b8353634d8992a9

          SHA256

          8d2a521b03ee57609a274c2ebb5328f0188045485195d73a48d7f451f0798537

          SHA512

          5afa0d8f40f1940942d2c84f72ae20ec11485d4afc71c83d85f9b07dd590f8d5b17f9171db8852eab60baf98590cebf7131bce99b52f3095250a4a7e18b6044d

          Download Submit

        • memory/2556-83-0x0000000140000000-0x0000000140108000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2556-78-0x0000000140000000-0x0000000140108000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2556-80-0x000001983A850000-0x000001983A857000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3576-13-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-8-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-30-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-29-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-27-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-26-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-25-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-24-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-23-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-22-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-21-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-19-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-18-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-17-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-16-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-15-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-42-0x00007FFBA0540000-0x00007FFBA0550000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3576-11-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-10-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-32-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-9-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-41-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-28-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-7-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-6-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-12-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-5-0x00007FFBA008A000-0x00007FFBA008B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3576-3-0x0000000002C30000-0x0000000002C31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3576-14-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-52-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-43-0x00007FFBA0530000-0x00007FFBA0540000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3576-40-0x0000000002C40000-0x0000000002C47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3576-31-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3576-20-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3660-67-0x0000000140000000-0x0000000140109000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3660-64-0x0000020276E10000-0x0000020276E17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3660-62-0x0000000140000000-0x0000000140109000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4288-94-0x0000020552670000-0x0000020552677000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4288-99-0x0000000140000000-0x0000000140108000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4436-0-0x00000244AA7E0000-0x00000244AA7E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4436-1-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4436-55-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download