Overview

overview

10

Static

static

3

d418d7b35f...18.dll

windows7-x64

10

d418d7b35f...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2024 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d418d7b35f768c06a4d7efd05dc26667_JaffaCakes118.dll

  • Size

    1.0MB

  • MD5

    d418d7b35f768c06a4d7efd05dc26667

  • SHA1

    8ead726ea63ef0c35da8b7676aa9b01b5e9160a9

  • SHA256

    dc16ed16999422e0b18228f6624b460456b6b7ea294cb0ef42d0056dd34d06e4

  • SHA512

    cc72a2ba2c2691fd2ebf87d79fd1e5a842cab587bc783295310aff940c12ccf13c3549490a5989d58d0bfb98b5bab29791366f7fd5f00964c9897577500e223b

  • SSDEEP

    12288:MdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:+MIJxSDX3bqjhcfHk7MzH6z

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d418d7b35f768c06a4d7efd05dc26667_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2968
  • C:\Windows\system32\cmstp.exe
    C:\Windows\system32\cmstp.exe
    1⤵
      PID:3024
    • C:\Users\Admin\AppData\Local\XN04qZws\cmstp.exe
      C:\Users\Admin\AppData\Local\XN04qZws\cmstp.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2252
    • C:\Windows\system32\sdclt.exe
      C:\Windows\system32\sdclt.exe
      1⤵
        PID:2548
      • C:\Users\Admin\AppData\Local\kSbF\sdclt.exe
        C:\Users\Admin\AppData\Local\kSbF\sdclt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1664
      • C:\Windows\system32\cttune.exe
        C:\Windows\system32\cttune.exe
        1⤵
          PID:840
        • C:\Users\Admin\AppData\Local\GJCRQ\cttune.exe
          C:\Users\Admin\AppData\Local\GJCRQ\cttune.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2788

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\GJCRQ\UxTheme.dll
          Filesize

          1.0MB

          MD5

          c561fb23565252cb7dbdfe182edc49c4

          SHA1

          5581c3e06025ec1bfc7b1c44d3cf9aa36ae2bd8b

          SHA256

          89858f7bcef25c4f3c1a724fa14e049ce577cf8363b5f85a542fb6e517625769

          SHA512

          0cb6218e0fce5ed7cf8c56c6dbc476a62eca4c4f6086d0871914cdbba7545b5e0e2e70c45d81750b3e71bd01236872692489932259cced261a5e159fd78a1b1b

          Download Submit

        • C:\Users\Admin\AppData\Local\XN04qZws\VERSION.dll
          Filesize

          1.0MB

          MD5

          0be9f677287649ffc8dc62d660ce4d45

          SHA1

          3fa8e5dba49343e603f7a28e8b9a76dc088c3de9

          SHA256

          e40e8b7941b642b448ed604183abd1d772eb94ab8cddc827ec837aad12ef75d1

          SHA512

          70d55552c254bbc412ed474831ce21919a548e1b4c5c2ebf78f4b888efe18c87dc6c622e604e915458718043c60c360be3dff7a59e7421f86ffd3a24081aab23

          Download Submit

        • C:\Users\Admin\AppData\Local\kSbF\Secur32.dll
          Filesize

          1.0MB

          MD5

          be2f9281b31aad368b3ba9bfdc66cc4e

          SHA1

          8ec1637886e37d436519df578b90ae1fb0e6377d

          SHA256

          5594f3290fbddde622bc9f750af1da08a9e9624f7e9c34a2250718e12b9157d4

          SHA512

          986c96ebdc4821886b50414c1c5636f5a3c6c79c42e06fcddfb2dad653ca391d07e97e21e18da79cabb5403ea0acaa9e5c2de0efc6b7f3b8f10341e2a3d4e148

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk
          Filesize

          1KB

          MD5

          c1ac859ee23e497727c8c20d833c7816

          SHA1

          6190b63fa1c06f058e29f1e704c8f09ab687e20f

          SHA256

          4af7ec81dc3b560a21fc3eeeb4a39998c08b405aa4d80fbb49c86f8bbc868652

          SHA512

          0e44b2a80ac5538271f6fe7b50769d1038ae9443da0c336686f59f1d12921efdf4d8622fbe0257f0191cc4695365536f1ba972492f307fdca7a7fd5c31c4b7c5

          Download Submit

        • \Users\Admin\AppData\Local\GJCRQ\cttune.exe
          Filesize

          314KB

          MD5

          7116848fd23e6195fcbbccdf83ce9af4

          SHA1

          35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

          SHA256

          39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

          SHA512

          e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

          Download Submit

        • \Users\Admin\AppData\Local\XN04qZws\cmstp.exe
          Filesize

          90KB

          MD5

          74c6da5522f420c394ae34b2d3d677e3

          SHA1

          ba135738ef1fb2f4c2c6c610be2c4e855a526668

          SHA256

          51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

          SHA512

          bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

          Download Submit

        • \Users\Admin\AppData\Local\kSbF\sdclt.exe
          Filesize

          1.2MB

          MD5

          cdebd55ffbda3889aa2a8ce52b9dc097

          SHA1

          4b3cbfff5e57fa0cb058e93e445e3851063646cf

          SHA256

          61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

          SHA512

          2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

          Download Submit

        • memory/1188-42-0x0000000077B80000-0x0000000077B82000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-12-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-20-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-18-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-17-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-43-0x0000000077BB0000-0x0000000077BB2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-3-0x0000000077916000-0x0000000077917000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-41-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-40-0x00000000025C0000-0x00000000025C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-31-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-30-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-29-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-28-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-27-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-26-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-25-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-24-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-23-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-22-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-16-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-15-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-14-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-13-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-21-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-11-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-10-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-9-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-7-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-54-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-52-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-5-0x00000000025E0000-0x00000000025E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-62-0x0000000077916000-0x0000000077917000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-32-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-19-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-6-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1188-8-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1664-87-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1664-92-0x0000000140000000-0x0000000140108000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2252-75-0x0000000140000000-0x0000000140108000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2252-71-0x0000000140000000-0x0000000140108000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2252-70-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2788-106-0x0000000001F10000-0x0000000001F17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2788-109-0x0000000140000000-0x0000000140108000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2968-61-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2968-0-0x0000000140000000-0x0000000140107000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2968-2-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download