Overview

overview

10

Static

static

3

JaffaCakes...22.dll

windows7-x64

10

JaffaCakes...22.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2024 02:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_017b4ac769b9974ed13369628c61fe22.dll

  • Size

    1.3MB

  • MD5

    017b4ac769b9974ed13369628c61fe22

  • SHA1

    79d831636d907bf0dc307de55f54e2204965d99f

  • SHA256

    91d2541d318fb264fad336bc2749717b9eb3daed2ac689213c669e975bf7ac90

  • SHA512

    cd643aa6f4f59811dd939dde388a39b801109a84757ee65d316169db30aff797fa9bdff0610933b5ca44c8b86e1bf1d8f69b82aa26e47add1d570d9e3eff885a

  • SSDEEP

    12288:4VgTshBl6L55p615Xw9sJwgApyUhsRbE8X7xYL0yeYiJh0T:XgxI/c5g6JpAcUIbEN0y4

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_017b4ac769b9974ed13369628c61fe22.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2980
  • C:\Windows\system32\tabcal.exe
    C:\Windows\system32\tabcal.exe
    1⤵
      PID:2964
    • C:\Users\Admin\AppData\Local\KnCB\tabcal.exe
      C:\Users\Admin\AppData\Local\KnCB\tabcal.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2388
    • C:\Windows\system32\msdt.exe
      C:\Windows\system32\msdt.exe
      1⤵
        PID:2956
      • C:\Users\Admin\AppData\Local\kkni\msdt.exe
        C:\Users\Admin\AppData\Local\kkni\msdt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2972
      • C:\Windows\system32\SystemPropertiesProtection.exe
        C:\Windows\system32\SystemPropertiesProtection.exe
        1⤵
          PID:2156
        • C:\Users\Admin\AppData\Local\d5nm7mjw\SystemPropertiesProtection.exe
          C:\Users\Admin\AppData\Local\d5nm7mjw\SystemPropertiesProtection.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1972

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\KnCB\HID.DLL
          Filesize

          1.3MB

          MD5

          a1d544bb3c2fb5efc1316779ccf5467e

          SHA1

          9441a6076e0996440d48099a744802b834a16517

          SHA256

          dc11e6a2f22d48ae4d5bed645d3f0d944a06651164efdcc98a388b2bc68b6734

          SHA512

          7a1aa0a54c04e7d9977cea6ab624e86fb4caffab7ab67c4294880bf64aae6f354e36824e4c7dfa4244437dd4e4ddb936687c3ef765724a8efaab129e4dc94c16

          Download Submit

        • C:\Users\Admin\AppData\Local\KnCB\tabcal.exe
          Filesize

          77KB

          MD5

          98e7911befe83f76777317ce6905666d

          SHA1

          2780088dffe1dd1356c5dd5112a9f04afee3ee8d

          SHA256

          3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

          SHA512

          fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

          Download Submit

        • C:\Users\Admin\AppData\Local\d5nm7mjw\SYSDM.CPL
          Filesize

          1.3MB

          MD5

          d6d59cb5f829639f8a95edd6b9bcf8d4

          SHA1

          539f94088348b6c330175087ccba7a46e6ce04f4

          SHA256

          0b82fbf79607bfce64618db9616057338cf80a17c210d30c302769856c0c30a6

          SHA512

          4601b1bd3110df36090ce0d9e9e6fcdc1ea44b472ee4cbaf47807369ea9bb0d00e2cd079d4e219b809b60b0535bc4f1245cc8ef4e592f69378e7459bb57432e6

          Download Submit

        • C:\Users\Admin\AppData\Local\d5nm7mjw\SystemPropertiesProtection.exe
          Filesize

          80KB

          MD5

          05138d8f952d3fff1362f7c50158bc38

          SHA1

          780bc59fcddf06a7494d09771b8340acffdcc720

          SHA256

          753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

          SHA512

          27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

          Download Submit

        • C:\Users\Admin\AppData\Local\kkni\DUI70.dll
          Filesize

          1.5MB

          MD5

          40654ea534d7ff262455913eab8ec80b

          SHA1

          13ceb8ea3c14912c9769e5f676065ecec45d91b8

          SHA256

          cd6f36a920342e36d3e459a618f445777ff522a16dd7832ac5c910a7c71001fb

          SHA512

          cbe194558ba4b32fcb124dad8e63ca829ac0a9f186eeebb1965d1d2a22ae21b104691df75d39f344830b0fc70a14005fd7392cc603b534c80d137dd48b14571e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1KB

          MD5

          72239683265bd22a58387e1ac01c46a0

          SHA1

          f12f17ab39c2e107c3fd1e0999f208c035918844

          SHA256

          bafb6f28faeb9ab557e94bb3caf71cd62cee79aa2a8e776dd2fa0397736b0e79

          SHA512

          5fbaa38958a952a0ee31aa4349be2a28ac609550e6dc8c27d29096e17d68c391de851b862914d8d65666ec45b0f6049c3dbe389b723db9d64773b598b824b832

          Download Submit

        • \Users\Admin\AppData\Local\kkni\msdt.exe
          Filesize

          1.0MB

          MD5

          aecb7b09566b1f83f61d5a4b44ae9c7e

          SHA1

          3a4a2338c6b5ac833dc87497e04fe89c5481e289

          SHA256

          fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

          SHA512

          6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

          Download Submit

        • memory/1196-12-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-34-0x0000000002170000-0x0000000002177000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-20-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-26-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-35-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-25-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-24-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-23-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-22-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-21-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-19-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-16-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-15-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-14-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-13-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-37-0x0000000077020000-0x0000000077022000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-36-0x0000000076FF0000-0x0000000076FF2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-3-0x0000000076C86000-0x0000000076C87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-11-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-10-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-9-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-18-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-47-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-48-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-4-0x0000000002190000-0x0000000002191000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-56-0x0000000076C86000-0x0000000076C87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-8-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-17-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-7-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1196-6-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1972-100-0x0000000000060000-0x0000000000067000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1972-103-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2388-69-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2388-65-0x0000000140000000-0x0000000140143000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2388-64-0x0000000001B40000-0x0000000001B47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2972-81-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2972-82-0x0000000140000000-0x0000000140176000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2972-86-0x0000000140000000-0x0000000140176000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2980-55-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2980-2-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2980-0-0x0000000140000000-0x0000000140142000-memory.dmp

          Filesize

          1.3MB

          Download