Overview

overview

10

Static

static

3

JaffaCakes...65.dll

windows7-x64

10

JaffaCakes...65.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2024 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_09024a26ea677d735c4a1e3041f73765.dll

  • Size

    1.4MB

  • MD5

    09024a26ea677d735c4a1e3041f73765

  • SHA1

    f624aa4dc24cd5df1546737fed4da1bee587a279

  • SHA256

    92a1adc462adbf747ec142eeeab2dc55aa0e809c678116fad23ea8c8a80ad1cf

  • SHA512

    cfe7cc6a44a331b23eecc95af148e9f220b9ac5eb2b0dc241c29499f9f8d16124ff096c56161d824786034fc11ac054ca37e513494d5522505708fc7c3aa5160

  • SSDEEP

    12288:ddMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:TMIJxSDX3bqjhcfHk7MzH6z

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 7 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09024a26ea677d735c4a1e3041f73765.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1724
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    1⤵
      PID:1076
    • C:\Users\Admin\AppData\Local\nff\BdeUISrv.exe
      C:\Users\Admin\AppData\Local\nff\BdeUISrv.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2620
    • C:\Windows\system32\rekeywiz.exe
      C:\Windows\system32\rekeywiz.exe
      1⤵
        PID:844
      • C:\Users\Admin\AppData\Local\nWqVQR\rekeywiz.exe
        C:\Users\Admin\AppData\Local\nWqVQR\rekeywiz.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3000
      • C:\Windows\system32\psr.exe
        C:\Windows\system32\psr.exe
        1⤵
          PID:3004
        • C:\Users\Admin\AppData\Local\QXdZ1v3Fv\psr.exe
          C:\Users\Admin\AppData\Local\QXdZ1v3Fv\psr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:880

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\QXdZ1v3Fv\VERSION.dll
          Filesize

          1.4MB

          MD5

          b0bdeed2b8324b1f75e453a5f7fa6b85

          SHA1

          af603be76fed05db201ed22118797f84bf70248e

          SHA256

          a78e09471ff38e0ffa4cc84a3f41591d9e3a60b8f6680311683f325f4b7313e6

          SHA512

          9b493906554108364c84c03d13261368f6a207951b15136dfe94fc61c87832d987730106907c1b091321421a9b04211922c8af1de248d27473dcba5e23153f12

          Download Submit

        • C:\Users\Admin\AppData\Local\nWqVQR\slc.dll
          Filesize

          1.4MB

          MD5

          c43f7d0dba08a38272f905828a269606

          SHA1

          494dbfd0b75f2087022ff9abb464128e39e81aca

          SHA256

          af6d58f1b8ede34ac31a5888a346117454393312c7ef62d62864d6c91160c492

          SHA512

          b4155411da3da6f0bd2e5086fad982f0a40cbc3d20e1274a9da9388eba8bec8908d0ec60edb8080685a7a6134685570c1ae59e3a486cdfbac947eafd08648ec7

          Download Submit

        • C:\Users\Admin\AppData\Local\nff\WTSAPI32.dll
          Filesize

          1.4MB

          MD5

          d8c8cf93a1c0e723fe714e1839e0bf4f

          SHA1

          9c1bc362b00e12c65d2483dc515c1fd02c6594ab

          SHA256

          423b56a9267f8398a6ef601a9210f27bbb1519b2e246a4a77327d1f250bb165e

          SHA512

          b2573cd0e53a5dd9b7d0ceeae400e47b2035cd6bb1a747ea537d561376402b24c4b20f732d950d0b3c4ef40533a3779742d7b70ff87f4ccf8ed8ac8048f581b9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk
          Filesize

          1KB

          MD5

          4f96c919bbf9226532a47d73b6338725

          SHA1

          3e6ed61d278d2ae33a239a2d6bbefe9873e495a8

          SHA256

          0a9453d1c1fae7af3354cbb167e14c7bba4099eb66da1a92a1d6aef5863688a5

          SHA512

          23e3e5f69cbaa69eed47da7f091fdff9f96129ba07ff1ccb02c16ad4598a999694a00c6a1849c354eea205bcc5e5cd348f4686ae8c662637037d887c7083b325

          Download Submit

        • \Users\Admin\AppData\Local\QXdZ1v3Fv\psr.exe
          Filesize

          715KB

          MD5

          a80527109d75cba125d940b007eea151

          SHA1

          facf32a9ede6abfaa09368bfdfcfec8554107272

          SHA256

          68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

          SHA512

          77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

          Download Submit

        • \Users\Admin\AppData\Local\nWqVQR\rekeywiz.exe
          Filesize

          67KB

          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

          Download Submit

        • \Users\Admin\AppData\Local\nff\BdeUISrv.exe
          Filesize

          47KB

          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit

        • memory/880-113-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1200-32-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-62-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-28-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-30-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-36-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-38-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-13-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-12-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-10-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-9-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-51-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-42-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-43-0x0000000002E30000-0x0000000002E37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1200-41-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-40-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-39-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-37-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-53-0x0000000077630000-0x0000000077632000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1200-52-0x0000000077600000-0x0000000077602000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1200-35-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-34-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-33-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-7-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-31-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-63-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-22-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-29-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-27-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-26-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-25-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-24-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-23-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-21-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-20-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-19-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-18-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-17-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-16-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-15-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-14-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-3-0x0000000077396000-0x0000000077397000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-4-0x0000000002E50000-0x0000000002E51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-6-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-8-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1200-11-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1724-71-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1724-1-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1724-0-0x0000000000320000-0x0000000000327000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2620-80-0x0000000140000000-0x0000000140164000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2620-84-0x0000000140000000-0x0000000140164000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2620-79-0x0000000000210000-0x0000000000217000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3000-96-0x00000000003F0000-0x00000000003F7000-memory.dmp

          Filesize

          28KB

          Download