Overview

overview

10

Static

static

3

6546ef01ad...18.dll

windows7-x64

10

6546ef01ad...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6546ef01ad7cf5ea8767ca35e0a9497d_JaffaCakes118.dll

  • Size

    989KB

  • MD5

    6546ef01ad7cf5ea8767ca35e0a9497d

  • SHA1

    8302c377caccf0332af3c94ef45217a929b61110

  • SHA256

    c9d45c41ecba0e13d08bea6b3393cf730d02482f0923b754a2ab72b9ea9ee361

  • SHA512

    135fc8029dfdcd91fd5ec72b65a8fdd2a240f0627116530cc6fc878045dbce0c92f96d78f2b6faa645a98ae0f3024261199369b59a7b2bd6cb72210172362b24

  • SSDEEP

    24576:xVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:xV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6546ef01ad7cf5ea8767ca35e0a9497d_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3036
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    1⤵
      PID:2372
    • C:\Users\Admin\AppData\Local\bwc\rstrui.exe
      C:\Users\Admin\AppData\Local\bwc\rstrui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2420
    • C:\Windows\system32\sigverif.exe
      C:\Windows\system32\sigverif.exe
      1⤵
        PID:1428
      • C:\Users\Admin\AppData\Local\iXpEZu\sigverif.exe
        C:\Users\Admin\AppData\Local\iXpEZu\sigverif.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1524
      • C:\Windows\system32\notepad.exe
        C:\Windows\system32\notepad.exe
        1⤵
          PID:2664
        • C:\Users\Admin\AppData\Local\T7zD\notepad.exe
          C:\Users\Admin\AppData\Local\T7zD\notepad.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1872

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\T7zD\notepad.exe
          Filesize

          189KB

          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit
        • C:\Users\Admin\AppData\Local\bwc\SPP.dll
          Filesize

          990KB

          MD5

          443fab4ad9d329449bfe1eadb91b0556

          SHA1

          2d4f659f8a6ca4f77ed5ef71b6456c6ce03d6a2c

          SHA256

          7cbdb6ff5d0daf4349c894b954b16734c3a3cbdcd7795d0b6b20da915f8d941a

          SHA512

          4b6e7c50dfade08e52bf4e5cfe3ef24cf62efba11ac9234d89087464f447356d4db6d4fc61703fb948789da1c4b29d74543c6698484f13db7e2d93a996ec737c

          Download Submit
        • C:\Users\Admin\AppData\Local\bwc\rstrui.exe
          Filesize

          290KB

          MD5

          3db5a1eace7f3049ecc49fa64461e254

          SHA1

          7dc64e4f75741b93804cbae365e10dc70592c6a9

          SHA256

          ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

          SHA512

          ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

          Download Submit
        • C:\Users\Admin\AppData\Local\iXpEZu\VERSION.dll
          Filesize

          990KB

          MD5

          e380ea41db1a81b8e6ff5f6ad78b4ad6

          SHA1

          e4422052eb1952365f3ac944af07241543fff4ab

          SHA256

          8eff13894d1fe7b2d50e64973f1518f1e46a182c62e787b3246c197ea6fe27d5

          SHA512

          3c263a722371d37d825b6c43e426b9d8ef8d304bf705f38fe16c45c4520c74adf30f916b710968e5ff5ee9a07e8333e6e96de9c73e82d4e4c22e58c96ac9a229

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piadwmdtymfdd.lnk
          Filesize

          1KB

          MD5

          91b0677b40ba9b96adc9a8c6f6aff327

          SHA1

          990582b0589400b1a26268c40addec79c7af34f1

          SHA256

          848e86137c6a20814d072bcb83215f4be965afc84e50095d5010abf89af90fe0

          SHA512

          e40bf63345a5660e67be21896e569cc8cb3fb560bd8cf66b215ad285a9bcecc877ece55a0600d8ee32d180e163ea430b0a99abdb2b05c42953ff673b8b83d957

          Download Submit
        • \Users\Admin\AppData\Local\T7zD\VERSION.dll
          Filesize

          990KB

          MD5

          bc0d890e69e3b085e9b0978f7cf02314

          SHA1

          2b7b59261e233b0dc7262778fa4b1fdd9427a804

          SHA256

          9b7bfb6616b7db7fd1fde834c0d8200d2426dca5dbeb58c6d215ef1f5b134d83

          SHA512

          bba7bdbbf420703fe7495dd0a707c5b9c1469c773b6515a1ccdcc728b9de5816a475860e45d9325b601d5fdb77988f5a445336734880a4fa47ec29df222161be

          Download Submit
        • \Users\Admin\AppData\Local\iXpEZu\sigverif.exe
          Filesize

          73KB

          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

          Download Submit
        • memory/1192-35-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-23-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-13-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-12-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-11-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-9-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-8-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-25-0x00000000771F1000-0x00000000771F2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-26-0x0000000077380000-0x0000000077382000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1192-4-0x00000000770E6000-0x00000000770E7000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-36-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-5-0x0000000002510000-0x0000000002511000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-24-0x00000000024F0000-0x00000000024F7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1192-14-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-7-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-10-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-63-0x00000000770E6000-0x00000000770E7000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1524-74-0x00000000000A0000-0x00000000000A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1524-77-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/1872-90-0x0000000000290000-0x0000000000297000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1872-95-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2420-58-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2420-55-0x0000000000110000-0x0000000000117000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2420-52-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/3036-44-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/3036-3-0x00000000002A0000-0x00000000002A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3036-0-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download