Overview

overview

10

Static

static

3

6d0edb0962...18.dll

windows7-x64

10

6d0edb0962...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d0edb09621edea7ddd4aba369632419_JaffaCakes118.dll

  • Size

    991KB

  • MD5

    6d0edb09621edea7ddd4aba369632419

  • SHA1

    90b7eb49388e711347ea0b7541141e6f1c35b4b3

  • SHA256

    2ea3c486674229c106c14ef49ebd4b2757963d866c102e90403c3e20fdb69365

  • SHA512

    e1be1ee0a45ec79c86751f6ba8f608ff98ca0475758bd28b74e6fabf9ce76f5b1f9d26012419e6547557dc93b6e752403a7415a1f59a6dc188391175bbe4dfe6

  • SSDEEP

    24576:yVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:yV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6d0edb09621edea7ddd4aba369632419_JaffaCakes118.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2184
  • C:\Windows\system32\rekeywiz.exe
    C:\Windows\system32\rekeywiz.exe
    1⤵
      PID:2436
    • C:\Users\Admin\AppData\Local\F4lrdL\rekeywiz.exe
      C:\Users\Admin\AppData\Local\F4lrdL\rekeywiz.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2384
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe
      1⤵
        PID:1844
      • C:\Users\Admin\AppData\Local\Cc5X\mmc.exe
        C:\Users\Admin\AppData\Local\Cc5X\mmc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2368
      • C:\Windows\system32\icardagt.exe
        C:\Windows\system32\icardagt.exe
        1⤵
          PID:2560
        • C:\Users\Admin\AppData\Local\4gP\icardagt.exe
          C:\Users\Admin\AppData\Local\4gP\icardagt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1840

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\4gP\VERSION.dll
          Filesize

          991KB

          MD5

          e6ea64ba74d95b0af809dc13ffc36cc9

          SHA1

          698e9ae5feb0c893fc4dcef96dc7a3b655a806b9

          SHA256

          9b7c5da1dece53cdb27b4bf3bd5ae503a346e1d259240dd25f3e5de0b8cccf72

          SHA512

          09095e6f682aa764cf525ddc2646b0eb976cb199dfc8ec52db4ad2498bfd79427fb7947c4c15c6c18aabe99bfffae7fc5406b7dd60dc7e9d414777315f425e20

          Download Submit
        • C:\Users\Admin\AppData\Local\Cc5X\UxTheme.dll
          Filesize

          993KB

          MD5

          2090330a89673b387a0386de551ce409

          SHA1

          7e1c53a55ef427582cd931ece935901ab71813b0

          SHA256

          c081d641e5053e93ac95b4a25357bcaedad1516380725234a3ceabaee2d3c297

          SHA512

          c7bfa49e84a35a023d5792695288e585e3ae4339925ae089337d23f8a27fdbc8680800a5af69dc9d8ab66cba0b3d9cb662b9dc1650334202382d562c83b066d3

          Download Submit
        • C:\Users\Admin\AppData\Local\F4lrdL\slc.dll
          Filesize

          992KB

          MD5

          d3a2dca4501fbc869f285e917764e042

          SHA1

          4d832951bf87e2a987aff13a0495e87846b31433

          SHA256

          40a643a88b791d84635a928470dbf1e40da491f41ea830979ed06adfee43971d

          SHA512

          457d6ca6a8fc417e3aa6a8a1b1247959ee13929f0d6bddddbcc1851fc1fd09f3a8b35801b6054e89047f32c45ea6b023a726065d9322d4fb179d8d72e9ed7c01

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piadwmdtymfdd.lnk
          Filesize

          1KB

          MD5

          34e201f150c68db776f70afab95063ba

          SHA1

          5f1534a679d3b4669be0b372408f438c5b14ac13

          SHA256

          9a96221337a6925a1384d46dad53bccb55bc0c6ac66ee82e62865b3d65216009

          SHA512

          39f00457be99dfaf1defe31f076e5410e47a011554970329b780be0abdfd49d5e6c053ecc66692236277fe69ce4113893897a36238c05690f1e5bffa603afe18

          Download Submit
        • \Users\Admin\AppData\Local\4gP\icardagt.exe
          Filesize

          1.3MB

          MD5

          2fe97a3052e847190a9775431292a3a3

          SHA1

          43edc451ac97365600391fa4af15476a30423ff6

          SHA256

          473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

          SHA512

          93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

          Download Submit
        • \Users\Admin\AppData\Local\Cc5X\mmc.exe
          Filesize

          2.0MB

          MD5

          9fea051a9585f2a303d55745b4bf63aa

          SHA1

          f5dc12d658402900a2b01af2f018d113619b96b8

          SHA256

          b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

          SHA512

          beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

          Download Submit
        • \Users\Admin\AppData\Local\F4lrdL\rekeywiz.exe
          Filesize

          67KB

          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

          Download Submit
        • memory/1136-35-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1136-8-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1136-24-0x0000000002D50000-0x0000000002D57000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1136-23-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1136-11-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1136-10-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1136-9-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1136-25-0x0000000076F81000-0x0000000076F82000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1136-28-0x0000000077110000-0x0000000077112000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1136-4-0x0000000076D76000-0x0000000076D77000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1136-37-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1136-5-0x0000000002D70000-0x0000000002D71000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1136-14-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1136-12-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1136-7-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1136-13-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1136-63-0x0000000076D76000-0x0000000076D77000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1840-94-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2184-44-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/2184-3-0x00000000001C0000-0x00000000001C7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2184-0-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/2368-71-0x0000000000370000-0x0000000000377000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2368-77-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2384-58-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2384-53-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2384-52-0x0000000000400000-0x0000000000407000-memory.dmp
          Filesize

          28KB

          Download