Overview

overview

10

Static

static

3

7199547e54...18.dll

windows7-x64

10

7199547e54...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    25-05-2024 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7199547e54202ebc6bad47e5cb7ea02e_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    7199547e54202ebc6bad47e5cb7ea02e

  • SHA1

    574ce65b4d1548cafaae88fb14186ffbac7ea9cf

  • SHA256

    a76ff5cfd79b710ffa6ebc30766c92d0230e59e046412e012f6d5d3ff8b0e6eb

  • SHA512

    2e2401e2967a52be847b647e8f2f9e939f2d76ea9f6fae9659829719f291f260cf302328771efc077c7f56c9160e3eb99042728fbc751588052b98e07b013d1f

  • SSDEEP

    24576:CVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:CV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7199547e54202ebc6bad47e5cb7ea02e_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:992
  • C:\Windows\system32\mstsc.exe
    C:\Windows\system32\mstsc.exe
    1⤵
      PID:2428
    • C:\Users\Admin\AppData\Local\attD\mstsc.exe
      C:\Users\Admin\AppData\Local\attD\mstsc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2548
    • C:\Windows\system32\Dxpserver.exe
      C:\Windows\system32\Dxpserver.exe
      1⤵
        PID:2240
      • C:\Users\Admin\AppData\Local\ikN\Dxpserver.exe
        C:\Users\Admin\AppData\Local\ikN\Dxpserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2180
      • C:\Windows\system32\DWWIN.EXE
        C:\Windows\system32\DWWIN.EXE
        1⤵
          PID:2764
        • C:\Users\Admin\AppData\Local\VNbqHBsN\DWWIN.EXE
          C:\Users\Admin\AppData\Local\VNbqHBsN\DWWIN.EXE
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2768

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\VNbqHBsN\wer.dll
          Filesize

          1.2MB

          MD5

          25d73977dd6c0a52eb8a6455ae8a2d06

          SHA1

          acfe0aefcb76ea9f6d96e3aa339d1b1566674aef

          SHA256

          c4b3d0aaf204f4dbb98f2c432e80c1487a70acf2367ac1827712bf8b14bf4c06

          SHA512

          a18c4f754dfa5a17b9ccf7f1bcd5e913c0ab584819aae4fb28fde541b9d946c96943a4077b548ce8c14f9f879b06d186656d8f857209b6b56a43cd69868c6e98

          Download Submit
        • C:\Users\Admin\AppData\Local\attD\credui.dll
          Filesize

          1.2MB

          MD5

          3af242dc2a9b2f0e45831bdd20e1830b

          SHA1

          dfbbfa165c66c2ef81e0d282d04066474da8661e

          SHA256

          3f1d94cfd3789ea120eedf25d6101f247f21dc47ac534c433e8fb644e164d1f5

          SHA512

          76f7c37e9f9fc4b50ac91f0aaf9a6baba6d233e07b7a9adf058fd5d3a20e82a04eb83f3671d509139660290e2b2a47cb6e01ae3cb824ee02be95444af70cdf19

          Download Submit
        • C:\Users\Admin\AppData\Local\ikN\XmlLite.dll
          Filesize

          1.2MB

          MD5

          56c0593c0a420f5f7df93433e2eb464c

          SHA1

          82d16628ecece4fe13060c8dd19180984ea56947

          SHA256

          10f3086e5c54367bcaa78f29d9846976d8c33c4f8f2adacbf975d71ee0c03aa9

          SHA512

          e09102ddc4a4bf0443e17c82209f6a24b7c75db0b1d33381af090b427bff6439702a12442172cae76e2cce06db50d399923307a70c2c3f67e62dd1741207f5d6

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
          Filesize

          981B

          MD5

          c3fcc4f8c76447d73ce012e1fb11e32a

          SHA1

          44843f757f7cbb46a9bcb9a85f49c4e390cd29e9

          SHA256

          f1d3b5614d5f2094987d7d5bfdd00b2368f1ac849c0778fa5f9e5ca782b15c73

          SHA512

          4f197f5fc6982da0f53a74b19723a9195983a0f7bc0b1b50fac8174a8b872c9db8e72ad3546323ef1e5fae1910c0cdd9d3a691c8a41dee9689b878f28891d42e

          Download Submit
        • \Users\Admin\AppData\Local\VNbqHBsN\DWWIN.EXE
          Filesize

          149KB

          MD5

          25247e3c4e7a7a73baeea6c0008952b1

          SHA1

          8087adb7a71a696139ddc5c5abc1a84f817ab688

          SHA256

          c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

          SHA512

          bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

          Download Submit
        • \Users\Admin\AppData\Local\attD\mstsc.exe
          Filesize

          1.1MB

          MD5

          50f739538ef014b2e7ec59431749d838

          SHA1

          b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

          SHA256

          85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

          SHA512

          02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

          Download Submit
        • \Users\Admin\AppData\Local\ikN\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit
        • memory/992-0-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/992-3-0x00000000001B0000-0x00000000001B7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/992-45-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1120-27-0x00000000778A0000-0x00000000778A2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1120-9-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1120-14-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1120-15-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1120-25-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1120-26-0x0000000077711000-0x0000000077712000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1120-13-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1120-37-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1120-36-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1120-16-0x00000000021D0000-0x00000000021D7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1120-12-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1120-11-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1120-4-0x0000000077506000-0x0000000077507000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1120-5-0x0000000003D30000-0x0000000003D31000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1120-7-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1120-64-0x0000000077506000-0x0000000077507000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1120-10-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1120-8-0x0000000140000000-0x0000000140142000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2180-78-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2180-72-0x00000000001A0000-0x00000000001A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2548-59-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2548-53-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2548-56-0x00000000002A0000-0x00000000002A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2768-93-0x0000000000110000-0x0000000000117000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2768-96-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download