Overview

overview

10

Static

static

3

7303cf0368...18.dll

windows7-x64

10

7303cf0368...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25-05-2024 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7303cf03681a2d8ce2bb2394c9ad8b2d_JaffaCakes118.dll

  • Size

    989KB

  • MD5

    7303cf03681a2d8ce2bb2394c9ad8b2d

  • SHA1

    3f05fbfc73e0417121d2136ec9625be7e98b657d

  • SHA256

    d0b3168b35cde2b10104172a2f4ea91ccc3c2fc7adeb848d4db55c48d7a333da

  • SHA512

    f9ccb27b279372bb96cb954359e7343f19be65340aa9aed4d66011f6ac718ac5ef4a42675d08344ad667778bb3a24c9392128a3149a40087d804b93e219063be

  • SSDEEP

    24576:jVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:jV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7303cf03681a2d8ce2bb2394c9ad8b2d_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2492
  • C:\Windows\system32\SystemPropertiesProtection.exe
    C:\Windows\system32\SystemPropertiesProtection.exe
    1⤵
      PID:2196
    • C:\Users\Admin\AppData\Local\ydf6LmM\SystemPropertiesProtection.exe
      C:\Users\Admin\AppData\Local\ydf6LmM\SystemPropertiesProtection.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2408
    • C:\Windows\system32\spreview.exe
      C:\Windows\system32\spreview.exe
      1⤵
        PID:340
      • C:\Users\Admin\AppData\Local\IcsCbV\spreview.exe
        C:\Users\Admin\AppData\Local\IcsCbV\spreview.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:760
      • C:\Windows\system32\SystemPropertiesProtection.exe
        C:\Windows\system32\SystemPropertiesProtection.exe
        1⤵
          PID:564
        • C:\Users\Admin\AppData\Local\1F8Rjwf5s\SystemPropertiesProtection.exe
          C:\Users\Admin\AppData\Local\1F8Rjwf5s\SystemPropertiesProtection.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2320

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1F8Rjwf5s\SYSDM.CPL
          Filesize

          989KB

          MD5

          6ab1303775a1076f8f04bef454e78b43

          SHA1

          f61f158ddf6bbf025a2735df9db0da4ef20971bd

          SHA256

          cf4b6a59634f340b55a67539e4590989a9087887a14da4d92c2abee10950ab4a

          SHA512

          140546b6fe1d5d05ad7cc9321087946b7dcd2aab4ab082a3a652361a8a45f31da7f0860aedc53d4346bed9de118f46461a5b06a4aec402ade8030c1e9e5f1342

          Download Submit
        • C:\Users\Admin\AppData\Local\ydf6LmM\SYSDM.CPL
          Filesize

          989KB

          MD5

          b37801529917645d2005f2a337a667f3

          SHA1

          a2e85bdee96d463e41003d8e02cf76bf1eade7a1

          SHA256

          d80964d0462779609c5c2304b62a35b976bd8f6a40504e4fd5ec725037305375

          SHA512

          2fcd91de0c29cd6a5bf8755cfc68a6fe3482a12b8718e607daa6fc03f3840e6c1f2e7594965ed30f17548b1eead0e0a0b83aa96d5ef7787ac130eaa0185de2fa

          Download Submit
        • C:\Users\Admin\AppData\Local\ydf6LmM\SystemPropertiesProtection.exe
          Filesize

          80KB

          MD5

          05138d8f952d3fff1362f7c50158bc38

          SHA1

          780bc59fcddf06a7494d09771b8340acffdcc720

          SHA256

          753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

          SHA512

          27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
          Filesize

          1006B

          MD5

          f2406f67f63b43d77ebf6bfe5a99b940

          SHA1

          a1381f0b981ef3c8b322fc2a932fc6f1295f8019

          SHA256

          b0bedda114b43e4c64cfc42ff78ced1928b4307df05c20edbb5fb9cf3a5707e7

          SHA512

          b25d16d5b3c03c25042fa31b88a82ddd3a94ff8c0f7e65e6c8b31d203f323d563a62b6f6620de8e4e0fa20732827be3aeaa5ce4f175f7aad6c27af5a1d7ec02a

          Download Submit
        • \Users\Admin\AppData\Local\IcsCbV\spreview.exe
          Filesize

          294KB

          MD5

          704cd4cac010e8e6d8de9b778ed17773

          SHA1

          81856abf70640f102b8b3defe2cf65669fe8e165

          SHA256

          4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

          SHA512

          b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

          Download Submit
        • \Users\Admin\AppData\Local\IcsCbV\sqmapi.dll
          Filesize

          991KB

          MD5

          eab2b501248b48b27777254fd2397986

          SHA1

          a5f12f5a93f2921d8b84e2aa0bdec28f92345be8

          SHA256

          424f50c7e5ac2f373758c45418e9895076eb9b0c2e397545840b796456a38388

          SHA512

          304a285ce81563adbf9832d2215f83ea8f5d34aa6cf761eab522278382d66ee79a39b26aa1ccaa47fa59dbb024d2ce499c7c6a70e9e34d726997a548e4cce543

          Download Submit
        • memory/760-77-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/760-71-0x0000000000170000-0x0000000000177000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1192-12-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-70-0x0000000077486000-0x0000000077487000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-10-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-9-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-8-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-13-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-25-0x0000000077691000-0x0000000077692000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-26-0x0000000077820000-0x0000000077822000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1192-36-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-35-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-4-0x0000000077486000-0x0000000077487000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-5-0x0000000002700000-0x0000000002701000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-14-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-11-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-7-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1192-24-0x0000000002210000-0x0000000002217000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1192-23-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/2320-89-0x0000000000270000-0x0000000000277000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2320-95-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2408-58-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2408-55-0x0000000000080000-0x0000000000087000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2408-52-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2492-0-0x0000000000190000-0x0000000000197000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2492-44-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/2492-1-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download