Overview

overview

10

Static

static

3

87c3545cdc...18.dll

windows7-x64

10

87c3545cdc...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2024 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    87c3545cdce9ac4de4d6b4b059dc87ba_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    87c3545cdce9ac4de4d6b4b059dc87ba

  • SHA1

    59faa155317c706c9cd0898511a9b55266db63d3

  • SHA256

    69410188e366c90d44d0f848b78601bd6174f0fb9825fb449368fc37aa6fb0ef

  • SHA512

    7f9dff0546abea7fb00682599d467f7c37acc4e6cadb59a814d12023eb33e5586a485d2657c6c47a2777198a63083855d5f10a08bbf19b519c93c826d94299ef

  • SSDEEP

    24576:xVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:xV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\87c3545cdce9ac4de4d6b4b059dc87ba_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1960
  • C:\Windows\system32\notepad.exe
    C:\Windows\system32\notepad.exe
    1⤵
      PID:2824
    • C:\Users\Admin\AppData\Local\ks3eMZO8G\notepad.exe
      C:\Users\Admin\AppData\Local\ks3eMZO8G\notepad.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2416
    • C:\Windows\system32\spinstall.exe
      C:\Windows\system32\spinstall.exe
      1⤵
        PID:2124
      • C:\Users\Admin\AppData\Local\nkhda\spinstall.exe
        C:\Users\Admin\AppData\Local\nkhda\spinstall.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2964
      • C:\Windows\system32\DWWIN.EXE
        C:\Windows\system32\DWWIN.EXE
        1⤵
          PID:2828
        • C:\Users\Admin\AppData\Local\dQVX\DWWIN.EXE
          C:\Users\Admin\AppData\Local\dQVX\DWWIN.EXE
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2816

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\dQVX\VERSION.dll
          Filesize

          1.2MB

          MD5

          58e0710c5d877f87ce4811d280cd5290

          SHA1

          41173d4c83535ad441c514952c8ddad094dd8792

          SHA256

          6a6a9c932ebb9e571b538346c9e15b8b1ed9430016c56d512300cc227122f7cd

          SHA512

          1b2ce4cc81ede48787807799d303a40dd4014e9b27c970f857410b54c8ae38ff8c55a0ecb9e82a96a79d8abf16a459696587e7e6af56af3370c2ebc547ef8303

          Download Submit
        • C:\Users\Admin\AppData\Local\ks3eMZO8G\VERSION.dll
          Filesize

          1.2MB

          MD5

          21837545a0ca31263abde8f420e0497a

          SHA1

          a11f8343f0aba188cf8b6c2a29cdc182c14591de

          SHA256

          4247ba17f1163dd1fd045c50ef6302e4335985a70ddfad88e1fdac7d713a54c4

          SHA512

          4f42868bd6fc84dade9d4fa776a3a7a7496b814bb9eff694cdd45c33a0aac885c71ea7e61dc6746c84311e3184d17a268272c9b01343203d735e1c2aebd9de07

          Download Submit
        • C:\Users\Admin\AppData\Local\nkhda\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          2441e2a622af15cfe10b184fe2ba11de

          SHA1

          75b2b31df185818e599461b4fa270ad75b7080db

          SHA256

          208e9ec7dda58990678b1b607de58ee163d4fd9339a89ad4094c0923527ccf68

          SHA512

          3b5e81b287d4f02ff1abe35011f0649b82ffa37fc3c735c00f80e07db4a1eb4fb70f51aaf1c7a3dfa63edaf303ce8a863d8ab1557d0808eec681ab42a4c15cfe

          Download Submit
        • C:\Users\Admin\AppData\Local\nkhda\spinstall.exe
          Filesize

          584KB

          MD5

          29c1d5b330b802efa1a8357373bc97fe

          SHA1

          90797aaa2c56fc2a667c74475996ea1841bc368f

          SHA256

          048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

          SHA512

          66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
          Filesize

          1KB

          MD5

          74dfb62f274aa8778babf5c86a0817ab

          SHA1

          6778656233652e0f2896bed0332849cb5264858c

          SHA256

          5878ba28820eb21d60845a61932f8bf745bf2c053c203cac4f6378e456fa6b36

          SHA512

          2f1f849111f163d9da30cf65b1d5b0030c58cec3f6290c5f24e0e4c059bc1cf3c6a5e14732c92fc6746db6238f3d0c064fc1498939a7c51db679777941e8f8be

          Download Submit
        • \Users\Admin\AppData\Local\dQVX\DWWIN.EXE
          Filesize

          149KB

          MD5

          25247e3c4e7a7a73baeea6c0008952b1

          SHA1

          8087adb7a71a696139ddc5c5abc1a84f817ab688

          SHA256

          c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

          SHA512

          bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

          Download Submit
        • \Users\Admin\AppData\Local\ks3eMZO8G\notepad.exe
          Filesize

          189KB

          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit
        • memory/1192-10-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-7-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-27-0x0000000077391000-0x0000000077392000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-16-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-15-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-14-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-13-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-12-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-11-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-4-0x0000000077186000-0x0000000077187000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-26-0x0000000002AD0000-0x0000000002AD7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1192-38-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-37-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-5-0x0000000002D80000-0x0000000002D81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1192-25-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-9-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-8-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1192-30-0x0000000077520000-0x0000000077522000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1192-64-0x0000000077186000-0x0000000077187000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1960-46-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1960-3-0x0000000000120000-0x0000000000127000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1960-0-0x0000000140000000-0x0000000140143000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-59-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2416-54-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2816-90-0x0000000000110000-0x0000000000117000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2816-96-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2964-72-0x0000000000080000-0x0000000000087000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2964-78-0x0000000140000000-0x0000000140144000-memory.dmp
          Filesize

          1.3MB

          Download