Overview

overview

10

Static

static

3

99daf6981e...18.dll

windows7-x64

10

99daf6981e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    06-06-2024 03:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99daf6981ed0868d09623c8463847c9a_JaffaCakes118.dll

  • Size

    987KB

  • MD5

    99daf6981ed0868d09623c8463847c9a

  • SHA1

    ad9ce6e2dc54be25d7b23c8902a549a2897e2fef

  • SHA256

    2f60124860d5be9579a4a37ed8e8800197f77dfa7292ea79215897aa1f5aa81a

  • SHA512

    8e3b74ed0189f0528c398de4772e77c7b9019e1ed6a281bbd41663778990eb4a1d6ba0a0006e15a14e52d3a8d237f8c1981a1447a9a267de50aa8f1ffe776965

  • SSDEEP

    24576:CVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:CV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\99daf6981ed0868d09623c8463847c9a_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1656
  • C:\Windows\system32\msdtc.exe
    C:\Windows\system32\msdtc.exe
    1⤵
      PID:2488
    • C:\Users\Admin\AppData\Local\Qgqpz9kmV\msdtc.exe
      C:\Users\Admin\AppData\Local\Qgqpz9kmV\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2464
    • C:\Windows\system32\rrinstaller.exe
      C:\Windows\system32\rrinstaller.exe
      1⤵
        PID:2324
      • C:\Users\Admin\AppData\Local\qnyzB\rrinstaller.exe
        C:\Users\Admin\AppData\Local\qnyzB\rrinstaller.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2244
      • C:\Windows\system32\DevicePairingWizard.exe
        C:\Windows\system32\DevicePairingWizard.exe
        1⤵
          PID:2440
        • C:\Users\Admin\AppData\Local\8gQP\DevicePairingWizard.exe
          C:\Users\Admin\AppData\Local\8gQP\DevicePairingWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1580

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8gQP\DevicePairingWizard.exe
          Filesize

          73KB

          MD5

          9728725678f32e84575e0cd2d2c58e9b

          SHA1

          dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

          SHA256

          d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

          SHA512

          a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

          Download Submit
        • C:\Users\Admin\AppData\Local\Qgqpz9kmV\msdtc.exe
          Filesize

          138KB

          MD5

          de0ece52236cfa3ed2dbfc03f28253a8

          SHA1

          84bbd2495c1809fcd19b535d41114e4fb101466c

          SHA256

          2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

          SHA512

          69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

          Download Submit
        • C:\Users\Admin\AppData\Local\qnyzB\MFPlat.DLL
          Filesize

          992KB

          MD5

          635b7136675b9d78b6407dd4cd567300

          SHA1

          5c57931b20a5875f26c7661ddc6c7b779e4c5a12

          SHA256

          dfc95451ef5c152ed3b5b94b915cda0ef0a9d505a0f75e59b1f6612019334375

          SHA512

          2738dd57b69a166165373b82d84dee2d3f19fbd96ce785a419322f58e06754c1a12a785b7d59b5334d1cf1b32c7a1d46f0cf0b54e621939d280e625ba0ff3606

          Download Submit
        • C:\Users\Admin\AppData\Local\qnyzB\rrinstaller.exe
          Filesize

          54KB

          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qscjinkjzo.lnk
          Filesize

          1KB

          MD5

          afd1c4f9202e92a762a39f5d67af752b

          SHA1

          da8f7a68ae9ec4049bd13dddaa0fa2fbcdbc502d

          SHA256

          61c0938d7bb9d9e6d513ca8283e9b338dad6042cd55af9390e6248b305dd4a7f

          SHA512

          264d9db802469b785c984e6903d7ff88911bf45eb0bad5fb57b4743cab5c4ae7b156caf96f4d876d5bd15127ab8b5007ad9fcf13e16cdf06cc12994467e16f23

          Download Submit
        • \Users\Admin\AppData\Local\8gQP\MFC42u.dll
          Filesize

          1014KB

          MD5

          4087da50a811d23279a60f75f8e1b571

          SHA1

          af89a31abec0074fece6e3db0066d87bcc0c49b1

          SHA256

          cba83eadb420350639d0505f7d2930897737cdc46730157f91d5b5abf94e6b3c

          SHA512

          cdd9bbd82398bf8eacb1497079bd253bbd4ebb4f13f901f72dd31a45635e62d81929d716dcd53acd56ec2ab79921579b8d0b48ce0dc7ff56938eb54e408b2c86

          Download Submit
        • \Users\Admin\AppData\Local\Qgqpz9kmV\VERSION.dll
          Filesize

          987KB

          MD5

          7432e227141263e3c186eae6a98dcc59

          SHA1

          5dabdf87b9e6a49b3c9ccc6584f0a38873d3a3d9

          SHA256

          547eec79540f90507499c4e4c29efae4b7e331606ac359f7af3883d8ae7c0086

          SHA512

          d1a4f30e137480f974197f6eb3d6bce06c722b3dd6d43621e3a50b3ffc69e209357cb91a37243a3a11066fbad7764c746a505f352c8927b04d97a904e85919f6

          Download Submit
        • memory/1188-14-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1188-8-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1188-35-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1188-24-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1188-18-0x0000000002E00000-0x0000000002E07000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1188-12-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1188-11-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1188-10-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1188-9-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1188-36-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1188-5-0x0000000002E20000-0x0000000002E21000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1188-13-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1188-28-0x00000000777F0000-0x00000000777F2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1188-25-0x0000000077661000-0x0000000077662000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1188-4-0x0000000077456000-0x0000000077457000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1188-62-0x0000000077456000-0x0000000077457000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1188-7-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1580-92-0x0000000140000000-0x0000000140103000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/1580-90-0x00000000000F0000-0x00000000000F7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1580-87-0x0000000140000000-0x0000000140103000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/1656-44-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/1656-3-0x0000000000320000-0x0000000000327000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1656-0-0x0000000140000000-0x00000001400FC000-memory.dmp
          Filesize

          1008KB

          Download
        • memory/2244-70-0x0000000000290000-0x0000000000297000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2244-71-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2244-75-0x0000000140000000-0x00000001400FE000-memory.dmp
          Filesize

          1016KB

          Download
        • memory/2464-52-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2464-57-0x0000000140000000-0x00000001400FD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2464-55-0x0000000000390000-0x0000000000397000-memory.dmp
          Filesize

          28KB

          Download