Overview

overview

10

Static

static

3

b0386ba950...18.dll

windows7-x64

10

b0386ba950...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    15-06-2024 21:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0386ba950a1b343ae0b01e8c98e0a4c_JaffaCakes118.dll

  • Size

    1.4MB

  • MD5

    b0386ba950a1b343ae0b01e8c98e0a4c

  • SHA1

    5f2cca191a83203b55710072c5cef194bdfc7b83

  • SHA256

    80945307d35592bafc62a4521f865dccdee21e442dc15d533675207d6c012614

  • SHA512

    088224073d06521d9c43ecea1b493d12bb39ffa3f40db879c0b69c462a621db343cf7c03740304e063158b18d41ab747ecd99980c865068abcb8ced2125eda5c

  • SSDEEP

    24576:4uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NP:I9cKrUqZWLAcUH

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0386ba950a1b343ae0b01e8c98e0a4c_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1932
  • C:\Windows\system32\DeviceDisplayObjectProvider.exe
    C:\Windows\system32\DeviceDisplayObjectProvider.exe
    1⤵
      PID:2796
    • C:\Users\Admin\AppData\Local\SYAcTUKBo\DeviceDisplayObjectProvider.exe
      C:\Users\Admin\AppData\Local\SYAcTUKBo\DeviceDisplayObjectProvider.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2496
    • C:\Windows\system32\cmstp.exe
      C:\Windows\system32\cmstp.exe
      1⤵
        PID:2524
      • C:\Users\Admin\AppData\Local\Nb2\cmstp.exe
        C:\Users\Admin\AppData\Local\Nb2\cmstp.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2072
      • C:\Windows\system32\dvdupgrd.exe
        C:\Windows\system32\dvdupgrd.exe
        1⤵
          PID:2760
        • C:\Users\Admin\AppData\Local\6F8aweN1\dvdupgrd.exe
          C:\Users\Admin\AppData\Local\6F8aweN1\dvdupgrd.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2780

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6F8aweN1\VERSION.dll
          Filesize

          1.4MB

          MD5

          510ce1d045b3e0a36167aee9e734481d

          SHA1

          055a563d4849305537c004b1edd806ab2120bcd2

          SHA256

          cd47ef32260203cceb27693cc17c040c030be0e41e4a63146a4508b60f1f7468

          SHA512

          c2a7212e97ff57473939a7624038d93b345368eab0b279f71bc173e72ae4788ecfa7843580b8d4243fd2152fc85aa0df945b140d6aac030e3fec4f8400475223

          Download Submit
        • C:\Users\Admin\AppData\Local\6F8aweN1\dvdupgrd.exe
          Filesize

          25KB

          MD5

          75a9b4172eac01d9648c6d2133af952f

          SHA1

          63c7e1af762d2b584e9cc841e8b0100f2a482b81

          SHA256

          18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

          SHA512

          5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

          Download Submit
        • C:\Users\Admin\AppData\Local\Nb2\VERSION.dll
          Filesize

          1.4MB

          MD5

          d9b849d487efa79bd64b4a3007201c4e

          SHA1

          c19819086bd6ad6cdcea6c09f67b5810dfbd7e41

          SHA256

          d75174f0eda30f8e2cbd48da11954ea7a05f4237b1d5879410300f3ad22d829e

          SHA512

          863e4fe6eb6aeae48ab58dbd04c5d8bfdb59bb0a5108bc1baafba5d6e793535587f9d8a10e595b54bf991ac9157eb734fde996d3ba680b103576aac794c4f54a

          Download Submit
        • C:\Users\Admin\AppData\Local\SYAcTUKBo\XmlLite.dll
          Filesize

          1.4MB

          MD5

          0480e15546611d496626a7ec1ca5c434

          SHA1

          f406715758013feef0e5a711b641b13df6f4f7b3

          SHA256

          6be3be073e9e5721be067de6d830ea67b48a1b52ac2307b38c268e38841490fe

          SHA512

          ddcdfe3d9af3d9a31ae4f070e70c8cfd0c3c74a32095d9f0fe59ea8d94fabdee55b352cb64d7f02fd1a08b554f41f293b85fcc8bf2abdcfdf3bf473dcbfd858c

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk
          Filesize

          1000B

          MD5

          dffd958bf2630040e02890afe4fa02cc

          SHA1

          b96a4edc2457aac84c2ebac7f5c5f0890e779db9

          SHA256

          88aa805fb5e305cb02e2791805f377318f5b8ac9b91af5c6c9dd533bb312f5bc

          SHA512

          8d4130ee4c1557aa0c45d8529556904eccd9e957ef4d4775203fd79adf858e6f1b5f9bbb186d01a527f00ad07fbe0c20657a642e177b24fe49a2ba0d71247460

          Download Submit
        • \Users\Admin\AppData\Local\Nb2\cmstp.exe
          Filesize

          90KB

          MD5

          74c6da5522f420c394ae34b2d3d677e3

          SHA1

          ba135738ef1fb2f4c2c6c610be2c4e855a526668

          SHA256

          51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

          SHA512

          bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

          Download Submit
        • \Users\Admin\AppData\Local\SYAcTUKBo\DeviceDisplayObjectProvider.exe
          Filesize

          109KB

          MD5

          7e2eb3a4ae11190ef4c8a9b9a9123234

          SHA1

          72e98687a8d28614e2131c300403c2822856e865

          SHA256

          8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

          SHA512

          18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

          Download Submit
        • memory/1196-27-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-18-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-16-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-4-0x0000000077A76000-0x0000000077A77000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1196-19-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-32-0x0000000077D10000-0x0000000077D12000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1196-31-0x0000000077B81000-0x0000000077B82000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1196-33-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-34-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-28-0x0000000002AD0000-0x0000000002AD7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1196-15-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-14-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-13-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-12-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-10-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-9-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-5-0x0000000002E00000-0x0000000002E01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1196-17-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-11-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-68-0x0000000077A76000-0x0000000077A77000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1196-8-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1196-7-0x0000000140000000-0x000000014016E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1932-42-0x000007FEF67C0000-0x000007FEF692E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1932-0-0x000007FEF67C0000-0x000007FEF692E000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/1932-3-0x00000000002B0000-0x00000000002B7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2072-69-0x0000000000110000-0x0000000000117000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2072-70-0x000007FEF67C0000-0x000007FEF692F000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/2072-75-0x000007FEF67C0000-0x000007FEF692F000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/2496-56-0x000007FEF71D0000-0x000007FEF733F000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/2496-53-0x00000000000F0000-0x00000000000F7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2496-50-0x000007FEF71D0000-0x000007FEF733F000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/2780-90-0x00000000002A0000-0x00000000002A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2780-93-0x000007FEF67C0000-0x000007FEF692F000-memory.dmp
          Filesize

          1.4MB

          Download