Overview

overview

10

Static

static

3

b5cfd98455...18.dll

windows7-x64

10

b5cfd98455...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    16-06-2024 23:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5cfd9845527c8ffe61743970ecb3358_JaffaCakes118.dll

  • Size

    1.2MB

  • MD5

    b5cfd9845527c8ffe61743970ecb3358

  • SHA1

    1ef2c055ef942f2a098cce8bdbe573ab090d1442

  • SHA256

    859ccbb68d0b4bf473f0778957e8a02bf705c6bdde460b1c7e78097eda1c1018

  • SHA512

    20bbf343af284589ff17b3e5b54c2b3be3da1193cccfb0d49d7c55668235b2aebd871cffcd388c20e3cd47e9899e63b3c7a886597d1de56be57cae56ee5ebce4

  • SSDEEP

    24576:nVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:nV8hf6STw1ZlQauvzSq01ICe6zvm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5cfd9845527c8ffe61743970ecb3358_JaffaCakes118.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2224
  • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    1⤵
      PID:2616
    • C:\Users\Admin\AppData\Local\KK9a\SystemPropertiesDataExecutionPrevention.exe
      C:\Users\Admin\AppData\Local\KK9a\SystemPropertiesDataExecutionPrevention.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2652
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      1⤵
        PID:2460
      • C:\Users\Admin\AppData\Local\AyqKZ\wermgr.exe
        C:\Users\Admin\AppData\Local\AyqKZ\wermgr.exe
        1⤵
        • Executes dropped EXE
        PID:1624
      • C:\Windows\system32\OptionalFeatures.exe
        C:\Windows\system32\OptionalFeatures.exe
        1⤵
          PID:2820
        • C:\Users\Admin\AppData\Local\UzjuiS\OptionalFeatures.exe
          C:\Users\Admin\AppData\Local\UzjuiS\OptionalFeatures.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2808
        • C:\Windows\system32\vmicsvc.exe
          C:\Windows\system32\vmicsvc.exe
          1⤵
            PID:1332
          • C:\Users\Admin\AppData\Local\2ut6YjVQ\vmicsvc.exe
            C:\Users\Admin\AppData\Local\2ut6YjVQ\vmicsvc.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:1504

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Query Registry

          1
          T1012

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\2ut6YjVQ\ACTIVEDS.dll
            Filesize

            1.2MB

            MD5

            3703aae653c16cb63f4432ffb311fff3

            SHA1

            4039fc56edca9bbcc2e3b332ad013705546acc97

            SHA256

            74afa349727fa5d0abcd3df74fc13d0d8e75ab2602d7c9e2e8a0f849fe779a40

            SHA512

            ac0e696808f2845bba6952582d32adbdf6b7f5c68a1ff71c43df1e4d9b4a7e63540c9ba291d0372e7fe765ca4820d5f5fc919f9bda670339b97c1fce523cbe1a

            Download Submit
          • C:\Users\Admin\AppData\Local\KK9a\SYSDM.CPL
            Filesize

            1.2MB

            MD5

            30b5be6c2c1245866b293d7b0da1d6f4

            SHA1

            78d606cccb3d481be9a286f663a67b5dbb1012dc

            SHA256

            9907da8aefc7ddd93dc1d20a2d029890a3fe66dfb021a019ba2e7febbf45eaa9

            SHA512

            ca1933a579ead831169ce44266a332bff711fc7fc540ef9e02673cba4c63fde596443cd134c4f39f83664389d96118665810fd362637119b13cd5f94d20d7f77

            Download Submit
          • C:\Users\Admin\AppData\Local\UzjuiS\appwiz.cpl
            Filesize

            1.2MB

            MD5

            932e5b85930a7bb1becac307b4a41e27

            SHA1

            f1ea6cd2be4b6147cdb7e3044900592d3dc6e266

            SHA256

            39e09dcf5e85bc2cc4347a403cc449ab0660df33d8a6f8bc6230b7d148afd1a5

            SHA512

            1addbef920b9a012f72579a78bcb5261d78cb0f214b74a785e23686f0720d65694012ce42826af28dfca1b910bbd4a4eab525defad3647d5999c5c732e2e37cc

            Download Submit
          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Egmip.lnk
            Filesize

            1KB

            MD5

            02df597e34c58b3d42fdef761dd20377

            SHA1

            db8160e6bb56aa7bb364b291cb9f54f567cf0852

            SHA256

            2c3d9947b6b248e7c2c0422fef7f9115dae8868facdba8eaf280e2863f7ab91c

            SHA512

            b71f03125c49638c29a398d05777886d058aa440e5685bc81adb8b940e93cd2f32102a84b19a49f5a435e1da05ee026b8b0af48ca4dac602d870773e2b95d6e6

            Download Submit
          • \Users\Admin\AppData\Local\2ut6YjVQ\vmicsvc.exe
            Filesize

            238KB

            MD5

            79e14b291ca96a02f1eb22bd721deccd

            SHA1

            4c8dbff611acd8a92cd2280239f78bebd2a9947e

            SHA256

            d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

            SHA512

            f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

            Download Submit
          • \Users\Admin\AppData\Local\AyqKZ\wermgr.exe
            Filesize

            49KB

            MD5

            41df7355a5a907e2c1d7804ec028965d

            SHA1

            453263d230c6317eb4a2eb3aceeec1bbcf5e153d

            SHA256

            207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

            SHA512

            59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

            Download Submit
          • \Users\Admin\AppData\Local\KK9a\SystemPropertiesDataExecutionPrevention.exe
            Filesize

            80KB

            MD5

            e43ff7785fac643093b3b16a9300e133

            SHA1

            a30688e84c0b0a22669148fe87680b34fcca2fba

            SHA256

            c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

            SHA512

            61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

            Download Submit
          • \Users\Admin\AppData\Local\UzjuiS\OptionalFeatures.exe
            Filesize

            95KB

            MD5

            eae7af6084667c8f05412ddf096167fc

            SHA1

            0dbe8aba001447030e48e8ad5466fd23481e6140

            SHA256

            01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

            SHA512

            172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

            Download Submit
          • memory/1356-27-0x0000000077290000-0x0000000077292000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1356-25-0x0000000002A10000-0x0000000002A17000-memory.dmp
            Filesize

            28KB

            Download
          • memory/1356-14-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1356-13-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1356-12-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1356-11-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1356-9-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1356-26-0x0000000077101000-0x0000000077102000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1356-4-0x0000000076FF6000-0x0000000076FF7000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1356-37-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1356-36-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1356-5-0x0000000002A30000-0x0000000002A31000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1356-24-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1356-15-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1356-7-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1356-10-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1356-8-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1356-64-0x0000000076FF6000-0x0000000076FF7000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1504-105-0x0000000140000000-0x0000000140131000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2224-45-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2224-0-0x0000000000110000-0x0000000000117000-memory.dmp
            Filesize

            28KB

            Download
          • memory/2224-1-0x0000000140000000-0x0000000140130000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2652-59-0x0000000140000000-0x0000000140131000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2652-54-0x0000000140000000-0x0000000140131000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2652-53-0x0000000000170000-0x0000000000177000-memory.dmp
            Filesize

            28KB

            Download
          • memory/2808-88-0x0000000140000000-0x0000000140131000-memory.dmp
            Filesize

            1.2MB

            Download