dridex | 339daa6caefda7397da9e0e67e855cacb27afed32537c22bd975e3352f340513

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc4b33a58a3e5a3d9e79c705f1c4684b_JaffaCakes118.dll
Size

2.0MB
MD5

fc4b33a58a3e5a3d9e79c705f1c4684b
SHA1

7e51a8e6a888eef2018cf6877f715ef75e3f4edb
SHA256

339daa6caefda7397da9e0e67e855cacb27afed32537c22bd975e3352f340513
SHA512

f2ae2697d3b2def9b98fc1a1a9dfe9522befc6b53b477b851f846ac089ea73a354fa9012e4236856608f725d8b18728a2e16d3bdfdbc2007d78443ecb8dbe8fe
SSDEEP

12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1284-5-0x0000000002A10000-0x0000000002A11000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wusa.exeSystemPropertiesHardware.exerdrleakdiag.exe

pid process

2844 wusa.exe
2224 SystemPropertiesHardware.exe
2496 rdrleakdiag.exe
Loads dropped DLL 7 IoCs

Processes:

wusa.exeSystemPropertiesHardware.exerdrleakdiag.exe

pid process

1284
2844 wusa.exe
1284
2224 SystemPropertiesHardware.exe
1284
2496 rdrleakdiag.exe
1284

pid	process
2844	wusa.exe
2224	SystemPropertiesHardware.exe
2496	rdrleakdiag.exe

pid	process
1284
2844	wusa.exe
1284
2224	SystemPropertiesHardware.exe
1284
2496	rdrleakdiag.exe
1284

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\8Fdt78\\SystemPropertiesHardware.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wusa.exeSystemPropertiesHardware.exerdrleakdiag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdrleakdiag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
1368	regsvr32.exe
1368	regsvr32.exe
1368	regsvr32.exe
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1284 wrote to memory of 2904	1284	wusa.exe
PID 1284 wrote to memory of 2904	1284	wusa.exe
PID 1284 wrote to memory of 2904	1284	wusa.exe
PID 1284 wrote to memory of 2844	1284	wusa.exe
PID 1284 wrote to memory of 2844	1284	wusa.exe
PID 1284 wrote to memory of 2844	1284	wusa.exe
PID 1284 wrote to memory of 636	1284	SystemPropertiesHardware.exe
PID 1284 wrote to memory of 636	1284	SystemPropertiesHardware.exe
PID 1284 wrote to memory of 636	1284	SystemPropertiesHardware.exe
PID 1284 wrote to memory of 2224	1284	SystemPropertiesHardware.exe
PID 1284 wrote to memory of 2224	1284	SystemPropertiesHardware.exe
PID 1284 wrote to memory of 2224	1284	SystemPropertiesHardware.exe
PID 1284 wrote to memory of 2600	1284	rdrleakdiag.exe
PID 1284 wrote to memory of 2600	1284	rdrleakdiag.exe
PID 1284 wrote to memory of 2600	1284	rdrleakdiag.exe
PID 1284 wrote to memory of 2496	1284	rdrleakdiag.exe
PID 1284 wrote to memory of 2496	1284	rdrleakdiag.exe
PID 1284 wrote to memory of 2496	1284	rdrleakdiag.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fc4b33a58a3e5a3d9e79c705f1c4684b_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:2904

C:\Users\Admin\AppData\Local\8JvPGxxKU\wusa.exe
C:\Users\Admin\AppData\Local\8JvPGxxKU\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2844

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:636

C:\Users\Admin\AppData\Local\xH9\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\xH9\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2224

C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
1⤵
PID:2600

C:\Users\Admin\AppData\Local\97h\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\97h\rdrleakdiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8JvPGxxKU\dpx.dll

Filesize
2.0MB

MD5
dc436923cbf87c39ff33bf5c8d814993

SHA1
751c848998a551c4397521e39a337ed5fad3a5dd

SHA256
acaa2a01f1d4ad3e283077b0a5d91049e1f2df7493921735afb48502f43f691d

SHA512
af4c2f722f0ed51045976ca5ae95780e7e3dfdabb97301457880fd91c3f92fab8a9c07a35595eb3539a06dd1a0e227c97b9bc47865a6c624db4ec1e2d157c162

Download Submit
C:\Users\Admin\AppData\Local\8JvPGxxKU\wusa.exe

Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
C:\Users\Admin\AppData\Local\97h\VERSION.dll

Filesize
2.0MB

MD5
a4795ea2758f42e8a897516184aacbd0

SHA1
450a9c20124b6ea3793f4cc458a06b2ae853c222

SHA256
b8a2594ea28e4dc4da46ba5e0a13e5e71eb4250d0a677ff9c08da5248244f6da

SHA512
4dd8746845e189562e2d780319c7567088dd9687364e1566c3a991e3298ff1dbafdc65076361b7cf56df81a4febc082960b61cd16f4703ec3204516ee4298d8c

Download Submit
C:\Users\Admin\AppData\Local\xH9\SYSDM.CPL

Filesize
2.0MB

MD5
6b625f7384dc3ebcdb4480534b58c998

SHA1
04273523007680b7e63d6ff84a5de9ebd9508a10

SHA256
b8a5da8ed2c5002e099c717c014f457603429ec1cfc6b9ab5dc39af394d221b3

SHA512
f9fa4e04fd49fa635962303067102970a139bcd6d329647e4d1f410c3ed5dc1de1b509bbfe4b101cb249155425e5c28177dad2b757ae69b24163f35d3808a170

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk

Filesize
1KB

MD5
56e6791d0d37f35ab0571776c9b7da2e

SHA1
bc0142a4799ba047e4f5621ce3c61e56cf4fb9d2

SHA256
7a1c06c99168e783d5459533fd96c09a885b48abb6c4001088b6498d27719722

SHA512
09389dac95b06b93fbb561ad79458c4332e757716c5659cd46960f9af87d195b73ca3081ca1bc0adccb12435683511acf9b27376404e74133d618113115d5dbe

Download Submit
\Users\Admin\AppData\Local\97h\rdrleakdiag.exe

Filesize
39KB

MD5
5e058566af53848541fa23fba4bb5b81

SHA1
769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

SHA256
ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

SHA512
352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

Download Submit
\Users\Admin\AppData\Local\xH9\SystemPropertiesHardware.exe

Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
memory/1284-37-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-42-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-18-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-19-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-43-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-16-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-15-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-20-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-25-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-24-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-23-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-22-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-21-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-32-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-33-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-31-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-30-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-29-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-28-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-27-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-26-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-34-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-35-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-36-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-38-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-4-0x0000000077AA6000-0x0000000077AA7000-memory.dmp

Filesize
4KB

Download
memory/1284-39-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-41-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-5-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1284-17-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-7-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-45-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-44-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-47-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-46-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-49-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-48-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-50-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-52-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-51-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-54-0x00000000029E0000-0x00000000029E7000-memory.dmp

Filesize
28KB

Download
memory/1284-53-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-61-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-63-0x0000000077D10000-0x0000000077D12000-memory.dmp

Filesize
8KB

Download
memory/1284-62-0x0000000077BB1000-0x0000000077BB2000-memory.dmp

Filesize
4KB

Download
memory/1284-72-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-8-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-11-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-148-0x0000000077AA6000-0x0000000077AA7000-memory.dmp

Filesize
4KB

Download
memory/1284-40-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-10-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-13-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-12-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1284-14-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1368-9-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1368-1-0x00000000000B0000-0x00000000000B7000-memory.dmp

Filesize
28KB

Download
memory/1368-0-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2224-110-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/2496-128-0x0000000000210000-0x0000000000217000-memory.dmp

Filesize
28KB

Download
memory/2844-90-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download