dridex | f2cc03bcfda9a68e8701f34c643a255c1dc72115abf2c260f0a2ca83ec455c81

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70f2afce62d2845fe5b7fabff4224525_JaffaCakes118.dll
Size

992KB
MD5

70f2afce62d2845fe5b7fabff4224525
SHA1

dec3518e540edac940c041da3be9c975b2c2aeae
SHA256

f2cc03bcfda9a68e8701f34c643a255c1dc72115abf2c260f0a2ca83ec455c81
SHA512

8281d550445f0354f7f0c95905cea6b6c399787c4ad43b6880cc042f9ccd1b5bc0ace1dabe39feb631628a62b9031e827abe8df462f0759f7ee69a6ddf921ef2
SSDEEP

24576:4VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:4V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002E40000-0x0000000002E41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

rdpshell.exeirftp.exejavaws.execmstp.exe

pid process

2552 rdpshell.exe
2080 irftp.exe
2600 javaws.exe
2232 cmstp.exe
Loads dropped DLL 9 IoCs

Processes:

rdpshell.exeirftp.exejavaws.execmstp.exe

pid process

1200
2552 rdpshell.exe
1200
2080 irftp.exe
1200
2600 javaws.exe
1200
2232 cmstp.exe
1200

pid	process
2552	rdpshell.exe
2080	irftp.exe
2600	javaws.exe
2232	cmstp.exe

pid	process
1200
2552	rdpshell.exe
1200
2080	irftp.exe
1200
2600	javaws.exe
1200
2232	cmstp.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mqdbvnnwgmqj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\kkY\\irftp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpshell.exeirftp.execmstp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2928	rundll32.exe
2928	rundll32.exe
2928	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

description	pid	target process
PID 1200 wrote to memory of 2840	1200	rdpshell.exe
PID 1200 wrote to memory of 2840	1200	rdpshell.exe
PID 1200 wrote to memory of 2840	1200	rdpshell.exe
PID 1200 wrote to memory of 2552	1200	rdpshell.exe
PID 1200 wrote to memory of 2552	1200	rdpshell.exe
PID 1200 wrote to memory of 2552	1200	rdpshell.exe
PID 1200 wrote to memory of 2564	1200	irftp.exe
PID 1200 wrote to memory of 2564	1200	irftp.exe
PID 1200 wrote to memory of 2564	1200	irftp.exe
PID 1200 wrote to memory of 2080	1200	irftp.exe
PID 1200 wrote to memory of 2080	1200	irftp.exe
PID 1200 wrote to memory of 2080	1200	irftp.exe
PID 1200 wrote to memory of 2808	1200	javaws.exe
PID 1200 wrote to memory of 2808	1200	javaws.exe
PID 1200 wrote to memory of 2808	1200	javaws.exe
PID 1200 wrote to memory of 2600	1200	javaws.exe
PID 1200 wrote to memory of 2600	1200	javaws.exe
PID 1200 wrote to memory of 2600	1200	javaws.exe
PID 1200 wrote to memory of 756	1200	cmstp.exe
PID 1200 wrote to memory of 756	1200	cmstp.exe
PID 1200 wrote to memory of 756	1200	cmstp.exe
PID 1200 wrote to memory of 2232	1200	cmstp.exe
PID 1200 wrote to memory of 2232	1200	cmstp.exe
PID 1200 wrote to memory of 2232	1200	cmstp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70f2afce62d2845fe5b7fabff4224525_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2928

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:2840

C:\Users\Admin\AppData\Local\13F\rdpshell.exe
C:\Users\Admin\AppData\Local\13F\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2552

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:2564

C:\Users\Admin\AppData\Local\eXpqkSrg\irftp.exe
C:\Users\Admin\AppData\Local\eXpqkSrg\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2080

C:\Windows\system32\javaws.exe
C:\Windows\system32\javaws.exe
1⤵
PID:2808

C:\Users\Admin\AppData\Local\sCR4LG\javaws.exe
C:\Users\Admin\AppData\Local\sCR4LG\javaws.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:756

C:\Users\Admin\AppData\Local\uWQpENv\cmstp.exe
C:\Users\Admin\AppData\Local\uWQpENv\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2232

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\13F\WINSTA.dll
Filesize
997KB

MD5
95db3bfcef8a0a3e204cf7d34f84b102

SHA1
186afd5374022d6c6f1aeb3a93c4c82c44f42701

SHA256
d8048be967793e4e2c9b92cfdb3dcb194bfb6c7f5e5e3666edc6b01d391f85df

SHA512
4cb52711684e91440806420b8daaae32aef3cf96bbe190c71cf60f7b6c65b876bd69e9352edbaf40da84e0b0d0101e71b1258ef24a501bb80832403bf6f4ca4a

Download Submit
C:\Users\Admin\AppData\Local\eXpqkSrg\MFC42u.dll
Filesize
1019KB

MD5
959fb5c9f48491d058bdef9f00b284d8

SHA1
e2f06365c8dcf3ee887fa395d74c4aa13d05ebfb

SHA256
af601746d5dae2f7f21386b1e8dc9c2bbedeffe4be4398135f92889e49952f4a

SHA512
253d4ad11800232eca792baf320d09f1e5699f74c74d793456679ba3c0f3105182cddc01ec5876b31ff9f0ba3c909b7e3193d07a334b691fcf020772ee1f33c5

Download Submit
C:\Users\Admin\AppData\Local\sCR4LG\VERSION.dll
Filesize
992KB

MD5
8d780b1cccfb5fb67e5596918a4afe32

SHA1
47f54bf9c79043b75e7dfb3da82c2970b8154caf

SHA256
3e885ad89634e271a382205f1c4d22894547ffdca527b1af9fc8501d053147cc

SHA512
86c5981fdcca21ad7e4985ef52cdb3a13eb6f6b19a46880d2097316c13bf4855b75068fd4879c71ad5a06fffb7d5de90be17bf323c04c79c4a5bdb0bef9015cb

Download Submit
C:\Users\Admin\AppData\Local\uWQpENv\VERSION.dll
Filesize
992KB

MD5
9cf5fc46bd1a61a9ad3ba2f2a2498f55

SHA1
43fda3f581d514faff687b6170daf532f0fe9b6c

SHA256
e8a8f98f1435218ba2e3011400fdee20a3f0c7cb5aa14e5adbee6a5f9e72aa42

SHA512
678d149e11b74dd854051577c4b8a8765cb06167c37161911ab96dd727223cd9ba6016d7ea257a43a3443a8bb8cead3000a422b710f51cf2f8bdea2716b09936

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gemerzbimpg.lnk
Filesize
1KB

MD5
785f43fb4ca7bc2553118632f011b309

SHA1
32a50ae416dbeba8580d0461b5c4e1fc363aa428

SHA256
d82d88999a5cdbbf871fc1b054079bf3d36e26450968d37cc0744e3f9a657927

SHA512
55ccfcf9c51c39bcbdd2648c071ac1ab015dca3698746526a00388515ca7c902dbbe8732b5481b4e9df6236e7d6ca487c5c64ce3fd05c5b1026a691c5bf9c159

Download Submit
\Users\Admin\AppData\Local\13F\rdpshell.exe
Filesize
292KB

MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
\Users\Admin\AppData\Local\eXpqkSrg\irftp.exe
Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
\Users\Admin\AppData\Local\sCR4LG\javaws.exe
Filesize
312KB

MD5
f94bc1a70c942621c4279236df284e04

SHA1
8f46d89c7db415a7f48ccd638963028f63df4e4f

SHA256
be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

SHA512
60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Download Submit
\Users\Admin\AppData\Local\uWQpENv\cmstp.exe
Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
memory/1200-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-25-0x00000000775D1000-0x00000000775D2000-memory.dmp

Filesize
4KB

Download
memory/1200-24-0x0000000002600000-0x0000000002607000-memory.dmp

Filesize
28KB

Download
memory/1200-26-0x0000000077760000-0x0000000077762000-memory.dmp

Filesize
8KB

Download
memory/1200-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-62-0x00000000773C6000-0x00000000773C7000-memory.dmp

Filesize
4KB

Download
memory/1200-5-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/1200-4-0x00000000773C6000-0x00000000773C7000-memory.dmp

Filesize
4KB

Download
memory/2080-73-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2080-74-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/2080-70-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/2232-97-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2232-100-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2232-103-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2552-57-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2552-52-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2928-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2928-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2928-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads