dridex | bb2072b180f158e3c9473af4d94abe6989741d81f72861e4230c35ca2cb04b04

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f7a623c394f68d9d01256a739dc60b8_JaffaCakes118.dll
Size

816KB
MD5

6f7a623c394f68d9d01256a739dc60b8
SHA1

80236913566d2427f3f39e866340434ba501726b
SHA256

bb2072b180f158e3c9473af4d94abe6989741d81f72861e4230c35ca2cb04b04
SHA512

fbc4702c4005335ab90a6f038d92947050d5626c5560b40ce6bfc07bc1ccd9fe7927879de97717a294349124a37517f4f22850ffb82f42479aedb1eeb56d38e5
SSDEEP

12288:zdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:BMIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1180-4-0x00000000025B0000-0x00000000025B1000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2556-0-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral1/memory/1180-46-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral1/memory/1180-57-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral1/memory/1180-59-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral1/memory/2556-66-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral1/memory/2664-74-0x0000000140000000-0x00000001400CD000-memory.dmp	dridex_payload
behavioral1/memory/2664-79-0x0000000140000000-0x00000001400CD000-memory.dmp	dridex_payload
behavioral1/memory/2164-95-0x0000000140000000-0x00000001400CD000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2664	DWWIN.EXE
2164	wbengine.exe
1864	wscript.exe

Loads dropped DLL 8 IoCs

pid	Process
1180	Process not Found
2664	DWWIN.EXE
1180	Process not Found
2164	wbengine.exe
1180	Process not Found
1180	Process not Found
1864	wscript.exe
1180	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wqbazsgxtjodx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\ntVg6Q\\wbengine.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wbengine.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	rundll32.exe
2556	rundll32.exe
2556	rundll32.exe
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found
1180	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2624	1180	Process not Found	31
PID 1180 wrote to memory of 2624	1180	Process not Found	31
PID 1180 wrote to memory of 2624	1180	Process not Found	31
PID 1180 wrote to memory of 2664	1180	Process not Found	32
PID 1180 wrote to memory of 2664	1180	Process not Found	32
PID 1180 wrote to memory of 2664	1180	Process not Found	32
PID 1180 wrote to memory of 760	1180	Process not Found	33
PID 1180 wrote to memory of 760	1180	Process not Found	33
PID 1180 wrote to memory of 760	1180	Process not Found	33
PID 1180 wrote to memory of 2164	1180	Process not Found	34
PID 1180 wrote to memory of 2164	1180	Process not Found	34
PID 1180 wrote to memory of 2164	1180	Process not Found	34
PID 1180 wrote to memory of 1336	1180	Process not Found	35
PID 1180 wrote to memory of 1336	1180	Process not Found	35
PID 1180 wrote to memory of 1336	1180	Process not Found	35
PID 1180 wrote to memory of 1864	1180	Process not Found	36
PID 1180 wrote to memory of 1864	1180	Process not Found	36
PID 1180 wrote to memory of 1864	1180	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7a623c394f68d9d01256a739dc60b8_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:2624

C:\Users\Admin\AppData\Local\gbYwjiR\DWWIN.EXE
C:\Users\Admin\AppData\Local\gbYwjiR\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2664

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:760

C:\Users\Admin\AppData\Local\FKv\wbengine.exe
C:\Users\Admin\AppData\Local\FKv\wbengine.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2164

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:1336

C:\Users\Admin\AppData\Local\RVckV\wscript.exe
C:\Users\Admin\AppData\Local\RVckV\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\RVckV\VERSION.dll

Filesize
820KB

MD5
ac5f980cc898d336b8e57813d58fa82d

SHA1
3790fa16287f1c080d573b06629a5b0ce46b6e85

SHA256
29ee767ee9e41aff1d32124a13c7949884fabcce01edd668c64fe56333aea671

SHA512
2a8a771bf9e7ab82c53fb01b3fcc9d2d2adf37651f13d65af3697a670c9dbb94c0849d43b6e970892d68a808e754bbfb6f4b6a01f869b6e417d41bb592de8d0a

Download Submit
C:\Users\Admin\AppData\Local\gbYwjiR\VERSION.dll

Filesize
820KB

MD5
aaee068622c22ce3fe1d96730cb89330

SHA1
a20aa42e8f898e72e5b0d35142fcdb664b8ac0a3

SHA256
b81a8e8e0344ce05883f520ef929d962e06184cc83cde2001a1423b018d03772

SHA512
01fbb8f72506ed29e9ffc96089de5f6069ee12b93b47a5705ab6d2cc1ce970b6cb4140bc9d29d43d9382d807064b96a88de83c93a75c9b746aedd5d8a9e35b21

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk

Filesize
1KB

MD5
40e44fed3007a5b6c3fa320054e6f36c

SHA1
84f8e185c7fabd7650d3c109327c3a5df62a04ee

SHA256
18913523eabca6e3721f33de544e55fb5c40f2bc74b7a048ed8282955d5c336e

SHA512
ecd68860d3d4c7289e7e8d5bdea864442acb039e53ab44ee5bd4e35da087db5a3d77a04922c42453ce33304eb5c7b89c9ba4c6d499d3a819e590f471e9a4c669

Download Submit
\Users\Admin\AppData\Local\FKv\XmlLite.dll

Filesize
820KB

MD5
d408d37ba09b58b80a90bca869580925

SHA1
4ada6044057114b05527cf0defb73b63f331e5cb

SHA256
8668816ff1e702b683ed7b0fff12e3c11433fe03799e1d2aac1ef2a2b2d39d96

SHA512
bf6d835a3aa2d202c0fad38e457f2f228c58cfd114aa8b82252be3d2de5f42ab9efef01a1c312e380488629738b49180e44c3be758f3368d18ed71238160a2d5

Download Submit
\Users\Admin\AppData\Local\FKv\wbengine.exe

Filesize
1.4MB

MD5
78f4e7f5c56cb9716238eb57da4b6a75

SHA1
98b0b9db6ec5961dbb274eff433a8bc21f7e557b

SHA256
46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

SHA512
1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

Download Submit
\Users\Admin\AppData\Local\RVckV\wscript.exe

Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\gbYwjiR\DWWIN.EXE

Filesize
149KB

MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
memory/1180-28-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-24-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-11-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-10-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-17-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-18-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-16-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-15-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-14-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-13-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-45-0x0000000002590000-0x0000000002597000-memory.dmp

Filesize
28KB

Download
memory/1180-46-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-37-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-36-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-35-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-34-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-33-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-32-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-31-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-30-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-29-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-3-0x0000000076FB6000-0x0000000076FB7000-memory.dmp

Filesize
4KB

Download
memory/1180-27-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-26-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-25-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-12-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-23-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-22-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-21-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-20-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-19-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-47-0x0000000077320000-0x0000000077322000-memory.dmp

Filesize
8KB

Download
memory/1180-48-0x0000000077350000-0x0000000077352000-memory.dmp

Filesize
8KB

Download
memory/1180-57-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-59-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-4-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1180-6-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-7-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-100-0x0000000076FB6000-0x0000000076FB7000-memory.dmp

Filesize
4KB

Download
memory/1180-9-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1180-8-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1864-113-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2164-95-0x0000000140000000-0x00000001400CD000-memory.dmp

Filesize
820KB

Download
memory/2556-66-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/2556-0-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/2556-2-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2664-79-0x0000000140000000-0x00000001400CD000-memory.dmp

Filesize
820KB

Download
memory/2664-76-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2664-74-0x0000000140000000-0x00000001400CD000-memory.dmp

Filesize
820KB

Download