dridex | 3fd4e602beb3bc04479f55c761c27cb0ef1d8011db499266eb6615d75d53c067

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28/07/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1452f13dc50be7b78017d4984f0b98c2_JaffaCakes118.dll
Size

1.2MB
MD5

1452f13dc50be7b78017d4984f0b98c2
SHA1

df176b802a4a5c9d9bad302c5116b7688c219859
SHA256

3fd4e602beb3bc04479f55c761c27cb0ef1d8011db499266eb6615d75d53c067
SHA512

af5e290af613a833236deb680d3bff9be6cfc60a71f0581edc7b15351cf385c79d5053366e39597030334dc6a3d7a62f32cc01ace478b9640c4fa4fdc28e5d4b
SSDEEP

24576:yuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:a9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1188-5-0x0000000002E80000-0x0000000002E81000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2556	Dxpserver.exe
2420	raserver.exe
1856	mblctr.exe

Loads dropped DLL 7 IoCs

pid	Process
1188	Process not Found
2556	Dxpserver.exe
1188	Process not Found
2420	raserver.exe
1188	Process not Found
1856	mblctr.exe
1188	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qdgopofbxbljb = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\lC4QK\\raserver.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1472	rundll32.exe
1472	rundll32.exe
1472	rundll32.exe
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2240	1188	Process not Found	30
PID 1188 wrote to memory of 2240	1188	Process not Found	30
PID 1188 wrote to memory of 2240	1188	Process not Found	30
PID 1188 wrote to memory of 2556	1188	Process not Found	31
PID 1188 wrote to memory of 2556	1188	Process not Found	31
PID 1188 wrote to memory of 2556	1188	Process not Found	31
PID 1188 wrote to memory of 2384	1188	Process not Found	32
PID 1188 wrote to memory of 2384	1188	Process not Found	32
PID 1188 wrote to memory of 2384	1188	Process not Found	32
PID 1188 wrote to memory of 2420	1188	Process not Found	33
PID 1188 wrote to memory of 2420	1188	Process not Found	33
PID 1188 wrote to memory of 2420	1188	Process not Found	33
PID 1188 wrote to memory of 1992	1188	Process not Found	34
PID 1188 wrote to memory of 1992	1188	Process not Found	34
PID 1188 wrote to memory of 1992	1188	Process not Found	34
PID 1188 wrote to memory of 1856	1188	Process not Found	35
PID 1188 wrote to memory of 1856	1188	Process not Found	35
PID 1188 wrote to memory of 1856	1188	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1452f13dc50be7b78017d4984f0b98c2_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1472

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:2240

C:\Users\Admin\AppData\Local\xynJo\Dxpserver.exe
C:\Users\Admin\AppData\Local\xynJo\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2556

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2384

C:\Users\Admin\AppData\Local\bob\raserver.exe
C:\Users\Admin\AppData\Local\bob\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2420

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:1992

C:\Users\Admin\AppData\Local\R7AazwY\mblctr.exe
C:\Users\Admin\AppData\Local\R7AazwY\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\R7AazwY\UxTheme.dll

Filesize
1.2MB

MD5
66dcc48d05a7fb4930f9da682a7cd0f4

SHA1
8018924ef9185579e0bf63a17047fc3c98d308db

SHA256
8aa46384c816d8be67a2c234419c8c9f129816c0724c2d9c3ddfc479f3f7ed2b

SHA512
593baed5a4b2f659edcc305ad0428ae1b9051f1a850fa3636ad99dc2ca8cd34c621a6de26ab80451aeb797472e92f185e74dc88914bdb0dce7cd989ace8f55ba

Download Submit
C:\Users\Admin\AppData\Local\R7AazwY\mblctr.exe

Filesize
935KB

MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
C:\Users\Admin\AppData\Local\bob\WTSAPI32.dll

Filesize
1.2MB

MD5
8bc0d4886cb6df81b00ee131a64bd609

SHA1
42bf6c733a1b6df1f83a5b885dd41fe81dac7aa2

SHA256
504b7277610bdc88a3b8e4eac673ed964b78a16e865c78d1d0957369118bfa44

SHA512
d570ca3163744baca2cab8f43144807c302d374679e6f9d1dbb0574f7d5c47cfed494434c598b74bee5e43fd4fe2bd512845005c87297ee89c3a37452af20f2f

Download Submit
C:\Users\Admin\AppData\Local\xynJo\dwmapi.dll

Filesize
1.2MB

MD5
663e3b004241099925060936b16efb07

SHA1
de4f677b1be4011385b6dde2337da1d94079a7d0

SHA256
74422e3efd52f4f9f6d4f58f7b7402c3224850b67446dbdb0c1670f19a8d77f1

SHA512
efb664e9baae84fbd36d5ffaf5457f4acbf7863f86c249aba067b5d8e710abf333ae7477ab930c7c947da50219539e980b5d658a5e00792e0b158fb076172080

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dzyzbjcaevupvd.lnk

Filesize
1KB

MD5
4ebbde9be5ec38c5514076dcefdeec66

SHA1
27c4f13e377537b8d4aad3c07aec717d0573761d

SHA256
a6b25372e3137b72f6d076fdfd22a6c50c8a53551c854a6819cdc09df7ed015a

SHA512
a56ce861fe3a19be86e6f42e151ae91b2750bcd1bf31c078b9873947178540ad7ba4b3e84435af9e5667cc6fcf534a08f7cbec278978cf760571a74aa6baf8aa

Download Submit
\Users\Admin\AppData\Local\bob\raserver.exe

Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
\Users\Admin\AppData\Local\xynJo\Dxpserver.exe

Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
memory/1188-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-4-0x0000000077586000-0x0000000077587000-memory.dmp

Filesize
4KB

Download
memory/1188-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-30-0x0000000077820000-0x0000000077822000-memory.dmp

Filesize
8KB

Download
memory/1188-29-0x0000000077691000-0x0000000077692000-memory.dmp

Filesize
4KB

Download
memory/1188-26-0x0000000002E60000-0x0000000002E67000-memory.dmp

Filesize
28KB

Download
memory/1188-25-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-17-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-37-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-38-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-5-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/1188-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-75-0x0000000077586000-0x0000000077587000-memory.dmp

Filesize
4KB

Download
memory/1188-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1188-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1472-46-0x000007FEF6520000-0x000007FEF6652000-memory.dmp

Filesize
1.2MB

Download
memory/1472-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1472-1-0x000007FEF6520000-0x000007FEF6652000-memory.dmp

Filesize
1.2MB

Download
memory/1856-96-0x000007FEF6520000-0x000007FEF6653000-memory.dmp

Filesize
1.2MB

Download
memory/2420-76-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2420-72-0x000007FEF6520000-0x000007FEF6653000-memory.dmp

Filesize
1.2MB

Download
memory/2420-79-0x000007FEF6520000-0x000007FEF6653000-memory.dmp

Filesize
1.2MB

Download
memory/2556-60-0x000007FEF7550000-0x000007FEF7683000-memory.dmp

Filesize
1.2MB

Download
memory/2556-55-0x000007FEF7550000-0x000007FEF7683000-memory.dmp

Filesize
1.2MB

Download
memory/2556-54-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download