dridex | 9da5bd994dc18b71c846a1f0b17dcd2c12e40210966e5d8ea4b7fa22b2da8cb1

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-07-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14bd37f5d3223dc8f0020dbbadbb42b7_JaffaCakes118.dll
Size

1.2MB
MD5

14bd37f5d3223dc8f0020dbbadbb42b7
SHA1

5a2c292ed148afccce224275633d56e602cc458a
SHA256

9da5bd994dc18b71c846a1f0b17dcd2c12e40210966e5d8ea4b7fa22b2da8cb1
SHA512

b8d3dd1404cf153dc70ff13c4a308e288997991df2912e1261c69c006ab4d63143989922366d20eed846482de5d6a6209b6b3b2fe25e7ab3cdce85b48c406282
SSDEEP

24576:CuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:K9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1260-5-0x0000000002E60000-0x0000000002E61000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2256	mmc.exe
2880	DevicePairingWizard.exe
1368	SystemPropertiesDataExecutionPrevention.exe

Loads dropped DLL 7 IoCs

pid	Process
1260	Process not Found
2256	mmc.exe
1260	Process not Found
2880	DevicePairingWizard.exe
1260	Process not Found
1368	SystemPropertiesDataExecutionPrevention.exe
1260	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcbsdqtxprcnbm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\Wz\\DevicePairingWizard.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1892	regsvr32.exe
1892	regsvr32.exe
1892	regsvr32.exe
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2568	1260	Process not Found	30
PID 1260 wrote to memory of 2568	1260	Process not Found	30
PID 1260 wrote to memory of 2568	1260	Process not Found	30
PID 1260 wrote to memory of 2256	1260	Process not Found	31
PID 1260 wrote to memory of 2256	1260	Process not Found	31
PID 1260 wrote to memory of 2256	1260	Process not Found	31
PID 1260 wrote to memory of 1936	1260	Process not Found	32
PID 1260 wrote to memory of 1936	1260	Process not Found	32
PID 1260 wrote to memory of 1936	1260	Process not Found	32
PID 1260 wrote to memory of 2880	1260	Process not Found	33
PID 1260 wrote to memory of 2880	1260	Process not Found	33
PID 1260 wrote to memory of 2880	1260	Process not Found	33
PID 1260 wrote to memory of 1468	1260	Process not Found	35
PID 1260 wrote to memory of 1468	1260	Process not Found	35
PID 1260 wrote to memory of 1468	1260	Process not Found	35
PID 1260 wrote to memory of 1368	1260	Process not Found	36
PID 1260 wrote to memory of 1368	1260	Process not Found	36
PID 1260 wrote to memory of 1368	1260	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\14bd37f5d3223dc8f0020dbbadbb42b7_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:2568

C:\Users\Admin\AppData\Local\C8zTegjMO\mmc.exe
C:\Users\Admin\AppData\Local\C8zTegjMO\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2256

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:1936

C:\Users\Admin\AppData\Local\Imuho0\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\Imuho0\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2880

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:1468

C:\Users\Admin\AppData\Local\ElP\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\ElP\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\C8zTegjMO\mmcbase.DLL

Filesize
1.2MB

MD5
9a8ff42038b47f388ca4f3f4fa559d4d

SHA1
ef2c62d5444b0902ebc542fbf1c35857717ffd43

SHA256
d2fc59157542dc25c36f04d5e1caa70a52f48ab89b3b0a64732e0c2e2f08c653

SHA512
6ab871d26766cf9f9ee2f755448c3e5d7b5f3db5e2667a92e8cc6f3257098edfa8ea7a0c2f85260e7956a2720721c4ce5960b15be867c8a8c807df931af9e39c

Download Submit
C:\Users\Admin\AppData\Local\ElP\SYSDM.CPL

Filesize
1.2MB

MD5
a53a95e40370d25773600ef2db5da531

SHA1
60c3782b1dd93eaed149586c120eadb3d90acf23

SHA256
f6ff60a892db41f67fffb54bc966380c6c34fea3f8d59a2ab571059a24332d3a

SHA512
dec0fb99905fbf9195939effce4b1b5c64ab333db1e1ae05d0cb1e9f36deb77c35d560eb725c2099914d897859a49db8b1e42e6e8a6c2076691988775c859da8

Download Submit
C:\Users\Admin\AppData\Local\Imuho0\MFC42u.dll

Filesize
1.2MB

MD5
7ce4d36280c693e0f0dd0fab1c8734f6

SHA1
750d345d8d5ad113d2fe8e9a015122caabfd7f8a

SHA256
ebe43fdbb298efd748afa327076c4a5ec0eb31c1581c8ef8dda0bf274e22a84b

SHA512
180693e9a88c3e64eb679aa9db667a3f5fbe325d14918e9d3fab52f658cdbbbf12c6baf2222d6e296fcf814e4502149d936ad454ff526ae87dc5a15fcf21d113

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk

Filesize
1KB

MD5
3d778e8952e27aa652a4599a0757cc7b

SHA1
6054fd6cd68afc481d48a2bbe15f6894e63577e4

SHA256
09b12bfd367e2ef2cbe3d81235ebdf316e37dd1391b18b36f95f9ccc7f504398

SHA512
ac1ca1014a1c8e94c51b24905f1ab0036a4577d036afeebb08b0645f6e118702f2c82be3f1600cd484982e1159af13634e7cdb116c7f0de0ed80abc2ea12ed6d

Download Submit
\Users\Admin\AppData\Local\C8zTegjMO\mmc.exe

Filesize
2.0MB

MD5
9fea051a9585f2a303d55745b4bf63aa

SHA1
f5dc12d658402900a2b01af2f018d113619b96b8

SHA256
b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

SHA512
beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

Download Submit
\Users\Admin\AppData\Local\ElP\SystemPropertiesDataExecutionPrevention.exe

Filesize
80KB

MD5
e43ff7785fac643093b3b16a9300e133

SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba

SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Download Submit
\Users\Admin\AppData\Local\Imuho0\DevicePairingWizard.exe

Filesize
73KB

MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
memory/1260-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-28-0x0000000076FD0000-0x0000000076FD2000-memory.dmp

Filesize
8KB

Download
memory/1260-27-0x0000000076E41000-0x0000000076E42000-memory.dmp

Filesize
4KB

Download
memory/1260-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-4-0x0000000076D36000-0x0000000076D37000-memory.dmp

Filesize
4KB

Download
memory/1260-26-0x0000000002E40000-0x0000000002E47000-memory.dmp

Filesize
28KB

Download
memory/1260-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-5-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/1260-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1260-65-0x0000000076D36000-0x0000000076D37000-memory.dmp

Filesize
4KB

Download
memory/1368-91-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1368-92-0x000007FEF5CF0000-0x000007FEF5E22000-memory.dmp

Filesize
1.2MB

Download
memory/1368-97-0x000007FEF5CF0000-0x000007FEF5E22000-memory.dmp

Filesize
1.2MB

Download
memory/1892-46-0x000007FEF6570000-0x000007FEF66A1000-memory.dmp

Filesize
1.2MB

Download
memory/1892-0-0x000007FEF6570000-0x000007FEF66A1000-memory.dmp

Filesize
1.2MB

Download
memory/1892-3-0x00000000003C0000-0x00000000003C7000-memory.dmp

Filesize
28KB

Download
memory/2256-58-0x000007FEF5CF0000-0x000007FEF5E23000-memory.dmp

Filesize
1.2MB

Download
memory/2256-55-0x000007FEF5CF0000-0x000007FEF5E23000-memory.dmp

Filesize
1.2MB

Download
memory/2256-54-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2880-73-0x000007FEF5CF0000-0x000007FEF5E28000-memory.dmp

Filesize
1.2MB

Download
memory/2880-76-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2880-79-0x000007FEF5CF0000-0x000007FEF5E28000-memory.dmp

Filesize
1.2MB

Download