dridex | 4107c69a51675b589d7d1b9b32b7c3f4f245f25509538e8d546f5ceea0353aad

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/07/2024, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15316c0e7c8c689c67f3bef4cec0c488_JaffaCakes118.dll
Size

1.2MB
MD5

15316c0e7c8c689c67f3bef4cec0c488
SHA1

51e5cbc2766b3688c11533cb0cdb5796464c248d
SHA256

4107c69a51675b589d7d1b9b32b7c3f4f245f25509538e8d546f5ceea0353aad
SHA512

404c00a4274ff305cb7e12acde5115d91186fc5be83e1113824234a34541ef54102983a3f944377bae94ff20002d52d4772764674d9ac6d4c73f000ec96a03ce
SSDEEP

24576:UuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N1e:M9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1268-5-0x0000000002570000-0x0000000002571000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2832	unregmp2.exe
2864	Dxpserver.exe
1984	DisplaySwitch.exe

Loads dropped DLL 7 IoCs

pid	Process
1268	Process not Found
2832	unregmp2.exe
1268	Process not Found
2864	Dxpserver.exe
1268	Process not Found
1984	DisplaySwitch.exe
1268	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lnxdhmhg = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\t6kP\\Dxpserver.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1528	regsvr32.exe
1528	regsvr32.exe
1528	regsvr32.exe
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found
1268	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2624	1268	Process not Found	31
PID 1268 wrote to memory of 2624	1268	Process not Found	31
PID 1268 wrote to memory of 2624	1268	Process not Found	31
PID 1268 wrote to memory of 2832	1268	Process not Found	32
PID 1268 wrote to memory of 2832	1268	Process not Found	32
PID 1268 wrote to memory of 2832	1268	Process not Found	32
PID 1268 wrote to memory of 3020	1268	Process not Found	33
PID 1268 wrote to memory of 3020	1268	Process not Found	33
PID 1268 wrote to memory of 3020	1268	Process not Found	33
PID 1268 wrote to memory of 2864	1268	Process not Found	34
PID 1268 wrote to memory of 2864	1268	Process not Found	34
PID 1268 wrote to memory of 2864	1268	Process not Found	34
PID 1268 wrote to memory of 1980	1268	Process not Found	35
PID 1268 wrote to memory of 1980	1268	Process not Found	35
PID 1268 wrote to memory of 1980	1268	Process not Found	35
PID 1268 wrote to memory of 1984	1268	Process not Found	36
PID 1268 wrote to memory of 1984	1268	Process not Found	36
PID 1268 wrote to memory of 1984	1268	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\15316c0e7c8c689c67f3bef4cec0c488_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:2624

C:\Users\Admin\AppData\Local\e6kH\unregmp2.exe
C:\Users\Admin\AppData\Local\e6kH\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2832

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:3020

C:\Users\Admin\AppData\Local\tRF5Q\Dxpserver.exe
C:\Users\Admin\AppData\Local\tRF5Q\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2864

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:1980

C:\Users\Admin\AppData\Local\fsdj\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\fsdj\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\e6kH\slc.dll

Filesize
1.2MB

MD5
38efc35fe134cb45ef094cfb58e970d0

SHA1
4d0053912ab12cbc3d6cbed6f1244b1b95961f30

SHA256
71dd0635e518b535bd7285c91349f4b74f6a1b5fef0fbe397e40a6da48faf607

SHA512
d02b20f126f219a9a71251b0a0db86081f96a9be649c078b04ac141027e56b5adcfd71d080105f271d3e3fd84e38cbfb490a48822a099c29723eb23d357fe091

Download Submit
C:\Users\Admin\AppData\Local\e6kH\unregmp2.exe

Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
C:\Users\Admin\AppData\Local\fsdj\DisplaySwitch.exe

Filesize
517KB

MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
C:\Users\Admin\AppData\Local\fsdj\slc.dll

Filesize
1.2MB

MD5
c6ca03d8712e330be94fe2b1206d2678

SHA1
53ddc52b266da39b50fd065861caae2b993ecee7

SHA256
8ba4e3d41c06547e75ce46160088e39a62c91b9a3d7721878ceabf33df8392f0

SHA512
35e2f0ebbb6a8d1c2492ecf7202c48a5cb643c5bf55b4a56d88b3c2d230d8f74fcfa3e072784937080b9d7efc3b11e178dd1d6433ff095f34e3eb4ff6751a2a5

Download Submit
C:\Users\Admin\AppData\Local\tRF5Q\XmlLite.dll

Filesize
1.2MB

MD5
0de4c55cf4379ef7d7aa60da895ad6ba

SHA1
01fa04b94c839b1d5c56f018109b80da98c48f86

SHA256
b926cd9233f7f6dfd845a957b2958d3bdb2466a93780790e0f54fe292cdbbb33

SHA512
cd0a37541bf1a81a0bb1115a4cd2a4db741efa4065f462ff7958c3e1ab9b279c2539c99acef21efea38d160157992431df0fbe83d049ee1cbd51236d8fe0925a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Filabyuswgwl.lnk

Filesize
1KB

MD5
48381d922e40606a8a08440f56ca263b

SHA1
5dfcb183519c48a8548ee9e9f6919c490763bfd7

SHA256
801da5fa9721f26bb0eb0d0c41bc8887cf175e5a6b4bff7b0658867fb0f202c7

SHA512
26f4264d2e7554302847d3001f4503b030638f6607fa0b8125f616cb7e82b2197c1bf50f6bacaf75102f420b6060a4c2e59b3d52560e06d4ba7b04883ea659b3

Download Submit
\Users\Admin\AppData\Local\tRF5Q\Dxpserver.exe

Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
memory/1268-25-0x0000000002580000-0x0000000002587000-memory.dmp

Filesize
28KB

Download
memory/1268-30-0x0000000077330000-0x0000000077332000-memory.dmp

Filesize
8KB

Download
memory/1268-4-0x0000000076F96000-0x0000000076F97000-memory.dmp

Filesize
4KB

Download
memory/1268-17-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-16-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-15-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-14-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-13-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-12-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-11-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-10-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-9-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-35-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-34-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-5-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1268-29-0x00000000771A1000-0x00000000771A2000-memory.dmp

Filesize
4KB

Download
memory/1268-26-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-68-0x0000000076F96000-0x0000000076F97000-memory.dmp

Filesize
4KB

Download
memory/1268-7-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1268-8-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1528-42-0x000007FEF6840000-0x000007FEF6977000-memory.dmp

Filesize
1.2MB

Download
memory/1528-0-0x0000000000150000-0x0000000000157000-memory.dmp

Filesize
28KB

Download
memory/1528-1-0x000007FEF6840000-0x000007FEF6977000-memory.dmp

Filesize
1.2MB

Download
memory/1984-89-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1984-93-0x000007FEF62B0000-0x000007FEF63E8000-memory.dmp

Filesize
1.2MB

Download
memory/2832-56-0x000007FEF6840000-0x000007FEF6978000-memory.dmp

Filesize
1.2MB

Download
memory/2832-53-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2832-50-0x000007FEF6840000-0x000007FEF6978000-memory.dmp

Filesize
1.2MB

Download
memory/2864-69-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2864-70-0x000007FEF62B0000-0x000007FEF63E8000-memory.dmp

Filesize
1.2MB

Download
memory/2864-75-0x000007FEF62B0000-0x000007FEF63E8000-memory.dmp

Filesize
1.2MB

Download