dridex | f73f90888a503e9599d2845337707f5d38ac1585fade9bd3eff224e65cbaa340

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-07-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

246baf200fe0776877875b48895018aa_JaffaCakes118.dll
Size

1.2MB
MD5

246baf200fe0776877875b48895018aa
SHA1

4305c8cdb722247ffebfea9f06b9233339a606f9
SHA256

f73f90888a503e9599d2845337707f5d38ac1585fade9bd3eff224e65cbaa340
SHA512

78947ad93fc4cecb64f9351531519bd04c41f8ddf73cbd1ad3de58ccb027b646f9cff9cdcd438260271c076ae01c846cdecd5c0950b706df597ac88b39ada54c
SSDEEP

24576:kuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:89cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1212-5-0x0000000002E90000-0x0000000002E91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
752	tcmsetup.exe
2380	SystemPropertiesHardware.exe
2808	winlogon.exe

Loads dropped DLL 7 IoCs

pid	Process
1212	Process not Found
752	tcmsetup.exe
1212	Process not Found
2380	SystemPropertiesHardware.exe
1212	Process not Found
2808	winlogon.exe
1212	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wqbazsgxtjodx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\0sbkx4gZutk\\SystemPropertiesHardware.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	rundll32.exe
2768	rundll32.exe
2768	rundll32.exe
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 988	1212	Process not Found	30
PID 1212 wrote to memory of 988	1212	Process not Found	30
PID 1212 wrote to memory of 988	1212	Process not Found	30
PID 1212 wrote to memory of 752	1212	Process not Found	31
PID 1212 wrote to memory of 752	1212	Process not Found	31
PID 1212 wrote to memory of 752	1212	Process not Found	31
PID 1212 wrote to memory of 2064	1212	Process not Found	32
PID 1212 wrote to memory of 2064	1212	Process not Found	32
PID 1212 wrote to memory of 2064	1212	Process not Found	32
PID 1212 wrote to memory of 2380	1212	Process not Found	33
PID 1212 wrote to memory of 2380	1212	Process not Found	33
PID 1212 wrote to memory of 2380	1212	Process not Found	33
PID 1212 wrote to memory of 1252	1212	Process not Found	34
PID 1212 wrote to memory of 1252	1212	Process not Found	34
PID 1212 wrote to memory of 1252	1212	Process not Found	34
PID 1212 wrote to memory of 2808	1212	Process not Found	35
PID 1212 wrote to memory of 2808	1212	Process not Found	35
PID 1212 wrote to memory of 2808	1212	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\246baf200fe0776877875b48895018aa_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2768

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:988

C:\Users\Admin\AppData\Local\fpGwn\tcmsetup.exe
C:\Users\Admin\AppData\Local\fpGwn\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:752

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:2064

C:\Users\Admin\AppData\Local\54Z0R\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\54Z0R\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2380

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:1252

C:\Users\Admin\AppData\Local\ZRqQ\winlogon.exe
C:\Users\Admin\AppData\Local\ZRqQ\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\54Z0R\SYSDM.CPL

Filesize
1.2MB

MD5
c5e59b765aa3799f35efb128d9494af2

SHA1
1f423686678edbfff5232182041303eae4dbda29

SHA256
573eb3ca218858784cde96e7b4a0440b22ad94b035f7d5ef673d268d73e72f33

SHA512
d7bf5831d32848e52aebbc75e52e4198b397f8e4e4f1b1d9e88e61ec84176e8d6c9794f15d8936cbfe44bf27dff8cb2084af2ed487ce0fb18ed449e3034f4076

Download Submit
C:\Users\Admin\AppData\Local\ZRqQ\WINSTA.dll

Filesize
1.2MB

MD5
606410d79111b9c6657ef1421be88ccc

SHA1
dad5cb501b7826abe3f2e8830471c19cc1399573

SHA256
2e3726a03b37e46860f9e1e8475e7b20db6f85633aa9cd908d6a5b22d94f3a00

SHA512
412d393b75f089a271fd9152d93b043a9c11d26e6f6771175fe595f217abef80ef4fff1f4159e6dda24e0423ecc574acd8fa9172e13d62df86cdbc6d34aa1c1e

Download Submit
C:\Users\Admin\AppData\Local\fpGwn\TAPI32.dll

Filesize
1.2MB

MD5
29b01f5434c995ea5caaa3f0e6e90f40

SHA1
ee37bb3f846073ed494942f834c4ad583fe9d31b

SHA256
09ccc7d767d35c25eecf01534d272ae97e51a90a3ceec2328a5f01948e4e01ef

SHA512
bab2d9000880182e232b376d564388521e916360790e207b27bc9b3918947689c65d78403f8b504235feef6c94d2d9333efc5ef8ad7aec271a02c84ad4ffd3c9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk

Filesize
1024B

MD5
ef9dcdb238cf9358561be08dcd0196c2

SHA1
9ae7e5a6b3beb89ca0476f0000c0fbfe924d2c8a

SHA256
ca59b4800ca2c9d71ec566f404863ee875f4c66d75378156803aab2810eddd22

SHA512
e72564a292b6d2f0f3eeec134c0d343042e412d06266139b316fa9f93b696ab76ec1f90fa7a0c37aba4a76c429d0c9552cbd74b9738cbbab6b6842bcf9a30b04

Download Submit
\Users\Admin\AppData\Local\54Z0R\SystemPropertiesHardware.exe

Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Local\ZRqQ\winlogon.exe

Filesize
381KB

MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
\Users\Admin\AppData\Local\fpGwn\tcmsetup.exe

Filesize
15KB

MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
memory/752-60-0x000007FEF6D40000-0x000007FEF6E74000-memory.dmp

Filesize
1.2MB

Download
memory/752-55-0x000007FEF6D40000-0x000007FEF6E74000-memory.dmp

Filesize
1.2MB

Download
memory/752-54-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/1212-28-0x0000000077830000-0x0000000077832000-memory.dmp

Filesize
8KB

Download
memory/1212-38-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-4-0x0000000077496000-0x0000000077497000-memory.dmp

Filesize
4KB

Download
memory/1212-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-37-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-5-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/1212-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-27-0x00000000776A1000-0x00000000776A2000-memory.dmp

Filesize
4KB

Download
memory/1212-17-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-25-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-26-0x0000000002E20000-0x0000000002E27000-memory.dmp

Filesize
28KB

Download
memory/1212-65-0x0000000077496000-0x0000000077497000-memory.dmp

Filesize
4KB

Download
memory/1212-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1212-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2380-79-0x000007FEF6740000-0x000007FEF6873000-memory.dmp

Filesize
1.2MB

Download
memory/2380-76-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2380-73-0x000007FEF6740000-0x000007FEF6873000-memory.dmp

Filesize
1.2MB

Download
memory/2768-46-0x000007FEF6740000-0x000007FEF6872000-memory.dmp

Filesize
1.2MB

Download
memory/2768-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2768-0-0x000007FEF6740000-0x000007FEF6872000-memory.dmp

Filesize
1.2MB

Download
memory/2808-94-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2808-91-0x000007FEF6740000-0x000007FEF6874000-memory.dmp

Filesize
1.2MB

Download
memory/2808-97-0x000007FEF6740000-0x000007FEF6874000-memory.dmp

Filesize
1.2MB

Download