dridex | df363cbf7ba7d2239bdc9e4ea6d89bc8dd24cae14179679808b08bd945cc40cc

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-07-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fd82133005480e6e2d63dc37d378b35_JaffaCakes118.dll
Size

1.2MB
MD5

2fd82133005480e6e2d63dc37d378b35
SHA1

3b1e29f059c924bb0fd7186be4752c3dcfc8590c
SHA256

df363cbf7ba7d2239bdc9e4ea6d89bc8dd24cae14179679808b08bd945cc40cc
SHA512

d6b354724a91101e94f3c136b0b45f328d9e03176821b04ae1ebb49f0a603eb70505fc35e9a69a4cd867bf8b31015a229906b050ed0d55bdde1ea0c308ab77bb
SSDEEP

24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1208-5-0x0000000002D80000-0x0000000002D81000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1968	SystemPropertiesPerformance.exe
2520	wscript.exe
2976	p2phost.exe

Loads dropped DLL 8 IoCs

pid	Process
1208	Process not Found
1968	SystemPropertiesPerformance.exe
1208	Process not Found
1208	Process not Found
2520	wscript.exe
1208	Process not Found
2976	p2phost.exe
1208	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Neewpjodwhuy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\VN6nZw0y1ZH\\wscript.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2852	rundll32.exe
2852	rundll32.exe
2852	rundll32.exe
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2100	1208	Process not Found	30
PID 1208 wrote to memory of 2100	1208	Process not Found	30
PID 1208 wrote to memory of 2100	1208	Process not Found	30
PID 1208 wrote to memory of 1968	1208	Process not Found	31
PID 1208 wrote to memory of 1968	1208	Process not Found	31
PID 1208 wrote to memory of 1968	1208	Process not Found	31
PID 1208 wrote to memory of 2696	1208	Process not Found	32
PID 1208 wrote to memory of 2696	1208	Process not Found	32
PID 1208 wrote to memory of 2696	1208	Process not Found	32
PID 1208 wrote to memory of 2520	1208	Process not Found	33
PID 1208 wrote to memory of 2520	1208	Process not Found	33
PID 1208 wrote to memory of 2520	1208	Process not Found	33
PID 1208 wrote to memory of 2700	1208	Process not Found	35
PID 1208 wrote to memory of 2700	1208	Process not Found	35
PID 1208 wrote to memory of 2700	1208	Process not Found	35
PID 1208 wrote to memory of 2976	1208	Process not Found	36
PID 1208 wrote to memory of 2976	1208	Process not Found	36
PID 1208 wrote to memory of 2976	1208	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fd82133005480e6e2d63dc37d378b35_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2852

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:2100

C:\Users\Admin\AppData\Local\JLT2t1T8\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\JLT2t1T8\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1968

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:2696

C:\Users\Admin\AppData\Local\B0lAS\wscript.exe
C:\Users\Admin\AppData\Local\B0lAS\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2520

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:2700

C:\Users\Admin\AppData\Local\WVhFSp\p2phost.exe
C:\Users\Admin\AppData\Local\WVhFSp\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\B0lAS\VERSION.dll

Filesize
1.2MB

MD5
1730fb658b2946bc06f3bb03af329b07

SHA1
072aeac1d0fde64f01c354d60e0e227a8da5b84a

SHA256
023a325915a3a42857de30c55fc3d58f2bdef6e2db69e60043a9fe6acb9f481d

SHA512
d7a38e8c01af579c493ae19b4095f7f63df2823e592ada31fe6e17ce05420e06c237c8ad6b21ed9e476d20a0f412b4c789a3f6a9585cc7f31cf0e170ce28f754

Download Submit
C:\Users\Admin\AppData\Local\JLT2t1T8\SYSDM.CPL

Filesize
1.2MB

MD5
f616b6242d7ad8c2527faec963811590

SHA1
d09e41d6dd125023806ceb66d529cae2c77f7a63

SHA256
4907f30a4e0e081916c95505a22a125ddd0e6529eea5475626c2480272f393ca

SHA512
c6bfc5aa4bf586b1331c208e4e2416fddd7cbeb951ee8aa3b22a6c98b1064004c004df6559c0e32897338d6c2aa26b7c6ac66b4f821aad95812a54d00f28f349

Download Submit
C:\Users\Admin\AppData\Local\WVhFSp\P2P.dll

Filesize
1.2MB

MD5
6f7b2684a153f7443a7bb5232b278141

SHA1
043396135e40efb7da445b4626c569e7f0fc12b9

SHA256
0b5dee48b41098f4c5fa353ac96578ea03934b8c1fb42b36f5908a21fcfecb49

SHA512
e347513ad3df78d2325386f1988222b4901397dd54240387a1b3e5869ecce891ca7b426118bcdb8ffe7166c5fcef991df3df010879657ebaab2120a8f6536b63

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ngqpewzrrtyksiv.lnk

Filesize
1KB

MD5
8f53250fdc4c852acdc0a0ea980af26f

SHA1
bc0a446bf5d75bf44a9d62d22e4141cdf32ecfc4

SHA256
fb456c04834c789bc41faa956303c225eba691c095ee9f9875d0170d7c37d7a8

SHA512
f41b0fb3f324c687351c027465f859f42ad809361b07af5086e3a5bb07079b41e56c65f6b90d1eb6e414b55a72fe07ed4c93ccd757b9c89cd008f7719c9fdeb9

Download Submit
\Users\Admin\AppData\Local\B0lAS\wscript.exe

Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\JLT2t1T8\SystemPropertiesPerformance.exe

Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
\Users\Admin\AppData\Local\WVhFSp\p2phost.exe

Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
memory/1208-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-4-0x0000000076E86000-0x0000000076E87000-memory.dmp

Filesize
4KB

Download
memory/1208-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-26-0x0000000077091000-0x0000000077092000-memory.dmp

Filesize
4KB

Download
memory/1208-27-0x0000000077220000-0x0000000077222000-memory.dmp

Filesize
8KB

Download
memory/1208-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-5-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/1208-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-25-0x0000000002D60000-0x0000000002D67000-memory.dmp

Filesize
28KB

Download
memory/1208-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-64-0x0000000076E86000-0x0000000076E87000-memory.dmp

Filesize
4KB

Download
memory/1968-59-0x000007FEF67C0000-0x000007FEF68F1000-memory.dmp

Filesize
1.2MB

Download
memory/1968-54-0x000007FEF67C0000-0x000007FEF68F1000-memory.dmp

Filesize
1.2MB

Download
memory/1968-53-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2520-75-0x0000000000210000-0x0000000000217000-memory.dmp

Filesize
28KB

Download
memory/2520-76-0x000007FEF61A0000-0x000007FEF62D1000-memory.dmp

Filesize
1.2MB

Download
memory/2520-82-0x000007FEF61A0000-0x000007FEF62D1000-memory.dmp

Filesize
1.2MB

Download
memory/2520-81-0x00000000FFCB0000-0x00000000FFCDC000-memory.dmp

Filesize
176KB

Download
memory/2852-45-0x000007FEF61B0000-0x000007FEF62E0000-memory.dmp

Filesize
1.2MB

Download
memory/2852-0-0x000007FEF61B0000-0x000007FEF62E0000-memory.dmp

Filesize
1.2MB

Download
memory/2852-3-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/2976-97-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2976-100-0x000007FEF61A0000-0x000007FEF62D1000-memory.dmp

Filesize
1.2MB

Download