dridex | a969bed6f7448696349028d766d421094510c7759828473a4a3dd8baf7fa37dd

Analysis

max time kernel
149s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31-07-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c53147993a66509bf7cc0e461f60b57_JaffaCakes118.dll
Size

1.2MB
MD5

7c53147993a66509bf7cc0e461f60b57
SHA1

333cbc00c5d645ddf2394199163d10dbeba29af5
SHA256

a969bed6f7448696349028d766d421094510c7759828473a4a3dd8baf7fa37dd
SHA512

fa9fe560b9afc4cb01f8e7d950ebc8325c4b18e81942a391b3b58c4d1f8bf52a46a5e42dc4939f3d0432eb3189a8342d59cf02139dbc3c3f7104ff891258dde1
SSDEEP

24576:WuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:W9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1428-5-0x00000000020C0000-0x00000000020C1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesRemote.exeStikyNot.exeComputerDefaults.exe

pid	Process
2584	SystemPropertiesRemote.exe
416	StikyNot.exe
1984	ComputerDefaults.exe

Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesRemote.exeStikyNot.exeComputerDefaults.exe

pid	Process
1428
2584	SystemPropertiesRemote.exe
1428
416	StikyNot.exe
1428
1984	ComputerDefaults.exe
1428

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wsagbppvydnjcs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2257386474-3982792636-3902186748-1000\\uI\\StikyNot.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesRemote.exeStikyNot.exeComputerDefaults.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StikyNot.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComputerDefaults.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1428 wrote to memory of 2540	1428	30
PID 1428 wrote to memory of 2540	1428	30
PID 1428 wrote to memory of 2540	1428	30
PID 1428 wrote to memory of 2584	1428	31
PID 1428 wrote to memory of 2584	1428	31
PID 1428 wrote to memory of 2584	1428	31
PID 1428 wrote to memory of 1744	1428	32
PID 1428 wrote to memory of 1744	1428	32
PID 1428 wrote to memory of 1744	1428	32
PID 1428 wrote to memory of 416	1428	33
PID 1428 wrote to memory of 416	1428	33
PID 1428 wrote to memory of 416	1428	33
PID 1428 wrote to memory of 2120	1428	34
PID 1428 wrote to memory of 2120	1428	34
PID 1428 wrote to memory of 2120	1428	34
PID 1428 wrote to memory of 1984	1428	35
PID 1428 wrote to memory of 1984	1428	35
PID 1428 wrote to memory of 1984	1428	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c53147993a66509bf7cc0e461f60b57_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2540

C:\Users\Admin\AppData\Local\G79rFjRX\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\G79rFjRX\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2584

C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
1⤵
PID:1744

C:\Users\Admin\AppData\Local\Znd2WPB\StikyNot.exe
C:\Users\Admin\AppData\Local\Znd2WPB\StikyNot.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:416

C:\Windows\system32\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
1⤵
PID:2120

C:\Users\Admin\AppData\Local\4yQY5FMs\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\4yQY5FMs\ComputerDefaults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4yQY5FMs\appwiz.cpl

Filesize
1.2MB

MD5
b1299a6b01b924b317a864c01dc3d7ac

SHA1
e5a7da571f078e89766b5ca0f02cf311bd3dc81c

SHA256
8f49959dda088f7f7aca0edc1d4e0a5318a5a66858055495a279fc3677c7739e

SHA512
0e81ca3aed1b50bf664e66590a18357f80fd75be2b5905c2dbc4867607ba17c260b202d885b652d0b5df48df00cfee901e9043f931151fceae592dc8bf4235ee

Download Submit
C:\Users\Admin\AppData\Local\G79rFjRX\SYSDM.CPL

Filesize
1.2MB

MD5
afe01af2e64039f8c217300e9a25d3a6

SHA1
b129cc2d0059273da826bab8bd6ab3d8c9981fe4

SHA256
f689b0a2fb642ff7d6cff1389731103e68020973b623ae1111ecbd4814217294

SHA512
65ec1eb10b44966441860432051016148cfe0050843143981a226ebaf3361297556878ef7b270f8dd982c03b8bb5721a11d3899af8dbe928fb857fdd751b020e

Download Submit
C:\Users\Admin\AppData\Local\G79rFjRX\SystemPropertiesRemote.exe

Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ewnqrlgibmqii.lnk

Filesize
1KB

MD5
d6cfb8f7f0a7735a79c075c5a0b2e37b

SHA1
fd6f65540aaa3723f6aa13e42db520c593d9a858

SHA256
df96d7cd4fd5e3ef97672bb6ef1c77b3cf7a2be86f657fbf258b4d2f5d758d38

SHA512
bea5d647e3f932fd71ed35d8619a23739121d098381abe4a7b7edd617d419c15edaf9eba9d95660853eebbe55ea42c06b57d66c17d9b9ae3b619e7cd1b6fe3d0

Download Submit
\Users\Admin\AppData\Local\4yQY5FMs\ComputerDefaults.exe

Filesize
36KB

MD5
86bd981f55341273753ac42ea200a81e

SHA1
14fe410efc9aeb0a905b984ac27719ff0dd10ea7

SHA256
40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

SHA512
49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Download Submit
\Users\Admin\AppData\Local\Znd2WPB\StikyNot.exe

Filesize
417KB

MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
\Users\Admin\AppData\Local\Znd2WPB\UxTheme.dll

Filesize
1.2MB

MD5
bd8ef762634188b14f594e17f34a93c2

SHA1
39670ec98285d3764245e24a1dd76dc63f82422e

SHA256
168b5ddbc1d62246a8a618fa06e6bf44a097f16b412864f9a057074293fe7ec7

SHA512
e377791064cc83f081a112a6a084f8a7d3a60788222eebf89865e5685fdf330c2bb3f9bf104167028ae22a8d7584c43760f8d6d8a62b58ce8ea2ef27dfe44598

Download Submit
memory/416-79-0x000007FEF7B70000-0x000007FEF7CA2000-memory.dmp

Filesize
1.2MB

Download
memory/416-73-0x000007FEF7B70000-0x000007FEF7CA2000-memory.dmp

Filesize
1.2MB

Download
memory/416-76-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1428-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-24-0x00000000020A0000-0x00000000020A7000-memory.dmp

Filesize
28KB

Download
memory/1428-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-4-0x00000000777D6000-0x00000000777D7000-memory.dmp

Filesize
4KB

Download
memory/1428-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-5-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1428-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-30-0x0000000077A70000-0x0000000077A72000-memory.dmp

Filesize
8KB

Download
memory/1428-65-0x00000000777D6000-0x00000000777D7000-memory.dmp

Filesize
4KB

Download
memory/1428-26-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1428-29-0x00000000778E1000-0x00000000778E2000-memory.dmp

Filesize
4KB

Download
memory/1984-94-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1984-97-0x000007FEF7B70000-0x000007FEF7CA2000-memory.dmp

Filesize
1.2MB

Download
memory/2000-46-0x000007FEF7B80000-0x000007FEF7CB1000-memory.dmp

Filesize
1.2MB

Download
memory/2000-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/2000-0-0x000007FEF7B80000-0x000007FEF7CB1000-memory.dmp

Filesize
1.2MB

Download
memory/2584-60-0x000007FEF7CC0000-0x000007FEF7DF2000-memory.dmp

Filesize
1.2MB

Download
memory/2584-54-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2584-55-0x000007FEF7CC0000-0x000007FEF7DF2000-memory.dmp

Filesize
1.2MB

Download