dridex | c239b07bc04c591ebb22d3ec9be5a81b73b5b36b80b867e49447284c180ad00d

Analysis

max time kernel
149s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31-07-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cb39a958205ae575a11bcfbecd2923b_JaffaCakes118.dll
Size

1.2MB
MD5

7cb39a958205ae575a11bcfbecd2923b
SHA1

c098dbee02a9f5b0185a097d2907d05611c06d5d
SHA256

c239b07bc04c591ebb22d3ec9be5a81b73b5b36b80b867e49447284c180ad00d
SHA512

6897ce3683f63a898fb5859a8641833cc0bf230275f1cf5d8d1741b483ef660ab5ba7c323fecd9c8f28abcf5d606c4098a2e12dc9779c0016bae9eee43e06f34
SSDEEP

24576:5uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:r9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1252-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2784	dccw.exe
880	msra.exe
1628	dccw.exe

Loads dropped DLL 7 IoCs

pid	Process
1252	Process not Found
2784	dccw.exe
1252	Process not Found
880	msra.exe
1252	Process not Found
1628	dccw.exe
1252	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkmfyiwmvqjxba = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Dk1amB\\msra.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2324	rundll32.exe
2324	rundll32.exe
2324	rundll32.exe
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2640	1252	Process not Found	29
PID 1252 wrote to memory of 2640	1252	Process not Found	29
PID 1252 wrote to memory of 2640	1252	Process not Found	29
PID 1252 wrote to memory of 2784	1252	Process not Found	30
PID 1252 wrote to memory of 2784	1252	Process not Found	30
PID 1252 wrote to memory of 2784	1252	Process not Found	30
PID 1252 wrote to memory of 2848	1252	Process not Found	31
PID 1252 wrote to memory of 2848	1252	Process not Found	31
PID 1252 wrote to memory of 2848	1252	Process not Found	31
PID 1252 wrote to memory of 880	1252	Process not Found	32
PID 1252 wrote to memory of 880	1252	Process not Found	32
PID 1252 wrote to memory of 880	1252	Process not Found	32
PID 1252 wrote to memory of 2144	1252	Process not Found	33
PID 1252 wrote to memory of 2144	1252	Process not Found	33
PID 1252 wrote to memory of 2144	1252	Process not Found	33
PID 1252 wrote to memory of 1628	1252	Process not Found	34
PID 1252 wrote to memory of 1628	1252	Process not Found	34
PID 1252 wrote to memory of 1628	1252	Process not Found	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7cb39a958205ae575a11bcfbecd2923b_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2324

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:2640

C:\Users\Admin\AppData\Local\OACT\dccw.exe
C:\Users\Admin\AppData\Local\OACT\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2784

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:2848

C:\Users\Admin\AppData\Local\vI0iG\msra.exe
C:\Users\Admin\AppData\Local\vI0iG\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:880

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:2144

C:\Users\Admin\AppData\Local\6LrK08N\dccw.exe
C:\Users\Admin\AppData\Local\6LrK08N\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6LrK08N\dxva2.dll

Filesize
1.2MB

MD5
c591c329dec1c7dd84586f2691c8b08f

SHA1
c88f4b0ae9380c291e6e3050422d3818fc5f720c

SHA256
d508507066e1706a80ba95640a18afc536ed427ffc95fb3dd37c87a4566fe14e

SHA512
c823f38b145c1844dfc0c765aa4da0a58d970dab1bf0a795ada27e54ddf59a943162caf385ac32d25b4a5a113de3988a1456f8fdfb34ef99ff12be5be5f9c4d0

Download Submit
C:\Users\Admin\AppData\Local\OACT\mscms.dll

Filesize
1.2MB

MD5
70e6927c4cf1aae23756a6bb0f0f050f

SHA1
38932a0982df881c37ce39f5db2e680e377835d3

SHA256
54eccb537a68682dc2a51458ed555efff43a2f40b2c8a47da9caaef81527e17a

SHA512
487ac9c533208dae4a6f7cab90dcb6d37e4678241d5f2316a3df4a7806d72aa3dee7f2d0b67dbbe3c1efa606cf610fe0b4a5eb1f2370c2016f3aa3b742e1417a

Download Submit
C:\Users\Admin\AppData\Local\vI0iG\Secur32.dll

Filesize
1.2MB

MD5
9439bc3bd165ca329f089c796bd604db

SHA1
4b2eb467130e281a678dd00670899acc29d25262

SHA256
70c4041788507ff4fb3ebfd63e804198d2266f836fe0c3fa6d717dcb04c9f18b

SHA512
c90db3a5a0c6bb6e6e92f66a18ab6c07099fee6e6b37120d47961c7a85bdd58e888110b1200dd6d6c657fc109f00a474536d71d577040920ec1d4191d13d19f7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk

Filesize
1KB

MD5
c99c222a6a561f2681613216d45c053b

SHA1
01303c2517218dab08c3b9481efd8c4d43d9bf75

SHA256
9c497b5a0811299168d58f71cd07644ea49f7cc30b082200bd19709999039580

SHA512
082da017faff7e590c13c91e91a4be099eef2aac3905c8cb686ec3058137d03651e8c65a1f6ca3ff9128816e3c285b7f730d7829c9e36d81a81107fa685ae39d

Download Submit
\Users\Admin\AppData\Local\OACT\dccw.exe

Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
\Users\Admin\AppData\Local\vI0iG\msra.exe

Filesize
636KB

MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
memory/880-77-0x000007FEF7B10000-0x000007FEF7C42000-memory.dmp

Filesize
1.2MB

Download
memory/880-71-0x000007FEF7B10000-0x000007FEF7C42000-memory.dmp

Filesize
1.2MB

Download
memory/1252-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-27-0x00000000777C0000-0x00000000777C2000-memory.dmp

Filesize
8KB

Download
memory/1252-26-0x0000000077631000-0x0000000077632000-memory.dmp

Filesize
4KB

Download
memory/1252-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-4-0x0000000077526000-0x0000000077527000-memory.dmp

Filesize
4KB

Download
memory/1252-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/1252-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-74-0x0000000077526000-0x0000000077527000-memory.dmp

Filesize
4KB

Download
memory/1252-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-25-0x0000000002DC0000-0x0000000002DC7000-memory.dmp

Filesize
28KB

Download
memory/1628-94-0x000007FEF7B10000-0x000007FEF7C42000-memory.dmp

Filesize
1.2MB

Download
memory/2324-45-0x000007FEF7B00000-0x000007FEF7C31000-memory.dmp

Filesize
1.2MB

Download
memory/2324-3-0x0000000001FD0000-0x0000000001FD7000-memory.dmp

Filesize
28KB

Download
memory/2324-0-0x000007FEF7B00000-0x000007FEF7C31000-memory.dmp

Filesize
1.2MB

Download
memory/2784-57-0x000007FEF7C40000-0x000007FEF7D72000-memory.dmp

Filesize
1.2MB

Download
memory/2784-54-0x000007FEF7C40000-0x000007FEF7D72000-memory.dmp

Filesize
1.2MB

Download
memory/2784-53-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download