dridex | 2f443db9f9fc25883037a0bf7b22ce1a62c2bc507bde6377337cced692e7b2b1

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
31-07-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d1d5e824e0aef34e48a227d488b888b_JaffaCakes118.dll
Size

1.2MB
MD5

7d1d5e824e0aef34e48a227d488b888b
SHA1

682317d1da0374c00dd29ea14f4f310e84abd8c3
SHA256

2f443db9f9fc25883037a0bf7b22ce1a62c2bc507bde6377337cced692e7b2b1
SHA512

3bfc039ef2440ea24cd143d480e7d512ef95de46d5b680a9013e0cbe29bf17df2fb1da385788002578e73c535ff564bf6877213063f7f53e3d5244104bd79a24
SSDEEP

24576:WuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:W9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1240-5-0x00000000024D0000-0x00000000024D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DevicePairingWizard.exexpsrchvw.execonsent.exe

pid	Process
2828	DevicePairingWizard.exe
1528	xpsrchvw.exe
332	consent.exe

Loads dropped DLL 7 IoCs

Processes:

DevicePairingWizard.exexpsrchvw.execonsent.exe

pid	Process
1240
2828	DevicePairingWizard.exe
1240
1528	xpsrchvw.exe
1240
332	consent.exe
1240

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tlngny = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\xT\\xpsrchvw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeDevicePairingWizard.exexpsrchvw.execonsent.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	consent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2988	rundll32.exe
2988	rundll32.exe
2988	rundll32.exe
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1240 wrote to memory of 2644	1240	31
PID 1240 wrote to memory of 2644	1240	31
PID 1240 wrote to memory of 2644	1240	31
PID 1240 wrote to memory of 2828	1240	32
PID 1240 wrote to memory of 2828	1240	32
PID 1240 wrote to memory of 2828	1240	32
PID 1240 wrote to memory of 2340	1240	33
PID 1240 wrote to memory of 2340	1240	33
PID 1240 wrote to memory of 2340	1240	33
PID 1240 wrote to memory of 1528	1240	34
PID 1240 wrote to memory of 1528	1240	34
PID 1240 wrote to memory of 1528	1240	34
PID 1240 wrote to memory of 1740	1240	35
PID 1240 wrote to memory of 1740	1240	35
PID 1240 wrote to memory of 1740	1240	35
PID 1240 wrote to memory of 332	1240	36
PID 1240 wrote to memory of 332	1240	36
PID 1240 wrote to memory of 332	1240	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d1d5e824e0aef34e48a227d488b888b_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2988

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:2644

C:\Users\Admin\AppData\Local\X4gvGeQc\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\X4gvGeQc\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2828

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:2340

C:\Users\Admin\AppData\Local\uXcQx9L7m\xpsrchvw.exe
C:\Users\Admin\AppData\Local\uXcQx9L7m\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1528

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:1740

C:\Users\Admin\AppData\Local\4E2\consent.exe
C:\Users\Admin\AppData\Local\4E2\consent.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4E2\WMsgAPI.dll

Filesize
1.2MB

MD5
023849d2fe2aee851cc9c96dbf7566f6

SHA1
62b9ba58c7e874c7674300a09015fa110dea1fad

SHA256
2ef529aa0242c9cbdc5104c8441a85b72c1379605ab313cccc9d333ce38e9952

SHA512
1c9e79345375379534bb3f50710473e12a7c03d0d8bac8c6411693079886d874cb0811f205045dc3cd194d58a90aada4bbc45648a02d1b55948a466dc151552c

Download Submit
C:\Users\Admin\AppData\Local\X4gvGeQc\MFC42u.dll

Filesize
1.2MB

MD5
c003b88ba2dc448ea507d161390399ae

SHA1
e7640a98aba5a9b688d9be19a3dfcc4513536d6e

SHA256
09121d793422726501d61cb781e5c91556c3eac2a4be5fd6f74842cdb86e5116

SHA512
bef93b35995d7e88ae4e90c23b5433696de7f883c0382998a6f177f0e7f445e8bdb909057b2f3a0d2f3a85a8bf63f4a9cd84a796273c0e6f429d346a97e78a84

Download Submit
C:\Users\Admin\AppData\Local\uXcQx9L7m\WINMM.dll

Filesize
1.2MB

MD5
51936630bcd853ba9737718b7a721529

SHA1
923c539f8bbdb7a1d3b8fe48dd75a73ca20bcbff

SHA256
2cae05ad5dbb1ba63f7e7854ffb3c7ac6f67312c6c488adedacfd458e72da402

SHA512
2539502e567d257e0dcebe37487ede5750cba769ff1fd2de4f90e729e7d8f8b16b00a0529020d8069a818bd10f38e946c32ca08ac34f08757d00821afe4a4fb2

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mityoyoyxpr.lnk

Filesize
740B

MD5
5457870140ea7e1fb06f79f2cab11630

SHA1
713c934a30aeed059ae30e6ee98f57f88764f280

SHA256
4fb8d367cbd52c501649d3d55ccef58cf5aa4c23c22b3a662e12cbaf690155b5

SHA512
befae368643f1dd68ce24f474bc5dc3db4ed33248452c3533299bb0b1fcaac47395101d28cabf010b720fa881455fdd9b109fcf4feff6e554fd82984da50fd97

Download Submit
\Users\Admin\AppData\Local\4E2\consent.exe

Filesize
109KB

MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
\Users\Admin\AppData\Local\X4gvGeQc\DevicePairingWizard.exe

Filesize
73KB

MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
\Users\Admin\AppData\Local\uXcQx9L7m\xpsrchvw.exe

Filesize
4.6MB

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
memory/332-95-0x000007FEF61C0000-0x000007FEF62F1000-memory.dmp

Filesize
1.2MB

Download
memory/332-90-0x000007FEF61C0000-0x000007FEF62F1000-memory.dmp

Filesize
1.2MB

Download
memory/1240-25-0x00000000024B0000-0x00000000024B7000-memory.dmp

Filesize
28KB

Download
memory/1240-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1240-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1240-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1240-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1240-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1240-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1240-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1240-27-0x00000000772D0000-0x00000000772D2000-memory.dmp

Filesize
8KB

Download
memory/1240-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1240-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1240-4-0x0000000076F36000-0x0000000076F37000-memory.dmp

Filesize
4KB

Download
memory/1240-5-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1240-26-0x0000000077141000-0x0000000077142000-memory.dmp

Filesize
4KB

Download
memory/1240-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1240-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1240-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1240-64-0x0000000076F36000-0x0000000076F37000-memory.dmp

Filesize
4KB

Download
memory/1240-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1528-75-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1528-72-0x000007FEF61C0000-0x000007FEF62F2000-memory.dmp

Filesize
1.2MB

Download
memory/1528-78-0x000007FEF61C0000-0x000007FEF62F2000-memory.dmp

Filesize
1.2MB

Download
memory/2828-56-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/2828-59-0x000007FEF67C0000-0x000007FEF68F7000-memory.dmp

Filesize
1.2MB

Download
memory/2828-53-0x000007FEF67C0000-0x000007FEF68F7000-memory.dmp

Filesize
1.2MB

Download
memory/2988-0-0x000007FEF61D0000-0x000007FEF6300000-memory.dmp

Filesize
1.2MB

Download
memory/2988-45-0x000007FEF61D0000-0x000007FEF6300000-memory.dmp

Filesize
1.2MB

Download
memory/2988-3-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download