dridex | 568409d2fe2b02aff5e1b17110ae744f95d9ec7a4f4f977026585845e2b428db

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e19a8bb88b3a6f49c0280001d3d9048_JaffaCakes118.dll
Size

1.2MB
MD5

8e19a8bb88b3a6f49c0280001d3d9048
SHA1

c50c2ba966058ea5951583dbccd7b89fbeefad55
SHA256

568409d2fe2b02aff5e1b17110ae744f95d9ec7a4f4f977026585845e2b428db
SHA512

dbf21ae29251ca3aad7f084485f6f2362b03dc4cdbccc5f3d0566c37bb949537202638c57476f83b98f913fd60754e14dad052059835907ca177e41f3317d56a
SSDEEP

24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:m9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-5-0x00000000021F0000-0x00000000021F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msinfo32.exewscript.exeirftp.exe

pid	Process
2552	msinfo32.exe
2256	wscript.exe
2800	irftp.exe

Loads dropped DLL 8 IoCs

Processes:

msinfo32.exewscript.exeirftp.exe

pid	Process
1200
2552	msinfo32.exe
1200
1200
2256	wscript.exe
1200
2800	irftp.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qntpnaypazzlupr = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\ctia\\wscript.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msinfo32.exewscript.exeirftp.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	Process
2112	regsvr32.exe
2112	regsvr32.exe
2112	regsvr32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1200 wrote to memory of 2732	1200	30
PID 1200 wrote to memory of 2732	1200	30
PID 1200 wrote to memory of 2732	1200	30
PID 1200 wrote to memory of 2552	1200	31
PID 1200 wrote to memory of 2552	1200	31
PID 1200 wrote to memory of 2552	1200	31
PID 1200 wrote to memory of 2944	1200	32
PID 1200 wrote to memory of 2944	1200	32
PID 1200 wrote to memory of 2944	1200	32
PID 1200 wrote to memory of 2256	1200	33
PID 1200 wrote to memory of 2256	1200	33
PID 1200 wrote to memory of 2256	1200	33
PID 1200 wrote to memory of 2264	1200	34
PID 1200 wrote to memory of 2264	1200	34
PID 1200 wrote to memory of 2264	1200	34
PID 1200 wrote to memory of 2800	1200	35
PID 1200 wrote to memory of 2800	1200	35
PID 1200 wrote to memory of 2800	1200	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8e19a8bb88b3a6f49c0280001d3d9048_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:2732

C:\Users\Admin\AppData\Local\td2oZS9h\msinfo32.exe
C:\Users\Admin\AppData\Local\td2oZS9h\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2552

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:2944

C:\Users\Admin\AppData\Local\gryQY9\wscript.exe
C:\Users\Admin\AppData\Local\gryQY9\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2256

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:2264

C:\Users\Admin\AppData\Local\4rdh2\irftp.exe
C:\Users\Admin\AppData\Local\4rdh2\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4rdh2\WINMM.dll

Filesize
1.2MB

MD5
021e3f56f34cf8d1b1943c5e8caa8177

SHA1
c88f32451233fe2a15d4e98828b5d5714a552dc2

SHA256
b255c47c1de1c29f9ee2a47481ff159e01b232a85e24df948492b4dbb0c3a585

SHA512
1b13aae6531a443c1c7559ca0eb1ce6ab32554ffe924ef5ad7bb4e2c4ee01462b7fb3c7a6373363e3d9ed8babed4a5877c0b61326803d660e744c27ee83705d9

Download Submit
C:\Users\Admin\AppData\Local\gryQY9\VERSION.dll

Filesize
1.2MB

MD5
69811becc8c14de49e69471e1cfa4cac

SHA1
44b6852f1455c69c9928d19fd264eebca1bd0850

SHA256
33393ce9a4ad2f0a138f6f711c07741651480dcaf8970852c17e3af810e32422

SHA512
5450e6e4266e024427ad28cf095131ae55342e80a2e9ce076b6540495d12b507975d8a4459b6ad5a6a42a7dcfd85b4b703f6f161498f117e5d3157b4cb06fa25

Download Submit
C:\Users\Admin\AppData\Local\td2oZS9h\MFC42u.dll

Filesize
1.2MB

MD5
38c52d0bf6ff41bd98f4241b93ad12fa

SHA1
ded8316d2b3befb130c3d7a5a8735789caec5696

SHA256
0b4357344ecc98427f42a3cc3b6d43393226651ab6d1131809d2486c9e89e140

SHA512
336853f6fbea349816ee9a98d69d559938308189d8b592825e5e16a848a8c2393ff3553b5f33b3363ea550f0a5f17f553e84ec237a0b30b060ed85720d5c8a54

Download Submit
C:\Users\Admin\AppData\Local\td2oZS9h\msinfo32.exe

Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Joeqzcwrjre.lnk

Filesize
1015B

MD5
201b2f5cb292b6b3d3dd156fddb00727

SHA1
26c431014bd0e9d28fa40d3d3fcaab7380a518a8

SHA256
24b40be6b00f65a845ea61c7b44ece8ad887593584da58a94f110bd73a7d617c

SHA512
ba9a6ccf3d98d08f3eb57a0ed69d3f3b17f4cb97c105f1efd81ff4bd1b6aec4beed0ae0ff9033fc35efbdebb695d202efafd45e62de24a5037f5eb3f4ad3a6f2

Download Submit
\Users\Admin\AppData\Local\4rdh2\irftp.exe

Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
\Users\Admin\AppData\Local\gryQY9\wscript.exe

Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
memory/1200-25-0x00000000021D0000-0x00000000021D7000-memory.dmp

Filesize
28KB

Download
memory/1200-27-0x0000000077931000-0x0000000077932000-memory.dmp

Filesize
4KB

Download
memory/1200-4-0x0000000077726000-0x0000000077727000-memory.dmp

Filesize
4KB

Download
memory/1200-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-35-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-34-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-5-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1200-26-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-28-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

Filesize
8KB

Download
memory/1200-71-0x0000000077726000-0x0000000077727000-memory.dmp

Filesize
4KB

Download
memory/1200-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2112-42-0x000007FEF7CB0000-0x000007FEF7DE1000-memory.dmp

Filesize
1.2MB

Download
memory/2112-3-0x0000000000140000-0x0000000000147000-memory.dmp

Filesize
28KB

Download
memory/2112-0-0x000007FEF7CB0000-0x000007FEF7DE1000-memory.dmp

Filesize
1.2MB

Download
memory/2256-72-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2256-73-0x000007FEF7BE0000-0x000007FEF7D12000-memory.dmp

Filesize
1.2MB

Download
memory/2256-78-0x000007FEF7BE0000-0x000007FEF7D12000-memory.dmp

Filesize
1.2MB

Download
memory/2552-56-0x000007FEF7D10000-0x000007FEF7E48000-memory.dmp

Filesize
1.2MB

Download
memory/2552-53-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2552-50-0x000007FEF7D10000-0x000007FEF7E48000-memory.dmp

Filesize
1.2MB

Download
memory/2800-93-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/2800-90-0x000007FEF6A40000-0x000007FEF6B73000-memory.dmp

Filesize
1.2MB

Download
memory/2800-96-0x000007FEF6A40000-0x000007FEF6B73000-memory.dmp

Filesize
1.2MB

Download