dridex | b85dc997c286d5e1c94c544310837a28f8b7376d5ff40fbf0af80af9cc43cc8f

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8edbc8966c7188e465581d36300c7352_JaffaCakes118.dll
Size

1.2MB
MD5

8edbc8966c7188e465581d36300c7352
SHA1

659416a2b57a6473f69f7ec5d31c8126f4e00ba5
SHA256

b85dc997c286d5e1c94c544310837a28f8b7376d5ff40fbf0af80af9cc43cc8f
SHA512

fc026ad358a33716ee1bab7f8ebe962c6b2350d3ce6f100c92d35ed69a6d2c6f8a4e95d9b59c1dfa9d00e8513dbd4cfef34df0b045344d8b08ec8820a6fb5d1f
SSDEEP

24576:fuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:h9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1192-5-0x0000000002D40000-0x0000000002D41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2244	rekeywiz.exe
2320	DisplaySwitch.exe
2668	vmicsvc.exe

Loads dropped DLL 7 IoCs

pid	Process
1192	Process not Found
2244	rekeywiz.exe
1192	Process not Found
2320	DisplaySwitch.exe
1192	Process not Found
2668	vmicsvc.exe
1192	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rjrgyymfyoxefs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\hCHs\\DisplaySwitch.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rekeywiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2536	rundll32.exe
2536	rundll32.exe
2536	rundll32.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2724	1192	Process not Found	31
PID 1192 wrote to memory of 2724	1192	Process not Found	31
PID 1192 wrote to memory of 2724	1192	Process not Found	31
PID 1192 wrote to memory of 2244	1192	Process not Found	32
PID 1192 wrote to memory of 2244	1192	Process not Found	32
PID 1192 wrote to memory of 2244	1192	Process not Found	32
PID 1192 wrote to memory of 2728	1192	Process not Found	33
PID 1192 wrote to memory of 2728	1192	Process not Found	33
PID 1192 wrote to memory of 2728	1192	Process not Found	33
PID 1192 wrote to memory of 2320	1192	Process not Found	34
PID 1192 wrote to memory of 2320	1192	Process not Found	34
PID 1192 wrote to memory of 2320	1192	Process not Found	34
PID 1192 wrote to memory of 280	1192	Process not Found	35
PID 1192 wrote to memory of 280	1192	Process not Found	35
PID 1192 wrote to memory of 280	1192	Process not Found	35
PID 1192 wrote to memory of 2668	1192	Process not Found	36
PID 1192 wrote to memory of 2668	1192	Process not Found	36
PID 1192 wrote to memory of 2668	1192	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8edbc8966c7188e465581d36300c7352_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2536

C:\Windows\system32\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
1⤵
PID:2724

C:\Users\Admin\AppData\Local\978\rekeywiz.exe
C:\Users\Admin\AppData\Local\978\rekeywiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2244

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:2728

C:\Users\Admin\AppData\Local\FIi2oK\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\FIi2oK\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2320

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:280

C:\Users\Admin\AppData\Local\6nmpcZ\vmicsvc.exe
C:\Users\Admin\AppData\Local\6nmpcZ\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6nmpcZ\ACTIVEDS.dll

Filesize
1.2MB

MD5
3cf43100d71477a4bfd35cf82a3dcb6a

SHA1
2d945bd636e6ec810b15af5e5ea81417bbecde1b

SHA256
5dd4ad26832984925d8c39d90817a13f6ad4ccfdbd0d0c54aa1dd53db5cf3454

SHA512
9edd1e2e3ce166093e4696005f06aeb21022a4b740f8758a91fe255d8ef51b3f24e4cdcefc8c89b046b04ef6f8f7090aa8056f4a6055d189dda6fc8958d94a50

Download Submit
C:\Users\Admin\AppData\Local\978\rekeywiz.exe

Filesize
67KB

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
C:\Users\Admin\AppData\Local\978\slc.dll

Filesize
1.2MB

MD5
4ff512e1884ddced70a6e78c86ac220f

SHA1
b1ff88a2ec33aaf73fee1c6f63be2e84285019cb

SHA256
f580948587b0554bbbb51648f0f5588584309e9467530e6ea97e372cf38c9764

SHA512
c278ee92974d546ed051a7dfd6f88fff2aed50d09fba89b60183fa4b3cc358975d8a660b5ac791328fcf8951a89a76a414a990d4e93136874d386a33b880176c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dwxzrb.lnk

Filesize
1KB

MD5
8f2e67646b9a95244901f861cf41f84b

SHA1
a7bc2daf4bcff6902e3a272264df716e5cf9f313

SHA256
8600638c71de3db09c3ce1671b8563d95065ebbaaa409baef9ddf4da17bda608

SHA512
fb3d51acde324113b081efdb8aa456983912f10d8a2a4709601bbfc4c8e98d66eead659f2fbd8ca69d9887eb116a12bc7ecb72d9dd71a57c30b705ca26ef4602

Download Submit
\Users\Admin\AppData\Local\6nmpcZ\vmicsvc.exe

Filesize
238KB

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
\Users\Admin\AppData\Local\FIi2oK\DisplaySwitch.exe

Filesize
517KB

MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
\Users\Admin\AppData\Local\FIi2oK\slc.dll

Filesize
1.2MB

MD5
4f08cc0aa6c25daccad2ff10768d598d

SHA1
7f44fb0f3303a17ac6b2e62155965f757819348a

SHA256
d8e00ac88316b9d0d0a12eaab4721b58f687eb70f644100c258d029f6cb8f293

SHA512
fbf082815cee82d46f78370be5afeb35fe0245653dd5a2d281394a4d611f9380f9d9bf48aa4aadbdb9442bc73c18a21559546c3ce783fee36287131dff9286ad

Download Submit
memory/1192-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-4-0x00000000770F6000-0x00000000770F7000-memory.dmp

Filesize
4KB

Download
memory/1192-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-32-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-29-0x0000000077490000-0x0000000077492000-memory.dmp

Filesize
8KB

Download
memory/1192-28-0x0000000077301000-0x0000000077302000-memory.dmp

Filesize
4KB

Download
memory/1192-25-0x0000000002D20000-0x0000000002D27000-memory.dmp

Filesize
28KB

Download
memory/1192-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-34-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-5-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/1192-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-70-0x00000000770F6000-0x00000000770F7000-memory.dmp

Filesize
4KB

Download
memory/1192-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1192-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2244-55-0x000007FEF61C0000-0x000007FEF62F1000-memory.dmp

Filesize
1.2MB

Download
memory/2244-52-0x0000000000210000-0x0000000000217000-memory.dmp

Filesize
28KB

Download
memory/2244-49-0x000007FEF61C0000-0x000007FEF62F1000-memory.dmp

Filesize
1.2MB

Download
memory/2320-67-0x000007FEF6280000-0x000007FEF63B1000-memory.dmp

Filesize
1.2MB

Download
memory/2320-71-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2320-74-0x000007FEF6280000-0x000007FEF63B1000-memory.dmp

Filesize
1.2MB

Download
memory/2536-41-0x000007FEF6290000-0x000007FEF63C0000-memory.dmp

Filesize
1.2MB

Download
memory/2536-0-0x0000000001D00000-0x0000000001D07000-memory.dmp

Filesize
28KB

Download
memory/2536-1-0x000007FEF6290000-0x000007FEF63C0000-memory.dmp

Filesize
1.2MB

Download
memory/2668-86-0x0000000001C80000-0x0000000001C87000-memory.dmp

Filesize
28KB

Download
memory/2668-92-0x000007FEF6280000-0x000007FEF63B1000-memory.dmp

Filesize
1.2MB

Download