dridex | baff5c31fbc24802e6699a7b10eb759d7555eb590d051c768980a2fafbf4265c

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9178704734b911ca29d7dc5c900578fc_JaffaCakes118.dll
Size

1.2MB
MD5

9178704734b911ca29d7dc5c900578fc
SHA1

0cf6ddebd252f71169e021735ed2cefa724ebd12
SHA256

baff5c31fbc24802e6699a7b10eb759d7555eb590d051c768980a2fafbf4265c
SHA512

9fe6a6b935c4cae65dbcaef7bd292c4a2c7ad47ee83db4b5abec59a7cda5701521493f66aa0f0739aadb1577c54e431f3fba153bea54fae0a1c9f623a6ab6891
SSDEEP

24576:VuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:v9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002D00000-0x0000000002D01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

wermgr.exeSystemPropertiesComputerName.exeSystemPropertiesHardware.exetaskmgr.exe

pid	Process
2552	wermgr.exe
2780	SystemPropertiesComputerName.exe
2932	SystemPropertiesHardware.exe
2908	taskmgr.exe

Loads dropped DLL 8 IoCs

Processes:

SystemPropertiesComputerName.exeSystemPropertiesHardware.exetaskmgr.exe

pid	Process
1200
1200
2780	SystemPropertiesComputerName.exe
1200
2932	SystemPropertiesHardware.exe
1200
2908	taskmgr.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Neewpjodwhuy = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\JDrQ\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesComputerName.exeSystemPropertiesHardware.exetaskmgr.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2416	rundll32.exe
2416	rundll32.exe
2416	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

description	pid	procid_target
PID 1200 wrote to memory of 2724	1200	31
PID 1200 wrote to memory of 2724	1200	31
PID 1200 wrote to memory of 2724	1200	31
PID 1200 wrote to memory of 2552	1200	32
PID 1200 wrote to memory of 2552	1200	32
PID 1200 wrote to memory of 2552	1200	32
PID 1200 wrote to memory of 320	1200	33
PID 1200 wrote to memory of 320	1200	33
PID 1200 wrote to memory of 320	1200	33
PID 1200 wrote to memory of 2780	1200	34
PID 1200 wrote to memory of 2780	1200	34
PID 1200 wrote to memory of 2780	1200	34
PID 1200 wrote to memory of 2044	1200	35
PID 1200 wrote to memory of 2044	1200	35
PID 1200 wrote to memory of 2044	1200	35
PID 1200 wrote to memory of 2932	1200	36
PID 1200 wrote to memory of 2932	1200	36
PID 1200 wrote to memory of 2932	1200	36
PID 1200 wrote to memory of 1828	1200	37
PID 1200 wrote to memory of 1828	1200	37
PID 1200 wrote to memory of 1828	1200	37
PID 1200 wrote to memory of 2908	1200	38
PID 1200 wrote to memory of 2908	1200	38
PID 1200 wrote to memory of 2908	1200	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9178704734b911ca29d7dc5c900578fc_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
1⤵
PID:2724

C:\Users\Admin\AppData\Local\igL\wermgr.exe
C:\Users\Admin\AppData\Local\igL\wermgr.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:320

C:\Users\Admin\AppData\Local\ZLb9\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\ZLb9\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2780

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:2044

C:\Users\Admin\AppData\Local\anEJ7\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\anEJ7\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2932

C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
1⤵
PID:1828

C:\Users\Admin\AppData\Local\5NRpDU\taskmgr.exe
C:\Users\Admin\AppData\Local\5NRpDU\taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5NRpDU\Secur32.dll

Filesize
1.2MB

MD5
19dd9480ad2329238d885745a05845c5

SHA1
41d6ca22a7e974f7b93d7b18bb2ac924580ec7ae

SHA256
566b98429aba3eea2cf18b84c19cf44c0c39801156e9f920a92ebd4e1e68966a

SHA512
7ef6f15b4d2f2d7a17ffecf83b5550e8fea14d3cfa0e31ce00b96a40164f7f946258c368073b6c736a80008dc5f0eb12cc323a4d7ccef458ec2c1a344230b121

Download Submit
C:\Users\Admin\AppData\Local\ZLb9\SYSDM.CPL

Filesize
1.2MB

MD5
a409b992a8765ba01819fafa9fd4eb48

SHA1
21befb4c5404b5232bc6ea42531ed35267099a04

SHA256
03a70caa2a09a7ddbc481bba1a343ad2114fd4137f17cbe8e22ae8c8e786c7d1

SHA512
27f663244057e4f843c32e77b3a41c404d30b6fa983b23eab6e96e7fdee3b99aca58fc661ff47cd31bf1a5e2a95e6a4adda67ecec5d7f7992ba03259e3a11f7e

Download Submit
C:\Users\Admin\AppData\Local\anEJ7\SYSDM.CPL

Filesize
1.2MB

MD5
d9d72b0744042ec61167c808119344a6

SHA1
988ef0407262db30f492f787ed2c65814a538f5a

SHA256
25a60423b9ee48188318fbce140c6df3389b4bb5ebc447a9dfe3597377c40632

SHA512
6b43f3f7c9f79a97274b6f817837a783e672e4b38ba64b9420c0ba7fa0b46a09f89aa35339cd94b586260ed96a73421f28009b59c132ecbd2a2b5bc73a7e998e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ngqpewzrrtyksiv.lnk

Filesize
1KB

MD5
36d27559bae1fd4d8b66976b7e179ae8

SHA1
93cf66e2a51bc7e5d6a758e7ca9637244e7a2782

SHA256
ddb793ef1360136fbb7f2d97345fecaa62d54c6165f2572669fb9ecc3e6149f7

SHA512
5a5ba7a1d55c7555957db157b39bc00b99a76ebe5916118d4788404733b86eb494720b26814daac964333823319574b10bb6818a7494420365770167363436bd

Download Submit
\Users\Admin\AppData\Local\5NRpDU\taskmgr.exe

Filesize
251KB

MD5
09f7401d56f2393c6ca534ff0241a590

SHA1
e8b4d84a28e5ea17272416ec45726964fdf25883

SHA256
6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

SHA512
7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

Download Submit
\Users\Admin\AppData\Local\ZLb9\SystemPropertiesComputerName.exe

Filesize
80KB

MD5
bd889683916aa93e84e1a75802918acf

SHA1
5ee66571359178613a4256a7470c2c3e6dd93cfa

SHA256
0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

SHA512
9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Download Submit
\Users\Admin\AppData\Local\anEJ7\SystemPropertiesHardware.exe

Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Local\igL\wermgr.exe

Filesize
49KB

MD5
41df7355a5a907e2c1d7804ec028965d

SHA1
453263d230c6317eb4a2eb3aceeec1bbcf5e153d

SHA256
207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

SHA512
59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

Download Submit
memory/1200-30-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-28-0x0000000076EB1000-0x0000000076EB2000-memory.dmp

Filesize
4KB

Download
memory/1200-25-0x0000000002CE0000-0x0000000002CE7000-memory.dmp

Filesize
28KB

Download
memory/1200-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-4-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

Filesize
4KB

Download
memory/1200-31-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-5-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1200-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-29-0x0000000077040000-0x0000000077042000-memory.dmp

Filesize
8KB

Download
memory/1200-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-67-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

Filesize
4KB

Download
memory/2416-39-0x000007FEF5E90000-0x000007FEF5FC0000-memory.dmp

Filesize
1.2MB

Download
memory/2416-0-0x0000000001D00000-0x0000000001D07000-memory.dmp

Filesize
28KB

Download
memory/2416-1-0x000007FEF5E90000-0x000007FEF5FC0000-memory.dmp

Filesize
1.2MB

Download
memory/2780-62-0x000007FEF65C0000-0x000007FEF66F1000-memory.dmp

Filesize
1.2MB

Download
memory/2780-57-0x000007FEF65C0000-0x000007FEF66F1000-memory.dmp

Filesize
1.2MB

Download
memory/2780-56-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2908-95-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2908-98-0x000007FEF5E80000-0x000007FEF5FB1000-memory.dmp

Filesize
1.2MB

Download
memory/2932-75-0x000007FEF5E80000-0x000007FEF5FB1000-memory.dmp

Filesize
1.2MB

Download
memory/2932-80-0x000007FEF5E80000-0x000007FEF5FB1000-memory.dmp

Filesize
1.2MB

Download