dridex | 9fd6fe428a4723bc8b7e93fdec36e2740ec2973c80ac7e4b4ef29ac12f3fe1f1

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97da975cf879ff9210ee322317dc6f66_JaffaCakes118.dll
Size

1.2MB
MD5

97da975cf879ff9210ee322317dc6f66
SHA1

6c77c4d5ad998f662900f663f4087ddc7179730a
SHA256

9fd6fe428a4723bc8b7e93fdec36e2740ec2973c80ac7e4b4ef29ac12f3fe1f1
SHA512

3f9a7edf37144094c5bf0ef12e4a00a53a8cca689c4da886a15870c1fd6572c98cfea5a99c22fff4788620acae9cabe604de2d7d2ae6c7dc1f3fbbc7015bdd07
SSDEEP

24576:uuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nf:O9cKrUqZWLAcUX

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002910000-0x0000000002911000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2520	slui.exe
2108	SystemPropertiesPerformance.exe
2208	mfpmp.exe

Loads dropped DLL 7 IoCs

pid	Process
1196	Process not Found
2520	slui.exe
1196	Process not Found
2108	SystemPropertiesPerformance.exe
1196	Process not Found
2208	mfpmp.exe
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Madzpveq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Excel\\DKd217yB2TH\\SystemPropertiesPerformance.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	rundll32.exe
2356	rundll32.exe
2356	rundll32.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2592	1196	Process not Found	30
PID 1196 wrote to memory of 2592	1196	Process not Found	30
PID 1196 wrote to memory of 2592	1196	Process not Found	30
PID 1196 wrote to memory of 2520	1196	Process not Found	31
PID 1196 wrote to memory of 2520	1196	Process not Found	31
PID 1196 wrote to memory of 2520	1196	Process not Found	31
PID 1196 wrote to memory of 2544	1196	Process not Found	32
PID 1196 wrote to memory of 2544	1196	Process not Found	32
PID 1196 wrote to memory of 2544	1196	Process not Found	32
PID 1196 wrote to memory of 2108	1196	Process not Found	33
PID 1196 wrote to memory of 2108	1196	Process not Found	33
PID 1196 wrote to memory of 2108	1196	Process not Found	33
PID 1196 wrote to memory of 1988	1196	Process not Found	34
PID 1196 wrote to memory of 1988	1196	Process not Found	34
PID 1196 wrote to memory of 1988	1196	Process not Found	34
PID 1196 wrote to memory of 2208	1196	Process not Found	35
PID 1196 wrote to memory of 2208	1196	Process not Found	35
PID 1196 wrote to memory of 2208	1196	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\97da975cf879ff9210ee322317dc6f66_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:2592

C:\Users\Admin\AppData\Local\JTh\slui.exe
C:\Users\Admin\AppData\Local\JTh\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2520

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:2544

C:\Users\Admin\AppData\Local\Xnaz\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Xnaz\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2108

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:1988

C:\Users\Admin\AppData\Local\r97JbotX\mfpmp.exe
C:\Users\Admin\AppData\Local\r97JbotX\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JTh\WINBRAND.dll

Filesize
1.2MB

MD5
6fefac39c6ace41f427674ce9abe247d

SHA1
bfeace86585bbec017e08e1236729506ceb74de2

SHA256
9a8421dca236378dd8b0951ff2631e8ab7e080b7a10efdb6a3ef47b0d9858ec2

SHA512
9c2ff1646074ec4a3d9a60a6070702f75becef47d6a217915fccda795bf11aa26b2e759c9e34987c842862ae90b28cc25a6b0278722d11f5e872acf800a49cef

Download Submit
C:\Users\Admin\AppData\Local\Xnaz\SYSDM.CPL

Filesize
1.2MB

MD5
412d31e69440213444ca32c289b84d2f

SHA1
f15fb5a9cdef6053e3d8f99535eaba617f325702

SHA256
eec32834a85b73a590a8d0fbf9ffaf704074bb298ed5e15df6cb486aad3f100e

SHA512
40f70bdc0f2138481a12a61b258944936b370ff0f14616fe85bf516144ea78b2bd7472f23634b1772a0c621e0ec08f9ee65d272de3113039e53296a219df2fed

Download Submit
C:\Users\Admin\AppData\Local\r97JbotX\MFPlat.DLL

Filesize
1.2MB

MD5
d2b9f872fe656b1bdbd41975f138bf55

SHA1
b5c8e1ee75e5098850d7a1e6b01a9b4a50232587

SHA256
c53a63095a6d86c48015f75825bab2de3b234d314dbc0006dcf8e0ad5356912e

SHA512
7cc1810cfcc42bd529f7261c54c0f8f57cf866c712e60302c00baf2e693414e412768b5c85afbb907452aaa72eb6331bc1e47cd305a77331dc2c783cc8ce05fc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rinzzkcfiw.lnk

Filesize
1KB

MD5
c876da4181a8bdcb22c73c907c36929c

SHA1
25f95d93fec5748fc01927a5dee212f32c176bda

SHA256
2fd2f502a6ab5f1720c96a707197b7f90d3043c600100ce4e6d5f90dc87c6e1b

SHA512
606d8612505919a9bbd0e09dea68e5dd31e9569e9f5dea45a2cc5779b4cb2aedb42488d78de6b3c0fe3d0d584379466879c1941529a7e6a7b4fd91e1562881a2

Download Submit
\Users\Admin\AppData\Local\JTh\slui.exe

Filesize
341KB

MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
\Users\Admin\AppData\Local\Xnaz\SystemPropertiesPerformance.exe

Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
\Users\Admin\AppData\Local\r97JbotX\mfpmp.exe

Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
memory/1196-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-30-0x0000000077120000-0x0000000077122000-memory.dmp

Filesize
8KB

Download
memory/1196-4-0x0000000076E86000-0x0000000076E87000-memory.dmp

Filesize
4KB

Download
memory/1196-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-5-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1196-29-0x0000000076F91000-0x0000000076F92000-memory.dmp

Filesize
4KB

Download
memory/1196-26-0x0000000002920000-0x0000000002927000-memory.dmp

Filesize
28KB

Download
memory/1196-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-64-0x0000000076E86000-0x0000000076E87000-memory.dmp

Filesize
4KB

Download
memory/2108-72-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2108-73-0x000007FEF73A0000-0x000007FEF74D2000-memory.dmp

Filesize
1.2MB

Download
memory/2108-78-0x000007FEF73A0000-0x000007FEF74D2000-memory.dmp

Filesize
1.2MB

Download
memory/2208-91-0x000007FEF73A0000-0x000007FEF74D3000-memory.dmp

Filesize
1.2MB

Download
memory/2208-90-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2208-96-0x000007FEF73A0000-0x000007FEF74D3000-memory.dmp

Filesize
1.2MB

Download
memory/2356-46-0x000007FEF7390000-0x000007FEF74C1000-memory.dmp

Filesize
1.2MB

Download
memory/2356-1-0x000007FEF7390000-0x000007FEF74C1000-memory.dmp

Filesize
1.2MB

Download
memory/2356-3-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2520-59-0x000007FEF74D0000-0x000007FEF7602000-memory.dmp

Filesize
1.2MB

Download
memory/2520-55-0x000007FEF74D0000-0x000007FEF7602000-memory.dmp

Filesize
1.2MB

Download