dridex | 580717185d7152b8d9b743535f769b840dc8387ed3fc4cf61d411a6733afef1d

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cdb43c23cbe72a36e8ace440955fbb8_JaffaCakes118.dll
Size

1.2MB
MD5

9cdb43c23cbe72a36e8ace440955fbb8
SHA1

738d4cbc3da26c3dce6efe3f42d960cb6d504ac6
SHA256

580717185d7152b8d9b743535f769b840dc8387ed3fc4cf61d411a6733afef1d
SHA512

6ff44db456afbc663d751af9984f037dcdf2fb8b70de6141748904508e0f730375b1f6b7903031c617336048187c955efe48a6082f31edfedea6583baf5d430f
SSDEEP

24576:2uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:29cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002E00000-0x0000000002E01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2756	dwm.exe
3064	DevicePairingWizard.exe
1700	DevicePairingWizard.exe

Loads dropped DLL 7 IoCs

pid	Process
1200	Process not Found
2756	dwm.exe
1200	Process not Found
3064	DevicePairingWizard.exe
1200	Process not Found
1700	DevicePairingWizard.exe
1200	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wqbazsgxtjodx = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\NQHIVQ~1\\DEVICE~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	rundll32.exe
2968	rundll32.exe
2968	rundll32.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2612	1200	Process not Found	31
PID 1200 wrote to memory of 2612	1200	Process not Found	31
PID 1200 wrote to memory of 2612	1200	Process not Found	31
PID 1200 wrote to memory of 2756	1200	Process not Found	32
PID 1200 wrote to memory of 2756	1200	Process not Found	32
PID 1200 wrote to memory of 2756	1200	Process not Found	32
PID 1200 wrote to memory of 2996	1200	Process not Found	33
PID 1200 wrote to memory of 2996	1200	Process not Found	33
PID 1200 wrote to memory of 2996	1200	Process not Found	33
PID 1200 wrote to memory of 3064	1200	Process not Found	34
PID 1200 wrote to memory of 3064	1200	Process not Found	34
PID 1200 wrote to memory of 3064	1200	Process not Found	34
PID 1200 wrote to memory of 1964	1200	Process not Found	35
PID 1200 wrote to memory of 1964	1200	Process not Found	35
PID 1200 wrote to memory of 1964	1200	Process not Found	35
PID 1200 wrote to memory of 1700	1200	Process not Found	36
PID 1200 wrote to memory of 1700	1200	Process not Found	36
PID 1200 wrote to memory of 1700	1200	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9cdb43c23cbe72a36e8ace440955fbb8_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2968

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:2612

C:\Users\Admin\AppData\Local\oit\dwm.exe
C:\Users\Admin\AppData\Local\oit\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2756

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:2996

C:\Users\Admin\AppData\Local\CR0Au\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\CR0Au\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3064

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:1964

C:\Users\Admin\AppData\Local\KnNNy\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\KnNNy\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CR0Au\MFC42u.dll

Filesize
1.2MB

MD5
60a8241d279e4f30f1104df97b0ba755

SHA1
7b5c22f8d54f11a564b74edc62cecfc7e4d54808

SHA256
156b619f014906072716e1c4984e1cc54ffbc14f3e19392e49c16e3be12a3e29

SHA512
1b1865f5ce77bd25bb1bc054318c0849c15a003c2bb2b1f4daffe200f2bdb082aca5a3fd731fccd6fe439eeaa090e8fb13030ed2128eee5fe1c8a4eca63099c2

Download Submit
C:\Users\Admin\AppData\Local\KnNNy\MFC42u.dll

Filesize
1.2MB

MD5
83a6f56a5ce90e180219d4e1e6883102

SHA1
bd4343ceace5ef656e89e6b5c4799dbe2657eb9c

SHA256
a15ae0c359ebc0e2425d18347947df30e35a4e8e2c843c5a62e0ec6272c55ada

SHA512
1e50ab8589296dd343aa46af1ad971ea08853b4dc747ecc240bc8bde33e8c81721c70a708c97a684f7309667e3d59729cf6b24759049519bcee320f3fe79b35a

Download Submit
C:\Users\Admin\AppData\Local\oit\UxTheme.dll

Filesize
1.2MB

MD5
bdfecd6b365c6a83b3b134f4738ec168

SHA1
3316501b7e43758c1220626033551c484d454f76

SHA256
82bb8387adbd786730e6efa8aeac8d84d9b6194ae8cbaac516664c9dd412978f

SHA512
e762eb4231169fd211cff2d6f200a08ce7b54db579ef41bc1f6ab840406aa17a0ea27273280d8e01f21694149ea26c26cf484b88d95e54a2c887d54df9ef8283

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk

Filesize
1KB

MD5
38a0694ceac228e58d8558b57fa831e8

SHA1
bbbc2760c1a4674738a26273c954e1a43b62696c

SHA256
8fc1f50d5e41252d516e116bb81dc23c6a51e1cc51f8351b791386f08c6609fb

SHA512
bf1c71832f5d047e8c0681f338b893562b51f8f23dab20ce918eed370cab2d8d526b7cf5c72894ee563e4ebf62094e79809be8740ba326c0244fec0a665a8633

Download Submit
\Users\Admin\AppData\Local\CR0Au\DevicePairingWizard.exe

Filesize
73KB

MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
\Users\Admin\AppData\Local\oit\dwm.exe

Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
memory/1200-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-26-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-24-0x0000000002DE0000-0x0000000002DE7000-memory.dmp

Filesize
28KB

Download
memory/1200-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-4-0x0000000077196000-0x0000000077197000-memory.dmp

Filesize
4KB

Download
memory/1200-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-5-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1200-47-0x0000000077196000-0x0000000077197000-memory.dmp

Filesize
4KB

Download
memory/1200-30-0x0000000077530000-0x0000000077532000-memory.dmp

Filesize
8KB

Download
memory/1200-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-29-0x00000000773A1000-0x00000000773A2000-memory.dmp

Filesize
4KB

Download
memory/1700-88-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1700-94-0x000007FEF6440000-0x000007FEF6578000-memory.dmp

Filesize
1.2MB

Download
memory/2756-56-0x000007FEF6AD0000-0x000007FEF6C02000-memory.dmp

Filesize
1.2MB

Download
memory/2756-60-0x000007FEF6AD0000-0x000007FEF6C02000-memory.dmp

Filesize
1.2MB

Download
memory/2756-55-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2968-46-0x000007FEF6440000-0x000007FEF6571000-memory.dmp

Filesize
1.2MB

Download
memory/2968-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2968-1-0x000007FEF6440000-0x000007FEF6571000-memory.dmp

Filesize
1.2MB

Download
memory/3064-71-0x000007FEF6440000-0x000007FEF6578000-memory.dmp

Filesize
1.2MB

Download
memory/3064-73-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/3064-76-0x000007FEF6440000-0x000007FEF6578000-memory.dmp

Filesize
1.2MB

Download