dridex | f0e9f3d5fced9258fdb6791c781c6844a172502786b058db47ce483493b1941d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f37c38c61838641d596841f6a1232ff_JaffaCakes118.dll
Size

1.4MB
MD5

9f37c38c61838641d596841f6a1232ff
SHA1

3334ad56daf32d68440ffcd6c838142c5822e650
SHA256

f0e9f3d5fced9258fdb6791c781c6844a172502786b058db47ce483493b1941d
SHA512

5fe41be56f5c65084cf13892da63eb9b33d6ef39a0214c14ea242d12aecdeeb85609cd2fc0638834bcbd4353ae087f1da443de756aeb00d586803f9629c0ab76
SSDEEP

24576:guYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Ns:w9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1208-5-0x0000000002F10000-0x0000000002F11000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2664	DWWIN.EXE
752	SystemPropertiesDataExecutionPrevention.exe
2512	spinstall.exe

Loads dropped DLL 7 IoCs

pid	Process
1208	Process not Found
2664	DWWIN.EXE
1208	Process not Found
752	SystemPropertiesDataExecutionPrevention.exe
1208	Process not Found
2512	spinstall.exe
1208	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkmfyiwmvqjxba = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\vjA\\SYSTEM~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spinstall.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	rundll32.exe
2384	rundll32.exe
2384	rundll32.exe
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2788	1208	Process not Found	31
PID 1208 wrote to memory of 2788	1208	Process not Found	31
PID 1208 wrote to memory of 2788	1208	Process not Found	31
PID 1208 wrote to memory of 2664	1208	Process not Found	32
PID 1208 wrote to memory of 2664	1208	Process not Found	32
PID 1208 wrote to memory of 2664	1208	Process not Found	32
PID 1208 wrote to memory of 2020	1208	Process not Found	33
PID 1208 wrote to memory of 2020	1208	Process not Found	33
PID 1208 wrote to memory of 2020	1208	Process not Found	33
PID 1208 wrote to memory of 752	1208	Process not Found	34
PID 1208 wrote to memory of 752	1208	Process not Found	34
PID 1208 wrote to memory of 752	1208	Process not Found	34
PID 1208 wrote to memory of 1120	1208	Process not Found	35
PID 1208 wrote to memory of 1120	1208	Process not Found	35
PID 1208 wrote to memory of 1120	1208	Process not Found	35
PID 1208 wrote to memory of 2512	1208	Process not Found	36
PID 1208 wrote to memory of 2512	1208	Process not Found	36
PID 1208 wrote to memory of 2512	1208	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f37c38c61838641d596841f6a1232ff_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:2788

C:\Users\Admin\AppData\Local\Wud62\DWWIN.EXE
C:\Users\Admin\AppData\Local\Wud62\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2664

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:2020

C:\Users\Admin\AppData\Local\DG6HCSy\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\DG6HCSy\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:752

C:\Windows\system32\spinstall.exe
C:\Windows\system32\spinstall.exe
1⤵
PID:1120

C:\Users\Admin\AppData\Local\jOKfg\spinstall.exe
C:\Users\Admin\AppData\Local\jOKfg\spinstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DG6HCSy\SYSDM.CPL

Filesize
1.4MB

MD5
be13c95e115857b1e4d3c3a75ce995ac

SHA1
6cb41c3c758b783331a15f7ecc998780e19fb325

SHA256
515727a1b1ea1d67d87fdebe56560ff5da1ac8cadda4f464c64bbd0bcec72458

SHA512
560474a0688fb3c7792e23d6eadb14a1876c85baeb36e6702d3c776c4fa8d9e85689af671509af0a0dc669c2de07c3f4fc93ac0239b10b5dd4b27ecdf73799a0

Download Submit
C:\Users\Admin\AppData\Local\Wud62\VERSION.dll

Filesize
1.4MB

MD5
06a87ad14a64cc4db3c29198e1704593

SHA1
f406a7a49b591623d4dd64619f3cdcd8d30d3a82

SHA256
3656b1f92ab44b5a1d3084c704aadcc5161ea0377a18f22ff0eda3c8843e52fb

SHA512
2e779d20196406d090d402afc9adc1167356dab87563bc50bc0d91c8bc948a47582c4ad6830ec022afcd474c051e4df0ae2881522a7d100e6d8f8a4191630955

Download Submit
C:\Users\Admin\AppData\Local\jOKfg\WINBRAND.dll

Filesize
1.4MB

MD5
2dc73b4bd92d65754d794e616af26d1e

SHA1
f6bface46c83708328b5b6737c069b3906f9f0ba

SHA256
8cde61901bff9cc3de19d4b38d344c8a7da58065bb68de80944e5cb16c82a42f

SHA512
c5aab0713974c7a0cd76309107e8512fc5990c1210c2e020863a9410a7b82a5bd310ed04bf60f1b93c4c5c10d31fe20b6ac03ac153d60afe5ac9526ab64cf1b9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk

Filesize
1KB

MD5
85f01d4b24fa135259567cdb080fcaa2

SHA1
84282446b8030bcc0e6e6ec335845b21cd7562bb

SHA256
66cd3efc0642582f706ea2ba6eeff66fed55c850d6915baf7be03c243df3820b

SHA512
414a7918bd879cc015ee45de7ee14b25269e7c530447c37d98b4ce719f58e6a7af42a02c320953187519ba978c1a5ed70cd1a9f4f629e5d861cc7e317217d451

Download Submit
\Users\Admin\AppData\Local\DG6HCSy\SystemPropertiesDataExecutionPrevention.exe

Filesize
80KB

MD5
e43ff7785fac643093b3b16a9300e133

SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba

SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Download Submit
\Users\Admin\AppData\Local\Wud62\DWWIN.EXE

Filesize
149KB

MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
\Users\Admin\AppData\Local\jOKfg\spinstall.exe

Filesize
584KB

MD5
29c1d5b330b802efa1a8357373bc97fe

SHA1
90797aaa2c56fc2a667c74475996ea1841bc368f

SHA256
048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

SHA512
66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

Download Submit
memory/752-79-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/752-78-0x000007FEF7420000-0x000007FEF7584000-memory.dmp

Filesize
1.4MB

Download
memory/752-73-0x000007FEF7420000-0x000007FEF7584000-memory.dmp

Filesize
1.4MB

Download
memory/1208-37-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-25-0x0000000002E70000-0x0000000002E77000-memory.dmp

Filesize
28KB

Download
memory/1208-13-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-12-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-11-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-10-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-9-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-27-0x0000000077E60000-0x0000000077E62000-memory.dmp

Filesize
8KB

Download
memory/1208-4-0x0000000077BC6000-0x0000000077BC7000-memory.dmp

Filesize
4KB

Download
memory/1208-36-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-5-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/1208-46-0x0000000077BC6000-0x0000000077BC7000-memory.dmp

Filesize
4KB

Download
memory/1208-15-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-14-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-8-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-7-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-16-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-24-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1208-26-0x0000000077CD1000-0x0000000077CD2000-memory.dmp

Filesize
4KB

Download
memory/2384-45-0x000007FEF7420000-0x000007FEF7583000-memory.dmp

Filesize
1.4MB

Download
memory/2384-0-0x000007FEF7420000-0x000007FEF7583000-memory.dmp

Filesize
1.4MB

Download
memory/2384-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2512-97-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2512-96-0x000007FEF7420000-0x000007FEF7584000-memory.dmp

Filesize
1.4MB

Download
memory/2664-61-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2664-60-0x000007FEF7AD0000-0x000007FEF7C34000-memory.dmp

Filesize
1.4MB

Download
memory/2664-54-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2664-55-0x000007FEF7AD0000-0x000007FEF7C34000-memory.dmp

Filesize
1.4MB

Download