dridex | 9d825d941408f6e8d7d47ced824b3e78a5346d0bc899f41ea51d53abbe5d5a13

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a20721654c3fced2cf5ecc9bed5fd3a3_JaffaCakes118.dll
Size

1.2MB
MD5

a20721654c3fced2cf5ecc9bed5fd3a3
SHA1

e1bc4896d120d6ebaf569f6c0a1f8f3fe3b2ae2b
SHA256

9d825d941408f6e8d7d47ced824b3e78a5346d0bc899f41ea51d53abbe5d5a13
SHA512

434b92c682705ea985f15a39d6771865d3449fea6cd6941604dfce800d95285833ba3b0532d088497867032d6e8680288302acbe866229822280dbc00c940211
SSDEEP

24576:CuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:K9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

irftp.exeDxpserver.exemsdt.exe

pid	Process
2560	irftp.exe
2900	Dxpserver.exe
744	msdt.exe

Loads dropped DLL 7 IoCs

Processes:

irftp.exeDxpserver.exemsdt.exe

pid	Process
1192
2560	irftp.exe
1192
2900	Dxpserver.exe
1192
744	msdt.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wqbazsgxtjodx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\uPsBppXEak\\Dxpserver.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Dxpserver.exemsdt.exeirftp.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	Process
2172	regsvr32.exe
2172	regsvr32.exe
2172	regsvr32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1192 wrote to memory of 2544	1192	30
PID 1192 wrote to memory of 2544	1192	30
PID 1192 wrote to memory of 2544	1192	30
PID 1192 wrote to memory of 2560	1192	31
PID 1192 wrote to memory of 2560	1192	31
PID 1192 wrote to memory of 2560	1192	31
PID 1192 wrote to memory of 1472	1192	32
PID 1192 wrote to memory of 1472	1192	32
PID 1192 wrote to memory of 1472	1192	32
PID 1192 wrote to memory of 2900	1192	33
PID 1192 wrote to memory of 2900	1192	33
PID 1192 wrote to memory of 2900	1192	33
PID 1192 wrote to memory of 2348	1192	34
PID 1192 wrote to memory of 2348	1192	34
PID 1192 wrote to memory of 2348	1192	34
PID 1192 wrote to memory of 744	1192	35
PID 1192 wrote to memory of 744	1192	35
PID 1192 wrote to memory of 744	1192	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a20721654c3fced2cf5ecc9bed5fd3a3_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:2544

C:\Users\Admin\AppData\Local\2FAN4EjM\irftp.exe
C:\Users\Admin\AppData\Local\2FAN4EjM\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2560

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:1472

C:\Users\Admin\AppData\Local\nBJs\Dxpserver.exe
C:\Users\Admin\AppData\Local\nBJs\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2900

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:2348

C:\Users\Admin\AppData\Local\prMGCmTSp\msdt.exe
C:\Users\Admin\AppData\Local\prMGCmTSp\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2FAN4EjM\WINMM.dll

Filesize
1.2MB

MD5
bfc7d8eff2a790a03aaa190162b1ae74

SHA1
fc7b794a575abf148a8ed6bb30229e7c9dbe0bc7

SHA256
e10d976b7e09424243454adfb4c5c6f5135e1977a07d74cabe0d9a8b7f0730fe

SHA512
83022ce12d55b0c687445a14e8adddd50a781b3acc2dd595fd33541815dc18c10237f92eb4c4c9e0ed34af09770f387a06dcd439bedfb51d8abdf98c37a617c2

Download Submit
C:\Users\Admin\AppData\Local\nBJs\dwmapi.dll

Filesize
1.2MB

MD5
6fc0bfe09bbb6e6aa42738c0e5547cb1

SHA1
b85df3a184a1681ab25c114f4199ca8afa1ac383

SHA256
e5958941de6531893a0a9c49c92bc898e9d9d0e8e4c539b33eba871c85927f4c

SHA512
7f458cbcca6744e2aaaeec21539948b418d14b2bb37876be712b318fab1114e983f79e7f95723a477e14e3924d9990405e2b2d66b3d5b9884f580c3d922a6efb

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk

Filesize
1KB

MD5
92467c756671d3ee4961489f0cfd1242

SHA1
22ba6eca6dc78ba4b045d71a3829261b38c8dc40

SHA256
cc89978b59263f914c0bfc0dc4e582355e1c3d9a4a1c4953fe4cbe7220b5acb9

SHA512
90971759c349aa063cab0052dbb9ff905c86aba18d967bd8928a4ea08c6144b6a625d602f1837f7b2fd02fc5589747449ed2793ba7f2119872397567efe26e71

Download Submit
\Users\Admin\AppData\Local\2FAN4EjM\irftp.exe

Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
\Users\Admin\AppData\Local\nBJs\Dxpserver.exe

Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\prMGCmTSp\DUI70.dll

Filesize
1.4MB

MD5
2fb5be405b7947b30ad887e51392f7d6

SHA1
679222e3eb99443e43dffc39b585dea577bb9413

SHA256
7d6cbd710ba2132a39a46f5934310a939d61e80714addd5afc7578305741758b

SHA512
dd7e33298b22edd2c77562c09a21b4d0427e673e907134fbd499afcad06c6870e6fa39c2b8220e6a6796ab2038f12a0bf6d0256d2fa4a7e8624aba0601bc14ef

Download Submit
\Users\Admin\AppData\Local\prMGCmTSp\msdt.exe

Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
memory/744-92-0x000007FEF7E00000-0x000007FEF7F65000-memory.dmp

Filesize
1.4MB

Download
memory/744-87-0x000007FEF7E00000-0x000007FEF7F65000-memory.dmp

Filesize
1.4MB

Download
memory/1192-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-29-0x0000000077B81000-0x0000000077B82000-memory.dmp

Filesize
4KB

Download
memory/1192-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-4-0x0000000077976000-0x0000000077977000-memory.dmp

Filesize
4KB

Download
memory/1192-33-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-34-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1192-43-0x0000000077976000-0x0000000077977000-memory.dmp

Filesize
4KB

Download
memory/1192-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-18-0x0000000002B80000-0x0000000002B87000-memory.dmp

Filesize
28KB

Download
memory/1192-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-26-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-30-0x0000000077D10000-0x0000000077D12000-memory.dmp

Filesize
8KB

Download
memory/2172-42-0x000007FEF7F00000-0x000007FEF8031000-memory.dmp

Filesize
1.2MB

Download
memory/2172-0-0x000007FEF7F00000-0x000007FEF8031000-memory.dmp

Filesize
1.2MB

Download
memory/2172-3-0x00000000004C0000-0x00000000004C7000-memory.dmp

Filesize
28KB

Download
memory/2560-57-0x000007FEF7200000-0x000007FEF7333000-memory.dmp

Filesize
1.2MB

Download
memory/2560-52-0x000007FEF7200000-0x000007FEF7333000-memory.dmp

Filesize
1.2MB

Download
memory/2560-51-0x00000000002C0000-0x00000000002C7000-memory.dmp

Filesize
28KB

Download
memory/2900-70-0x000007FEF7E30000-0x000007FEF7F62000-memory.dmp

Filesize
1.2MB

Download
memory/2900-69-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2900-75-0x000007FEF7E30000-0x000007FEF7F62000-memory.dmp

Filesize
1.2MB

Download