dridex | 33143ae3dad7d48a7b60f534dda386fe9ca6451864b50facc77d50c41cb7d704

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a236617cba1842bc67dd010ff75e0165_JaffaCakes118.dll
Size

1.2MB
MD5

a236617cba1842bc67dd010ff75e0165
SHA1

45c927cb4e54935e080eb289d6b3873599f326aa
SHA256

33143ae3dad7d48a7b60f534dda386fe9ca6451864b50facc77d50c41cb7d704
SHA512

fc2a47558586c1af2621d6eb12c0d1a418117f3291a04a8a4744e276514f71851d399da19cb7e873a0826c40e136b605cab83500447e89a7c476736164a02168
SSDEEP

24576:HuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N3:p9cKrUqZWLAcUv

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1324-5-0x0000000002530000-0x0000000002531000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mmc.exedialer.exemsdtc.exe

pid	Process
2740	mmc.exe
2628	dialer.exe
1256	msdtc.exe

Loads dropped DLL 7 IoCs

Processes:

mmc.exedialer.exemsdtc.exe

pid	Process
1324
2740	mmc.exe
1324
2628	dialer.exe
1324
1256	msdtc.exe
1324

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qntpnaypazzlupr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\xm\\dialer.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mmc.exedialer.exemsdtc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	Process
2200	regsvr32.exe
2200	regsvr32.exe
2200	regsvr32.exe
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324
1324

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1324 wrote to memory of 2724	1324	30
PID 1324 wrote to memory of 2724	1324	30
PID 1324 wrote to memory of 2724	1324	30
PID 1324 wrote to memory of 2740	1324	31
PID 1324 wrote to memory of 2740	1324	31
PID 1324 wrote to memory of 2740	1324	31
PID 1324 wrote to memory of 2556	1324	32
PID 1324 wrote to memory of 2556	1324	32
PID 1324 wrote to memory of 2556	1324	32
PID 1324 wrote to memory of 2628	1324	33
PID 1324 wrote to memory of 2628	1324	33
PID 1324 wrote to memory of 2628	1324	33
PID 1324 wrote to memory of 2216	1324	34
PID 1324 wrote to memory of 2216	1324	34
PID 1324 wrote to memory of 2216	1324	34
PID 1324 wrote to memory of 1256	1324	35
PID 1324 wrote to memory of 1256	1324	35
PID 1324 wrote to memory of 1256	1324	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a236617cba1842bc67dd010ff75e0165_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:2724

C:\Users\Admin\AppData\Local\GXjD\mmc.exe
C:\Users\Admin\AppData\Local\GXjD\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2740

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:2556

C:\Users\Admin\AppData\Local\HFMj1i\dialer.exe
C:\Users\Admin\AppData\Local\HFMj1i\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2628

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:2216

C:\Users\Admin\AppData\Local\V1f2\msdtc.exe
C:\Users\Admin\AppData\Local\V1f2\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GXjD\DUser.dll

Filesize
1.2MB

MD5
12ce6aa24ad4c70768199a32558af01c

SHA1
9160328ccf95de5f0df89eac5334e33e2fc10a30

SHA256
5b2dfef5bc256609105874d6000108804292f4c418003671fbffe8d9c0ae94ce

SHA512
7b1227dedc7fdc50bfa19544a4b0b671e915ec7c5a871dd77bfce762d3da61216080661128f59088096c3570479cdebdde68ebd75179dae1009e85b02141583c

Download Submit
C:\Users\Admin\AppData\Local\HFMj1i\TAPI32.dll

Filesize
1.2MB

MD5
75ec53a76d96bac97a8c1f41ac2bc570

SHA1
822d05b7a4cf564c98a81b8758496b72d7c581cf

SHA256
41bcf12138e222cb6002e81f181824a9463dfa99775b0442fb756a28e12ca66e

SHA512
22555c4c0936ea25190201c899312a81914701c511faa88068823c083ebcca2b2e5fd0a6ffe1f989da145d87db65ac3f13b027a7ee1c295b16d4b7bba13538c9

Download Submit
C:\Users\Admin\AppData\Local\V1f2\VERSION.dll

Filesize
1.2MB

MD5
0104beec717d69d2d1655afa6d200da4

SHA1
77f5a4b79ba50876f6d2aabb74dc533d4baa3d4c

SHA256
2b3e13624bf2fbbfd58bfa2765a526bb615504e4cd9fe574e244b10a1db2bb43

SHA512
bd32cf56eb5d73aa237363bf7dfddf4e12169407d37703201ee8316da521c07ca134aade8ce07b2e76758c5c7dd6e1c971e50b14f6f0cb1f4a9091e0e9d83113

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Joeqzcwrjre.lnk

Filesize
1KB

MD5
54d3723a7f96f4c3825ca730c8819592

SHA1
78a46e2330166a54ee048cf67b1391961f7e9534

SHA256
eb5faaa288176b8331f9b20cd2f498fd30a0bbfc1c34ef21561a794383f2b552

SHA512
f54d32d07843764152f458db82d75f29266287a9474bf75121df41c1cf933716217692c7dd35089694c16ab56d863d2646816ef858d6decf0897c0591dd47629

Download Submit
\Users\Admin\AppData\Local\GXjD\mmc.exe

Filesize
2.0MB

MD5
9fea051a9585f2a303d55745b4bf63aa

SHA1
f5dc12d658402900a2b01af2f018d113619b96b8

SHA256
b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

SHA512
beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

Download Submit
\Users\Admin\AppData\Local\HFMj1i\dialer.exe

Filesize
34KB

MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
\Users\Admin\AppData\Local\V1f2\msdtc.exe

Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
memory/1256-95-0x000007FEF65B0000-0x000007FEF66E7000-memory.dmp

Filesize
1.2MB

Download
memory/1256-90-0x000007FEF65B0000-0x000007FEF66E7000-memory.dmp

Filesize
1.2MB

Download
memory/1324-26-0x0000000077921000-0x0000000077922000-memory.dmp

Filesize
4KB

Download
memory/1324-25-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-15-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-14-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-13-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-12-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-11-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-10-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-9-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-37-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-36-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-4-0x0000000077816000-0x0000000077817000-memory.dmp

Filesize
4KB

Download
memory/1324-46-0x0000000077816000-0x0000000077817000-memory.dmp

Filesize
4KB

Download
memory/1324-5-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1324-27-0x0000000077AB0000-0x0000000077AB2000-memory.dmp

Filesize
8KB

Download
memory/1324-7-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-8-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-16-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1324-23-0x0000000002510000-0x0000000002517000-memory.dmp

Filesize
28KB

Download
memory/2200-0-0x000007FEF7050000-0x000007FEF7186000-memory.dmp

Filesize
1.2MB

Download
memory/2200-45-0x000007FEF7050000-0x000007FEF7186000-memory.dmp

Filesize
1.2MB

Download
memory/2200-3-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download
memory/2628-72-0x000007FEF6800000-0x000007FEF6938000-memory.dmp

Filesize
1.2MB

Download
memory/2628-75-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2628-78-0x000007FEF6800000-0x000007FEF6938000-memory.dmp

Filesize
1.2MB

Download
memory/2740-60-0x000007FEF6740000-0x000007FEF6877000-memory.dmp

Filesize
1.2MB

Download
memory/2740-55-0x000007FEF6740000-0x000007FEF6877000-memory.dmp

Filesize
1.2MB

Download
memory/2740-54-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download