dridex | 5b2a5ca7d07b80fd01e348dce440046244cc407a5fdee053c21cf5de1a4e7c4e

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a30b4899908225a2b29ef1b14acef84a_JaffaCakes118.dll
Size

1.2MB
MD5

a30b4899908225a2b29ef1b14acef84a
SHA1

c35339f69cb4da6c1c36771a3bd6711f142fdec1
SHA256

5b2a5ca7d07b80fd01e348dce440046244cc407a5fdee053c21cf5de1a4e7c4e
SHA512

eb177eda0a91949f37c296ed66899a03e7ef9f9ffd90b203486631379ebdd441ce7a936452c3476c6c4bcf3d4842ad51f25d4ba09c783209e5077eb83c37618e
SSDEEP

24576:ruYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:19cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1428-5-0x0000000002E00000-0x0000000002E01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

MpSigStub.exerdpinit.exerrinstaller.exe

pid	Process
2644	MpSigStub.exe
1592	rdpinit.exe
2620	rrinstaller.exe

Loads dropped DLL 7 IoCs

Processes:

MpSigStub.exerdpinit.exerrinstaller.exe

pid	Process
1428
2644	MpSigStub.exe
1428
1592	rdpinit.exe
1428
2620	rrinstaller.exe
1428

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wsagbppvydnjcs = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\RX\\rdpinit.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeMpSigStub.exerdpinit.exerrinstaller.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2584	rundll32.exe
2584	rundll32.exe
2584	rundll32.exe
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1428 wrote to memory of 1264	1428	29
PID 1428 wrote to memory of 1264	1428	29
PID 1428 wrote to memory of 1264	1428	29
PID 1428 wrote to memory of 2644	1428	30
PID 1428 wrote to memory of 2644	1428	30
PID 1428 wrote to memory of 2644	1428	30
PID 1428 wrote to memory of 756	1428	31
PID 1428 wrote to memory of 756	1428	31
PID 1428 wrote to memory of 756	1428	31
PID 1428 wrote to memory of 1592	1428	32
PID 1428 wrote to memory of 1592	1428	32
PID 1428 wrote to memory of 1592	1428	32
PID 1428 wrote to memory of 2160	1428	33
PID 1428 wrote to memory of 2160	1428	33
PID 1428 wrote to memory of 2160	1428	33
PID 1428 wrote to memory of 2620	1428	34
PID 1428 wrote to memory of 2620	1428	34
PID 1428 wrote to memory of 2620	1428	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a30b4899908225a2b29ef1b14acef84a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:1264

C:\Users\Admin\AppData\Local\OzpwdwQ\MpSigStub.exe
C:\Users\Admin\AppData\Local\OzpwdwQ\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2644

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:756

C:\Users\Admin\AppData\Local\cOx\rdpinit.exe
C:\Users\Admin\AppData\Local\cOx\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1592

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:2160

C:\Users\Admin\AppData\Local\zxosGYc\rrinstaller.exe
C:\Users\Admin\AppData\Local\zxosGYc\rrinstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OzpwdwQ\MpSigStub.exe

Filesize
264KB

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
C:\Users\Admin\AppData\Local\OzpwdwQ\VERSION.dll

Filesize
1.2MB

MD5
23d4c59e1b61e1ec34bd4d6f48e39a01

SHA1
ba056941d9e3c998f0a998028c7d59f84fdac1be

SHA256
d6ee43222bd7eaaec260c2053229112176e915d9f9a53e477636f5e65062f1a7

SHA512
7aa81be54f413306b814a7cb74dc1acb99ad63dbd454d028bfcb8cb8dcb0c8c66d58668d04c5aa1336ac5ca6964f270633053286944aea8454bcb19c8edff7b1

Download Submit
C:\Users\Admin\AppData\Local\cOx\slc.dll

Filesize
1.2MB

MD5
8e3f1cef46a56fa8de40cd74311d3107

SHA1
79f9e83ac63a36fbf84b3a2118db78376958bcd2

SHA256
9680cac72e9df9652ab094657003045162c9da414955b94696815594cc4b76b2

SHA512
f648c3f095c13b58cd9d380a304d5cd6b16cefa443096e9d90c97abbbd6eee588dd223837f478516d1ea9c0d5d537df4a805ba90fb5bd187b33991201bf65948

Download Submit
C:\Users\Admin\AppData\Local\zxosGYc\MFPlat.DLL

Filesize
1.2MB

MD5
7f9136b2002154c7cff8802af28dd43d

SHA1
d98d39db41f94f89ed1d391c67fb68e843adb741

SHA256
424f5ebfad014182bd9fa55d33e3a931e7683fbfc8481bb40f7cd23cf61b5346

SHA512
abf2019dc503f420dda607ec39a6156ce5bb2122b54d1a8713dd87fb1c838b9ea66e841582f9d29db66aa24fba45f5e010a53ec40ce192237f96b76146493e68

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ewnqrlgibmqii.lnk

Filesize
943B

MD5
ce73ea3ef7ea72dd119ae88efdc0011a

SHA1
a70e81c2729a271c0efbea1c1dde7936b4673cad

SHA256
8af7b25e7446ef95120c363f8e64d36cecc669ee604b8b97b83d2db966f70807

SHA512
f10f0ba19a70c8e3d64263975ea30384de0467ead9283558eea5e32b7dd904abbe1e2bf4ca536eda5e536b0855fdc5e12dd61d5d3f9b69544c7719c7d692472b

Download Submit
\Users\Admin\AppData\Local\cOx\rdpinit.exe

Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
\Users\Admin\AppData\Local\zxosGYc\rrinstaller.exe

Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
memory/1428-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1428-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1428-4-0x0000000077AC6000-0x0000000077AC7000-memory.dmp

Filesize
4KB

Download
memory/1428-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1428-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1428-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1428-25-0x0000000002DE0000-0x0000000002DE7000-memory.dmp

Filesize
28KB

Download
memory/1428-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1428-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1428-27-0x0000000077E60000-0x0000000077E62000-memory.dmp

Filesize
8KB

Download
memory/1428-26-0x0000000077CD1000-0x0000000077CD2000-memory.dmp

Filesize
4KB

Download
memory/1428-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1428-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1428-5-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1428-46-0x0000000077AC6000-0x0000000077AC7000-memory.dmp

Filesize
4KB

Download
memory/1428-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1428-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1428-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1428-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1592-73-0x000007FEF7100000-0x000007FEF7231000-memory.dmp

Filesize
1.2MB

Download
memory/1592-72-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1592-78-0x000007FEF7100000-0x000007FEF7231000-memory.dmp

Filesize
1.2MB

Download
memory/2584-45-0x000007FEF7110000-0x000007FEF7240000-memory.dmp

Filesize
1.2MB

Download
memory/2584-2-0x00000000004A0000-0x00000000004A7000-memory.dmp

Filesize
28KB

Download
memory/2584-1-0x000007FEF7110000-0x000007FEF7240000-memory.dmp

Filesize
1.2MB

Download
memory/2620-90-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2620-91-0x000007FEF7100000-0x000007FEF7232000-memory.dmp

Filesize
1.2MB

Download
memory/2620-96-0x000007FEF7100000-0x000007FEF7232000-memory.dmp

Filesize
1.2MB

Download
memory/2644-60-0x000007FEF73C0000-0x000007FEF74F1000-memory.dmp

Filesize
1.2MB

Download
memory/2644-54-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2644-55-0x000007FEF73C0000-0x000007FEF74F1000-memory.dmp

Filesize
1.2MB

Download