dridex | 9cf326ccaee343e0bd17b36bc073ea0ec4db6dc32f1596d69f018f67f3f30055

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a32e85a3e9c4f38f9b6bc91063dd086c_JaffaCakes118.dll
Size

1.2MB
MD5

a32e85a3e9c4f38f9b6bc91063dd086c
SHA1

207a0c9c977e931bd533ec62761e9ecee2238ddf
SHA256

9cf326ccaee343e0bd17b36bc073ea0ec4db6dc32f1596d69f018f67f3f30055
SHA512

e1b749cbaec8b8b2f47f9376b2c88eab169735b7516d38ec388c7a54f637293d9adc7784a42b41d780ede176697b2d7f0fcc7df1405e15fead901232dedfa2de
SSDEEP

24576:9uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:X9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002910000-0x0000000002911000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

calc.exedwm.exemsdtc.exe

pid	Process
2592	calc.exe
2988	dwm.exe
2856	msdtc.exe

Loads dropped DLL 7 IoCs

Processes:

calc.exedwm.exemsdtc.exe

pid	Process
1196
2592	calc.exe
1196
2988	dwm.exe
1196
2856	msdtc.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Madzpveq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\iD0b\\dwm.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execalc.exedwm.exemsdtc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2356	rundll32.exe
2356	rundll32.exe
2356	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1196 wrote to memory of 2528	1196	30
PID 1196 wrote to memory of 2528	1196	30
PID 1196 wrote to memory of 2528	1196	30
PID 1196 wrote to memory of 2592	1196	31
PID 1196 wrote to memory of 2592	1196	31
PID 1196 wrote to memory of 2592	1196	31
PID 1196 wrote to memory of 2456	1196	32
PID 1196 wrote to memory of 2456	1196	32
PID 1196 wrote to memory of 2456	1196	32
PID 1196 wrote to memory of 2988	1196	33
PID 1196 wrote to memory of 2988	1196	33
PID 1196 wrote to memory of 2988	1196	33
PID 1196 wrote to memory of 2848	1196	34
PID 1196 wrote to memory of 2848	1196	34
PID 1196 wrote to memory of 2848	1196	34
PID 1196 wrote to memory of 2856	1196	35
PID 1196 wrote to memory of 2856	1196	35
PID 1196 wrote to memory of 2856	1196	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a32e85a3e9c4f38f9b6bc91063dd086c_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:2528

C:\Users\Admin\AppData\Local\2Pj\calc.exe
C:\Users\Admin\AppData\Local\2Pj\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2592

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:2456

C:\Users\Admin\AppData\Local\PGs4t\dwm.exe
C:\Users\Admin\AppData\Local\PGs4t\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2988

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:2848

C:\Users\Admin\AppData\Local\W4SKr8\msdtc.exe
C:\Users\Admin\AppData\Local\W4SKr8\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2Pj\UxTheme.dll

Filesize
1.2MB

MD5
0ed9446e5b6d6b5b14ff9c3d860282ed

SHA1
591afcff8d86c4dc7abb644a87342525bc76a2bf

SHA256
2f612a8db065fafa6b465c8423257bb63d5fa1573418adeb8e5f3170330be600

SHA512
cbf6b5c3a11ec221160478989bccc1033c94e742d99da8a604f7be03f1404a1c5ed933abbcd3e84b80b1eb9e211355ccd7aa0b7c21323b4ac2e5ed937c378b39

Download Submit
C:\Users\Admin\AppData\Local\PGs4t\UxTheme.dll

Filesize
1.2MB

MD5
cea4d9396d9dab04d803417f0a0e2edc

SHA1
9756ce4dd475be7144704935f9eb1893f89333ff

SHA256
7dd5a87c9e2a908b541cd68c94a01125cf3f39837609141e592f58398ce3905b

SHA512
7980dcef0e26d90f35766fa26c752943b2e3c169ac0f5885347b8cca4927b71881663b702b664837c8f393fd4a324880d9556cea39efd2d44e12b01a844b0199

Download Submit
C:\Users\Admin\AppData\Local\W4SKr8\VERSION.dll

Filesize
1.2MB

MD5
f60443d2de9dec8f0c65af0222ee7153

SHA1
0d3e47bee9a3026be45d053d8e024e32de561b32

SHA256
b6f89c58956d7712c95b1b3f4db2eb1fdf7a0c36315fe87564774318ae4df691

SHA512
7deb29111a125573abf7d0807bf7441c0cba490b5b83a8c31dfbe8a157eb92d5dd67ea6e9ff458d50564abeb3a1b6f1582b1a156421b8949a56d01662f768ae1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rinzzkcfiw.lnk

Filesize
1KB

MD5
8b1741784ccc1b809c3fe8fd77c3a739

SHA1
5a9312f1131d0f7565b6961a9b2f15c8df900517

SHA256
df599f46c9a09c465507bad2ff8da4188e921803d95d4389ffb5417e8ec2ef19

SHA512
02c5f773a4aa3661cc0558596543132f410f8361da3365d2bdb817a680d19f96e12e990a3f6a2f5114af7a580b34b3f49de54d787cf9cbcdfd3c8b523b6c91af

Download Submit
\Users\Admin\AppData\Local\2Pj\calc.exe

Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
\Users\Admin\AppData\Local\PGs4t\dwm.exe

Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
\Users\Admin\AppData\Local\W4SKr8\msdtc.exe

Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
memory/1196-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1196-29-0x0000000077120000-0x0000000077122000-memory.dmp

Filesize
8KB

Download
memory/1196-4-0x0000000076E86000-0x0000000076E87000-memory.dmp

Filesize
4KB

Download
memory/1196-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1196-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1196-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1196-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1196-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1196-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1196-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1196-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1196-5-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1196-33-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1196-34-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1196-42-0x0000000076E86000-0x0000000076E87000-memory.dmp

Filesize
4KB

Download
memory/1196-28-0x0000000076F91000-0x0000000076F92000-memory.dmp

Filesize
4KB

Download
memory/1196-25-0x0000000002920000-0x0000000002927000-memory.dmp

Filesize
28KB

Download
memory/1196-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1196-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2356-30-0x000007FEF73B0000-0x000007FEF74E0000-memory.dmp

Filesize
1.2MB

Download
memory/2356-0-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2356-2-0x000007FEF73B0000-0x000007FEF74E0000-memory.dmp

Filesize
1.2MB

Download
memory/2592-56-0x000007FEF74D0000-0x000007FEF7601000-memory.dmp

Filesize
1.2MB

Download
memory/2592-50-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/2592-51-0x000007FEF74D0000-0x000007FEF7601000-memory.dmp

Filesize
1.2MB

Download
memory/2856-83-0x000007FEF5F80000-0x000007FEF60B1000-memory.dmp

Filesize
1.2MB

Download
memory/2856-88-0x000007FEF5F80000-0x000007FEF60B1000-memory.dmp

Filesize
1.2MB

Download
memory/2988-68-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/2988-70-0x000007FEF73A0000-0x000007FEF74D1000-memory.dmp

Filesize
1.2MB

Download
memory/2988-73-0x000007FEF73A0000-0x000007FEF74D1000-memory.dmp

Filesize
1.2MB

Download