dridex | e60597f976b7078f5ece1f0aca1aba18b9da2e87de3d24d02fb7468b943a0582

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a74387fec59971d9727daedf1772f601_JaffaCakes118.dll
Size

1.2MB
MD5

a74387fec59971d9727daedf1772f601
SHA1

96920b5c184bc122065cb5b0601cad3d86b0d04a
SHA256

e60597f976b7078f5ece1f0aca1aba18b9da2e87de3d24d02fb7468b943a0582
SHA512

466b131ccc8fd9f59d029dbcd7110c097e4e8b1216b0597329c986a082bcd05a4e707994a885feecb841c6baf157f541bb153b2df062aea539ce3e49fbf02eaf
SSDEEP

24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N/:F9cKrUqZWLAcUH

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1188-5-0x0000000002500000-0x0000000002501000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

p2phost.exeSystemPropertiesDataExecutionPrevention.exenotepad.exe

pid	Process
2640	p2phost.exe
2252	SystemPropertiesDataExecutionPrevention.exe
1652	notepad.exe

Loads dropped DLL 7 IoCs

Processes:

p2phost.exeSystemPropertiesDataExecutionPrevention.exenotepad.exe

pid	Process
1188
2640	p2phost.exe
1188
2252	SystemPropertiesDataExecutionPrevention.exe
1188
1652	notepad.exe
1188

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Neewpjodwhuy = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\rUk\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

notepad.exerundll32.exep2phost.exeSystemPropertiesDataExecutionPrevention.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1952	rundll32.exe
1952	rundll32.exe
1952	rundll32.exe
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1188 wrote to memory of 2720	1188	31
PID 1188 wrote to memory of 2720	1188	31
PID 1188 wrote to memory of 2720	1188	31
PID 1188 wrote to memory of 2640	1188	32
PID 1188 wrote to memory of 2640	1188	32
PID 1188 wrote to memory of 2640	1188	32
PID 1188 wrote to memory of 2724	1188	33
PID 1188 wrote to memory of 2724	1188	33
PID 1188 wrote to memory of 2724	1188	33
PID 1188 wrote to memory of 2252	1188	34
PID 1188 wrote to memory of 2252	1188	34
PID 1188 wrote to memory of 2252	1188	34
PID 1188 wrote to memory of 3000	1188	35
PID 1188 wrote to memory of 3000	1188	35
PID 1188 wrote to memory of 3000	1188	35
PID 1188 wrote to memory of 1652	1188	36
PID 1188 wrote to memory of 1652	1188	36
PID 1188 wrote to memory of 1652	1188	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a74387fec59971d9727daedf1772f601_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:2720

C:\Users\Admin\AppData\Local\5brIl\p2phost.exe
C:\Users\Admin\AppData\Local\5brIl\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2640

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:2724

C:\Users\Admin\AppData\Local\LBK\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\LBK\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2252

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:3000

C:\Users\Admin\AppData\Local\tWDMUHJ\notepad.exe
C:\Users\Admin\AppData\Local\tWDMUHJ\notepad.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5brIl\P2PCOLLAB.dll

Filesize
1.2MB

MD5
602d3c64bce6829b572016443e64b4f4

SHA1
5c35f97f182cb6d5f0a51ee5af98e6c15cd2ac18

SHA256
52d236491e398b8c7edcfdb9b6423909647fddafd2c9d0e120486d541f32cb2c

SHA512
4970d9b3840b19654bbffed38643190da52a856c557f8dbd914092e9467115e753d4fad4c0d5c5485d2bdf85b380812e5893066df2fd7ba94e93548f6ebcbb33

Download Submit
C:\Users\Admin\AppData\Local\5brIl\p2phost.exe

Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
C:\Users\Admin\AppData\Local\LBK\SYSDM.CPL

Filesize
1.2MB

MD5
2989327476260afdd2bf25a3745c7fc2

SHA1
e7dda0c98fee24d19e264361e316ee37828534ed

SHA256
9a86202ddf21f81aac5f0a3d57f1c1a3dbacb69594849f9c2f55d78d31e35a7d

SHA512
8ded94df072c0994a2bca9a8cd5361d1e585d97dbaaedf8758ef1f3d6f0f500dae5549b50e619cbf34004ea5d2c2d338935367e8e8d8aa9c99d5ebd2f9ba99cb

Download Submit
C:\Users\Admin\AppData\Local\tWDMUHJ\VERSION.dll

Filesize
1.2MB

MD5
0f51dffd4c14bc5c8e0c2fca11eeec4f

SHA1
90bdcf8b3544655451e579211a77a7cd80254011

SHA256
85353c55f3b598868ddce72ae07429434d1589b52016ec7f733e2079d1e1e898

SHA512
7a579a7e4bf9e2d1139ae0035acc30965c8d028eb41c8531385c8ec23b0acbe38e1a5a7b98888dd6e7d494706efdad5a76ce625f9b74326516c5c056cb50c2cf

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ngqpewzrrtyksiv.lnk

Filesize
1KB

MD5
6a7d94269e894e38155ce63cb79c7b63

SHA1
a48e6f02b8c76f93d35a6528c44e10322d40d100

SHA256
d8e038e06cdbc242f8d44d56b8d56d81989c9603b2480d84896d224cf9ef72b3

SHA512
321c9e400d9c8fae98ac668d51aefae9a7bc3c56b92d7e0cb8779c6147fe9f097eb324eb41421afd6dbea19eabac7b369c0ff1117f56ae12984cf16dcbce0f89

Download Submit
\Users\Admin\AppData\Local\LBK\SystemPropertiesDataExecutionPrevention.exe

Filesize
80KB

MD5
e43ff7785fac643093b3b16a9300e133

SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba

SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Download Submit
\Users\Admin\AppData\Local\tWDMUHJ\notepad.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
memory/1188-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1188-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1188-4-0x0000000076DB6000-0x0000000076DB7000-memory.dmp

Filesize
4KB

Download
memory/1188-27-0x0000000077050000-0x0000000077052000-memory.dmp

Filesize
8KB

Download
memory/1188-26-0x0000000076EC1000-0x0000000076EC2000-memory.dmp

Filesize
4KB

Download
memory/1188-25-0x00000000024E0000-0x00000000024E7000-memory.dmp

Filesize
28KB

Download
memory/1188-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1188-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1188-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1188-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1188-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1188-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1188-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1188-5-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1188-46-0x0000000076DB6000-0x0000000076DB7000-memory.dmp

Filesize
4KB

Download
memory/1188-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1188-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1188-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1188-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1652-92-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1652-98-0x000007FEF5F60000-0x000007FEF6091000-memory.dmp

Filesize
1.2MB

Download
memory/1952-45-0x000007FEF5F70000-0x000007FEF60A0000-memory.dmp

Filesize
1.2MB

Download
memory/1952-1-0x000007FEF5F70000-0x000007FEF60A0000-memory.dmp

Filesize
1.2MB

Download
memory/1952-2-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2252-72-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2252-73-0x000007FEF5F60000-0x000007FEF6091000-memory.dmp

Filesize
1.2MB

Download
memory/2252-78-0x000007FEF5F60000-0x000007FEF6091000-memory.dmp

Filesize
1.2MB

Download
memory/2640-60-0x000007FEF6560000-0x000007FEF6691000-memory.dmp

Filesize
1.2MB

Download
memory/2640-55-0x000007FEF6560000-0x000007FEF6691000-memory.dmp

Filesize
1.2MB

Download
memory/2640-54-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download