dridex | 38d90b577fe406506b98dcfa44671fb4623e64a226880bbf52658901e4c9bf0e

Analysis

max time kernel
149s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aabbda269fc690bf1270e2f2a727030f_JaffaCakes118.dll
Size

1.2MB
MD5

aabbda269fc690bf1270e2f2a727030f
SHA1

1169a82250440dc8ce225e7f936c47e05b1b858e
SHA256

38d90b577fe406506b98dcfa44671fb4623e64a226880bbf52658901e4c9bf0e
SHA512

e524f3c97d7492ffadfac9fdb6e5adcf90d9583e8c9262544757fa43902f715656c14c7ae33f1982930e454174dc703bc24bd4a963aa1479de992bb93b39fee8
SSDEEP

24576:nuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NGpt:J9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002B00000-0x0000000002B01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

irftp.exeRDVGHelper.exevmicsvc.exe

pid	Process
2600	irftp.exe
1040	RDVGHelper.exe
552	vmicsvc.exe

Loads dropped DLL 7 IoCs

Processes:

irftp.exeRDVGHelper.exevmicsvc.exe

pid	Process
1200
2600	irftp.exe
1200
1040	RDVGHelper.exe
1200
552	vmicsvc.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wsagbppvydnjcs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\R3A2ON~1\\RDVGHE~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RDVGHelper.exevmicsvc.exerundll32.exeirftp.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDVGHelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2688	rundll32.exe
2688	rundll32.exe
2688	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1200 wrote to memory of 2648	1200	30
PID 1200 wrote to memory of 2648	1200	30
PID 1200 wrote to memory of 2648	1200	30
PID 1200 wrote to memory of 2600	1200	31
PID 1200 wrote to memory of 2600	1200	31
PID 1200 wrote to memory of 2600	1200	31
PID 1200 wrote to memory of 2540	1200	32
PID 1200 wrote to memory of 2540	1200	32
PID 1200 wrote to memory of 2540	1200	32
PID 1200 wrote to memory of 1040	1200	33
PID 1200 wrote to memory of 1040	1200	33
PID 1200 wrote to memory of 1040	1200	33
PID 1200 wrote to memory of 1748	1200	34
PID 1200 wrote to memory of 1748	1200	34
PID 1200 wrote to memory of 1748	1200	34
PID 1200 wrote to memory of 552	1200	35
PID 1200 wrote to memory of 552	1200	35
PID 1200 wrote to memory of 552	1200	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aabbda269fc690bf1270e2f2a727030f_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2688

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:2648

C:\Users\Admin\AppData\Local\EH0uft0\irftp.exe
C:\Users\Admin\AppData\Local\EH0uft0\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2600

C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
1⤵
PID:2540

C:\Users\Admin\AppData\Local\FZVTGiO\RDVGHelper.exe
C:\Users\Admin\AppData\Local\FZVTGiO\RDVGHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1040

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:1748

C:\Users\Admin\AppData\Local\UTTi5jaar\vmicsvc.exe
C:\Users\Admin\AppData\Local\UTTi5jaar\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EH0uft0\WTSAPI32.dll

Filesize
1.2MB

MD5
094d5f8ea54a2caef10faea078cec357

SHA1
a47be4c72138341a2b30c70cd07912755a42343c

SHA256
8dcd78e20c2b707970a27fee01e57407b94bd74f179a4d09a203362d5637d602

SHA512
67e79117b19cf566da5ca974594406486cfcf6e90c21e077a4c8da4dd6abb7fb53fb58148328fea472ae6e0c7ad0b6d56c28367196a2664b6a8c53dc286e02c2

Download Submit
C:\Users\Admin\AppData\Local\FZVTGiO\dwmapi.dll

Filesize
1.2MB

MD5
1d12e3991a09b805617c607bb8ef5c5f

SHA1
9c7eef1b98a6b0d46d9c48194cc72b86d47850e4

SHA256
11ec5da03e140336ad590252beca2b22eef8740c45d3f761ca60259762dd8ed7

SHA512
9b888f31dfbd90770d7f9f06c10153d456399d5b0d0dfd5ab8517202bb2a0447bac51a52b38af725fc4c7df3e59060df9ace12bf2478c35bc40d4ce4a060d9f9

Download Submit
C:\Users\Admin\AppData\Local\UTTi5jaar\ACTIVEDS.dll

Filesize
1.2MB

MD5
4de94599e6e0f45709a510c52fa05b3c

SHA1
82b1ef7adf1a3b05d7996072bb433b6288634ef8

SHA256
8e36840f312944d6cefa4fbc11ec348798eaa8b443b957f9c334e8daf50cfb96

SHA512
2b63be17ac852376e93841eb20b17a9894723bc4ad895c54da36362c3d0878ad48b8b1c9196ab1e94aa5cf598496dd35ff6ded8384b310251d37c04684205904

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ewnqrlgibmqii.lnk

Filesize
1KB

MD5
f45e011d2e820973746cab6d7ac39999

SHA1
15a9c56b8fdbb0d0ed1d6f7c6801be6347c8c7e7

SHA256
fca883e1bd73cc5b445d7b43b0b487855bdbbde4dc810b61f25e7b028140f28d

SHA512
7f2dd79f7f8e4606d62cc3fa5fee24bd6753f04de37951b4769fe8c9a89a11834c55ff9df69349871ef87992d1fbf1457b2adb15d8068a6e1b942fdbc7b07009

Download Submit
\Users\Admin\AppData\Local\EH0uft0\irftp.exe

Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
\Users\Admin\AppData\Local\FZVTGiO\RDVGHelper.exe

Filesize
93KB

MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
\Users\Admin\AppData\Local\UTTi5jaar\vmicsvc.exe

Filesize
238KB

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
memory/552-96-0x000007FEF7AE0000-0x000007FEF7C11000-memory.dmp

Filesize
1.2MB

Download
memory/552-90-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1040-78-0x000007FEF7AE0000-0x000007FEF7C11000-memory.dmp

Filesize
1.2MB

Download
memory/1040-73-0x000007FEF7AE0000-0x000007FEF7C11000-memory.dmp

Filesize
1.2MB

Download
memory/1040-72-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1200-27-0x0000000077720000-0x0000000077722000-memory.dmp

Filesize
8KB

Download
memory/1200-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-38-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-4-0x0000000077486000-0x0000000077487000-memory.dmp

Filesize
4KB

Download
memory/1200-46-0x0000000077486000-0x0000000077487000-memory.dmp

Filesize
4KB

Download
memory/1200-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-5-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/1200-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-26-0x0000000077591000-0x0000000077592000-memory.dmp

Filesize
4KB

Download
memory/1200-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-25-0x0000000002610000-0x0000000002617000-memory.dmp

Filesize
28KB

Download
memory/1200-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2600-60-0x000007FEF6CA0000-0x000007FEF6DD1000-memory.dmp

Filesize
1.2MB

Download
memory/2600-55-0x000007FEF6CA0000-0x000007FEF6DD1000-memory.dmp

Filesize
1.2MB

Download
memory/2600-54-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2688-0-0x000007FEF7AF0000-0x000007FEF7C20000-memory.dmp

Filesize
1.2MB

Download
memory/2688-45-0x000007FEF7AF0000-0x000007FEF7C20000-memory.dmp

Filesize
1.2MB

Download
memory/2688-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download