dridex | b60a23eefd0b5d0fd235560023c71b4370ebd54e66785b7d30647e974ff29ada

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac0d85bfe7f5dfb252cbd397cf450e04_JaffaCakes118.dll
Size

1.2MB
MD5

ac0d85bfe7f5dfb252cbd397cf450e04
SHA1

c0b7faa33688049c254764a8b918a7643ed1205c
SHA256

b60a23eefd0b5d0fd235560023c71b4370ebd54e66785b7d30647e974ff29ada
SHA512

f6bff5dc86b31140b866b443c9a26f40b907f737611b9a08b70de894a7b3d97d82040d8014071ddc3b6f12c0a83bf053555d1918b1f184bb6b35d3838a0e4d6d
SSDEEP

24576:muYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:G9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1212-5-0x00000000024F0000-0x00000000024F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dialer.exewusa.exenotepad.exe

pid	Process
2776	dialer.exe
1444	wusa.exe
2252	notepad.exe

Loads dropped DLL 7 IoCs

Processes:

dialer.exewusa.exenotepad.exe

pid	Process
1212
2776	dialer.exe
1212
1444	wusa.exe
1212
2252	notepad.exe
1212

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkmfyiwmvqjxba = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\sys\\RFHC8O~1\\wusa.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedialer.exewusa.exenotepad.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2540	rundll32.exe
2540	rundll32.exe
2540	rundll32.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1212 wrote to memory of 2716	1212	29
PID 1212 wrote to memory of 2716	1212	29
PID 1212 wrote to memory of 2716	1212	29
PID 1212 wrote to memory of 2776	1212	30
PID 1212 wrote to memory of 2776	1212	30
PID 1212 wrote to memory of 2776	1212	30
PID 1212 wrote to memory of 2620	1212	31
PID 1212 wrote to memory of 2620	1212	31
PID 1212 wrote to memory of 2620	1212	31
PID 1212 wrote to memory of 1444	1212	32
PID 1212 wrote to memory of 1444	1212	32
PID 1212 wrote to memory of 1444	1212	32
PID 1212 wrote to memory of 2268	1212	33
PID 1212 wrote to memory of 2268	1212	33
PID 1212 wrote to memory of 2268	1212	33
PID 1212 wrote to memory of 2252	1212	34
PID 1212 wrote to memory of 2252	1212	34
PID 1212 wrote to memory of 2252	1212	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac0d85bfe7f5dfb252cbd397cf450e04_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2540

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:2716

C:\Users\Admin\AppData\Local\iwdl1i\dialer.exe
C:\Users\Admin\AppData\Local\iwdl1i\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2776

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:2620

C:\Users\Admin\AppData\Local\RmrTH\wusa.exe
C:\Users\Admin\AppData\Local\RmrTH\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1444

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:2268

C:\Users\Admin\AppData\Local\i4eDi\notepad.exe
C:\Users\Admin\AppData\Local\i4eDi\notepad.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\RmrTH\WTSAPI32.dll

Filesize
1.2MB

MD5
ad8648cda7b539fe9e811bb2a5c67326

SHA1
8b5fd82ceead81b5b1a8ae7bdb67fdab3d93a2e5

SHA256
1cb4663dcc8bbad5a0fc40d71cee82e713b355cc9111a4aade6a89e786cc3a54

SHA512
29e836642380bc660f912b470407962263480fb71f58e19e0f2347a37ab35a71ddcaba7dfc6483ea001dfb010c775e301a62284ce273cd7c2e4face1d9ff394e

Download Submit
C:\Users\Admin\AppData\Local\i4eDi\VERSION.dll

Filesize
1.2MB

MD5
5c7e6b4f76484a8868551e42ece076f3

SHA1
f364ac73ec107334962c2dfc572aa17954b03671

SHA256
45f4baf8b01d92b43f5769e749ac7101818c648d003d41aab5304c013194dada

SHA512
ef4e5090f226b94c625c72a1a0fb82d022df74cc49d48e6962b3a529488436cd9adf4339112059dfb7a67ea25b655bc15b585e343812c230b36b7635f1fb86c6

Download Submit
C:\Users\Admin\AppData\Local\iwdl1i\TAPI32.dll

Filesize
1.2MB

MD5
ec509320805b65c8c93282c30ec0932f

SHA1
9ee128219f619daf534df4dba41a54b878a4b0ea

SHA256
e68a9a50adec042142e95c49ce4f44c27783118a38380e4e62930cc490e24209

SHA512
91aef77f29d11a58b08f8c8b2a3a7dcc93b2ee3381b38c70c2f37a9132b3d36fae6c2ff9db4978ea7343d9e3c2a33d9c354c39b7fccbbc69cc90fabadafb632a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk

Filesize
1KB

MD5
8e03e01b2ec9f7ce8f883dc62e226d4b

SHA1
31b03ccf051e41df88cc9238fd9befe2bfc19f84

SHA256
cb7678be0af4df42ff70a648fb9e3cf3e09925302825ef0f8e0993d7a6c42af5

SHA512
6f03a3a8aaa52ee65857b028ba3869998e72b997e752279ce0ee70b59be350799cccda5efaa32daef95135aeadbf20bbbedcda867e8a0940e98216be73b689b5

Download Submit
\Users\Admin\AppData\Local\RmrTH\wusa.exe

Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
\Users\Admin\AppData\Local\i4eDi\notepad.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Local\iwdl1i\dialer.exe

Filesize
34KB

MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
memory/1212-28-0x0000000076F70000-0x0000000076F72000-memory.dmp

Filesize
8KB

Download
memory/1212-47-0x0000000076BD6000-0x0000000076BD7000-memory.dmp

Filesize
4KB

Download
memory/1212-26-0x0000000002500000-0x0000000002507000-memory.dmp

Filesize
28KB

Download
memory/1212-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-4-0x0000000076BD6000-0x0000000076BD7000-memory.dmp

Filesize
4KB

Download
memory/1212-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1212-27-0x0000000076DE1000-0x0000000076DE2000-memory.dmp

Filesize
4KB

Download
memory/1212-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1212-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1444-73-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1444-74-0x000007FEF72A0000-0x000007FEF73D2000-memory.dmp

Filesize
1.2MB

Download
memory/1444-79-0x000007FEF72A0000-0x000007FEF73D2000-memory.dmp

Filesize
1.2MB

Download
memory/2252-91-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2252-97-0x000007FEF72A0000-0x000007FEF73D2000-memory.dmp

Filesize
1.2MB

Download
memory/2540-46-0x000007FEF7290000-0x000007FEF73C1000-memory.dmp

Filesize
1.2MB

Download
memory/2540-0-0x000007FEF7290000-0x000007FEF73C1000-memory.dmp

Filesize
1.2MB

Download
memory/2540-3-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2776-61-0x000007FEF73D0000-0x000007FEF7503000-memory.dmp

Filesize
1.2MB

Download
memory/2776-57-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2776-55-0x000007FEF73D0000-0x000007FEF7503000-memory.dmp

Filesize
1.2MB

Download