dridex | 8d46559c1484cdb308e3dbf6daf26b638c4a1f9c5b7f1ae5b45b1eed697b7f05

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af5c2d09865cacfddffbd020fab2f575_JaffaCakes118.dll
Size

1.2MB
MD5

af5c2d09865cacfddffbd020fab2f575
SHA1

403d2773b863288241f94f736194c5e014871c4e
SHA256

8d46559c1484cdb308e3dbf6daf26b638c4a1f9c5b7f1ae5b45b1eed697b7f05
SHA512

bb376f1b674507dcc41c6a8b30fd8926410adfdbb3a6f8dd9b999b90402d8a19f8499266d3c1d3305fe40d2d7095cef2e34a1f10ccfd6a73d71dd3b54eec156e
SSDEEP

24576:HuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:p9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1236-5-0x0000000002DB0000-0x0000000002DB1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rrinstaller.exedccw.exeBitLockerWizard.exe

pid	Process
480	rrinstaller.exe
2704	dccw.exe
1956	BitLockerWizard.exe

Loads dropped DLL 7 IoCs

Processes:

rrinstaller.exedccw.exeBitLockerWizard.exe

pid	Process
1236
480	rrinstaller.exe
1236
2704	dccw.exe
1236
1956	BitLockerWizard.exe
1236

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lnxdhmhg = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\GX\\dccw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerrinstaller.exedccw.exeBitLockerWizard.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2928	rundll32.exe
2928	rundll32.exe
2928	rundll32.exe
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1236 wrote to memory of 580	1236	30
PID 1236 wrote to memory of 580	1236	30
PID 1236 wrote to memory of 580	1236	30
PID 1236 wrote to memory of 480	1236	31
PID 1236 wrote to memory of 480	1236	31
PID 1236 wrote to memory of 480	1236	31
PID 1236 wrote to memory of 2492	1236	32
PID 1236 wrote to memory of 2492	1236	32
PID 1236 wrote to memory of 2492	1236	32
PID 1236 wrote to memory of 2704	1236	33
PID 1236 wrote to memory of 2704	1236	33
PID 1236 wrote to memory of 2704	1236	33
PID 1236 wrote to memory of 2804	1236	34
PID 1236 wrote to memory of 2804	1236	34
PID 1236 wrote to memory of 2804	1236	34
PID 1236 wrote to memory of 1956	1236	35
PID 1236 wrote to memory of 1956	1236	35
PID 1236 wrote to memory of 1956	1236	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\af5c2d09865cacfddffbd020fab2f575_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2928

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:580

C:\Users\Admin\AppData\Local\1G3iW\rrinstaller.exe
C:\Users\Admin\AppData\Local\1G3iW\rrinstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:480

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:2492

C:\Users\Admin\AppData\Local\3ZCqCWHB\dccw.exe
C:\Users\Admin\AppData\Local\3ZCqCWHB\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2704

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:2804

C:\Users\Admin\AppData\Local\G5BlMKTf\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\G5BlMKTf\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1G3iW\MFPlat.DLL

Filesize
1.2MB

MD5
12fdfc0a33eac387550c4261301b7595

SHA1
d78f8f256d916ed2c453a4bc21d4f0280b0374cd

SHA256
19c851f78d2ff84bf49be42863c3a3530fb42d4b91ce154c939c9897ec240322

SHA512
bca41247473e7287aba7228b07e0e85f2b060584da61747e0b3b86241cdcb62ed883b7f37b33fb90b202cfee7d62cd2d4a04852dbd0185e23d13c3429ffba204

Download Submit
C:\Users\Admin\AppData\Local\3ZCqCWHB\dxva2.dll

Filesize
1.2MB

MD5
63bd5040e4fd834d19cb29c5d6e7228e

SHA1
c333a37748408cad309288d1380c2415fee0ea22

SHA256
babf365c8023168b91e67c22b38920257d9893f85c2e40c757ccab3990685474

SHA512
94ba28f9757f5dd5fdb3dd8da3210473cbcc2811a04527ee4f8eb6c4cc7584e3637336d596e5653c63ae9d4e1526a962c53d2adab50e0161c08a9a1289b3b840

Download Submit
C:\Users\Admin\AppData\Local\G5BlMKTf\FVEWIZ.dll

Filesize
1.2MB

MD5
336f860af323ce823253e05099b0a89b

SHA1
05e2aca7d59e0e188b3baf3affd0a28e5d68d559

SHA256
6aadf2c7e93872f94888247abfd0e1fc3628eccbee385e8c36b4f79fd2fa7c60

SHA512
5dd7e24bc789443f1e168ab3eaa87280c8340e9fb49092132469baa8ce179238f8b951dc88f64006731b36f538d65d7d3b68acd49d5ec0b27f10e71b245f33c5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Filabyuswgwl.lnk

Filesize
1KB

MD5
20e0c27237e6ee695cd4075bcc0409d1

SHA1
6551c1e61d64533809313abe514745737bf2a6f2

SHA256
5d7475eb651a1f07580d1b721a283bd88b680c0886e690a66f35d68408603a86

SHA512
681a9acb5eefa2bb50c4d1cb98827263d9624f25364d44c984c75f91a025a84c6080b9efa16a4d63b15349f25089261026564c42b0137b672d52c7f1ff175434

Download Submit
\Users\Admin\AppData\Local\1G3iW\rrinstaller.exe

Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
\Users\Admin\AppData\Local\3ZCqCWHB\dccw.exe

Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
\Users\Admin\AppData\Local\G5BlMKTf\BitLockerWizard.exe

Filesize
98KB

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
memory/480-60-0x000007FEF6960000-0x000007FEF6A93000-memory.dmp

Filesize
1.2MB

Download
memory/480-55-0x000007FEF6960000-0x000007FEF6A93000-memory.dmp

Filesize
1.2MB

Download
memory/480-54-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1236-27-0x00000000779E0000-0x00000000779E2000-memory.dmp

Filesize
8KB

Download
memory/1236-46-0x0000000077746000-0x0000000077747000-memory.dmp

Filesize
4KB

Download
memory/1236-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-25-0x0000000002D90000-0x0000000002D97000-memory.dmp

Filesize
28KB

Download
memory/1236-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-4-0x0000000077746000-0x0000000077747000-memory.dmp

Filesize
4KB

Download
memory/1236-5-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/1236-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-26-0x0000000077851000-0x0000000077852000-memory.dmp

Filesize
4KB

Download
memory/1236-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1956-89-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1956-95-0x000007FEF6960000-0x000007FEF6A92000-memory.dmp

Filesize
1.2MB

Download
memory/2704-72-0x000007FEF6960000-0x000007FEF6A92000-memory.dmp

Filesize
1.2MB

Download
memory/2704-77-0x000007FEF6960000-0x000007FEF6A92000-memory.dmp

Filesize
1.2MB

Download
memory/2928-0-0x000007FEF6960000-0x000007FEF6A91000-memory.dmp

Filesize
1.2MB

Download
memory/2928-45-0x000007FEF6960000-0x000007FEF6A91000-memory.dmp

Filesize
1.2MB

Download
memory/2928-3-0x00000000002B0000-0x00000000002B7000-memory.dmp

Filesize
28KB

Download