dridex | 9eee24f1910adf2f9f51d20686490ef331245fa9272895d3aba8a62f8f190c69

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b57ee7b1519ce4f80831dcedad7662fe_JaffaCakes118.dll
Size

1.2MB
MD5

b57ee7b1519ce4f80831dcedad7662fe
SHA1

772b5c112e52bb186fc006785765902f62325c87
SHA256

9eee24f1910adf2f9f51d20686490ef331245fa9272895d3aba8a62f8f190c69
SHA512

899ce395891a99312f1cb2fe1ae190456d611af9a5d56ad9a83bc8d46a8836db762566ab13703c774aaf5045e96fc06972cc5df3c5b1ef90f91d6807c2c226a6
SSDEEP

24576:0uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:s9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

PresentationSettings.execmstp.exedccw.exe

pid	Process
2592	PresentationSettings.exe
1628	cmstp.exe
112	dccw.exe

Loads dropped DLL 7 IoCs

Processes:

PresentationSettings.execmstp.exedccw.exe

pid	Process
1192
2592	PresentationSettings.exe
1192
1628	cmstp.exe
1192
112	dccw.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wqbazsgxtjodx = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\w3BkrBL9k\\cmstp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

PresentationSettings.execmstp.exedccw.exerundll32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2172	rundll32.exe
2172	rundll32.exe
2172	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1192 wrote to memory of 2556	1192	30
PID 1192 wrote to memory of 2556	1192	30
PID 1192 wrote to memory of 2556	1192	30
PID 1192 wrote to memory of 2592	1192	31
PID 1192 wrote to memory of 2592	1192	31
PID 1192 wrote to memory of 2592	1192	31
PID 1192 wrote to memory of 2900	1192	32
PID 1192 wrote to memory of 2900	1192	32
PID 1192 wrote to memory of 2900	1192	32
PID 1192 wrote to memory of 1628	1192	33
PID 1192 wrote to memory of 1628	1192	33
PID 1192 wrote to memory of 1628	1192	33
PID 1192 wrote to memory of 744	1192	34
PID 1192 wrote to memory of 744	1192	34
PID 1192 wrote to memory of 744	1192	34
PID 1192 wrote to memory of 112	1192	35
PID 1192 wrote to memory of 112	1192	35
PID 1192 wrote to memory of 112	1192	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b57ee7b1519ce4f80831dcedad7662fe_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:2556

C:\Users\Admin\AppData\Local\i2G\PresentationSettings.exe
C:\Users\Admin\AppData\Local\i2G\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2592

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:2900

C:\Users\Admin\AppData\Local\l69ZSR\cmstp.exe
C:\Users\Admin\AppData\Local\l69ZSR\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1628

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:744

C:\Users\Admin\AppData\Local\it8FuwSM\dccw.exe
C:\Users\Admin\AppData\Local\it8FuwSM\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\l69ZSR\VERSION.dll

Filesize
1.2MB

MD5
7ae2b60f4227acc581722df79bb6bae2

SHA1
c403dc3a2de0689c69b99e5e8cb606df235022b3

SHA256
4b983c93d558022ed28b88d242064a495abebc344a50b59a7980ab29b6d466c4

SHA512
d1ef7f426a8291aa9c0d97d503f427f6217d78b4deab511f3b283657894d4c91b29f882bc16285a09c993435c2a74784f5dfacab4665f144b103ee12456b6d05

Download Submit
C:\Users\Admin\AppData\Local\l69ZSR\cmstp.exe

Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk

Filesize
1KB

MD5
4eb134ce16b5a25ef6ffee8b42b8977b

SHA1
86fbb130b04858c8af1d2b6716a2b16fd9471dc0

SHA256
2bb7bbad3a69cc1571241b17a3864c07336ed3eb2b339acd0959cb94ab914dfe

SHA512
75cf841eb19553741fc548b6bcd78d3b86c67b2bf2749ddcf25e75b4e86e75f3531bd4eb57f92e8a29770089d3abbfff4bb948a56ce379f8fe95d3c1fd25ed60

Download Submit
\Users\Admin\AppData\Local\i2G\PresentationSettings.exe

Filesize
172KB

MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
\Users\Admin\AppData\Local\i2G\slc.dll

Filesize
1.2MB

MD5
f579845227ce54f7c809ee414f144892

SHA1
185061535bc81817f19b33b94b374f1e7a4bdfd3

SHA256
34dda46412a969c61232b80aab32791da37ecabf957afa49d89beeeab82649b7

SHA512
a44b59b7b42fd255b3f4e5b2872f72bf8a76c29544dc93cc5fecdf154d56bd0a39b2eb3243afa1faee4594d05650999335f02000b4ea18ede96c67cda42d56ab

Download Submit
\Users\Admin\AppData\Local\it8FuwSM\dccw.exe

Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
\Users\Admin\AppData\Local\it8FuwSM\mscms.dll

Filesize
1.2MB

MD5
9bab3d287816a8518afad61215213a12

SHA1
dd2c049ddca0696c9264c08a08ec9a120c839688

SHA256
c1cdf66b4c8086e41e807b741a4e45a92e8d3c864d352ff57bc44f13449a1d8f

SHA512
b6023d7a1102b921e70951ef2c3074df22d877e474d77fec186865d0c40376077b459f13d84951ee7c69a956b2e90cd0c99c81a343333c5847b43a57ed2a1ed7

Download Submit
memory/112-97-0x000007FEF7E00000-0x000007FEF7F33000-memory.dmp

Filesize
1.2MB

Download
memory/112-91-0x000007FEF7E00000-0x000007FEF7F33000-memory.dmp

Filesize
1.2MB

Download
memory/112-94-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1192-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-4-0x0000000077976000-0x0000000077977000-memory.dmp

Filesize
4KB

Download
memory/1192-29-0x0000000077B81000-0x0000000077B82000-memory.dmp

Filesize
4KB

Download
memory/1192-26-0x0000000002B80000-0x0000000002B87000-memory.dmp

Filesize
28KB

Download
memory/1192-25-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-17-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-30-0x0000000077D10000-0x0000000077D12000-memory.dmp

Filesize
8KB

Download
memory/1192-37-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-38-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-47-0x0000000077976000-0x0000000077977000-memory.dmp

Filesize
4KB

Download
memory/1192-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-5-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1192-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1192-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1628-76-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1628-73-0x000007FEF7E30000-0x000007FEF7F63000-memory.dmp

Filesize
1.2MB

Download
memory/1628-79-0x000007FEF7E30000-0x000007FEF7F63000-memory.dmp

Filesize
1.2MB

Download
memory/2172-0-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2172-46-0x000007FEF7E20000-0x000007FEF7F52000-memory.dmp

Filesize
1.2MB

Download
memory/2172-1-0x000007FEF7E20000-0x000007FEF7F52000-memory.dmp

Filesize
1.2MB

Download
memory/2592-61-0x000007FEF7F60000-0x000007FEF8093000-memory.dmp

Filesize
1.2MB

Download
memory/2592-56-0x000007FEF7F60000-0x000007FEF8093000-memory.dmp

Filesize
1.2MB

Download
memory/2592-55-0x0000000001AC0000-0x0000000001AC7000-memory.dmp

Filesize
28KB

Download