dridex | 1420e1c8cabda4b1e776f53d3da09b518192642228c48f781ef4db55e8da11e3

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4ef573d73853151ed754c832c6b07d0_JaffaCakes118.dll
Size

1.2MB
MD5

b4ef573d73853151ed754c832c6b07d0
SHA1

5004eb22738a95e3b67020f946e585c73fc47d89
SHA256

1420e1c8cabda4b1e776f53d3da09b518192642228c48f781ef4db55e8da11e3
SHA512

b82eea4718ce1cb783f7bdcf29a3cf9bc1eeaf53624efedd0ec368588f13e473d33dcd697274a89e0201d55cbb277f97da246e3be29087351d73cbe027f0933a
SSDEEP

24576:tuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:n9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1252-5-0x0000000002990000-0x0000000002991000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dccw.exefveprompt.exedwm.exe

pid	Process
2700	dccw.exe
2488	fveprompt.exe
2096	dwm.exe

Loads dropped DLL 7 IoCs

Processes:

dccw.exefveprompt.exedwm.exe

pid	Process
1252
2700	dccw.exe
1252
2488	fveprompt.exe
1252
2096	dwm.exe
1252

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Madzpveq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\qEJR6oro\\FVEPRO~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedccw.exefveprompt.exedwm.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
828	rundll32.exe
828	rundll32.exe
828	rundll32.exe
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1252 wrote to memory of 2652	1252	30
PID 1252 wrote to memory of 2652	1252	30
PID 1252 wrote to memory of 2652	1252	30
PID 1252 wrote to memory of 2700	1252	31
PID 1252 wrote to memory of 2700	1252	31
PID 1252 wrote to memory of 2700	1252	31
PID 1252 wrote to memory of 344	1252	32
PID 1252 wrote to memory of 344	1252	32
PID 1252 wrote to memory of 344	1252	32
PID 1252 wrote to memory of 2488	1252	33
PID 1252 wrote to memory of 2488	1252	33
PID 1252 wrote to memory of 2488	1252	33
PID 1252 wrote to memory of 1684	1252	34
PID 1252 wrote to memory of 1684	1252	34
PID 1252 wrote to memory of 1684	1252	34
PID 1252 wrote to memory of 2096	1252	35
PID 1252 wrote to memory of 2096	1252	35
PID 1252 wrote to memory of 2096	1252	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4ef573d73853151ed754c832c6b07d0_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:828

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:2652

C:\Users\Admin\AppData\Local\uqjPLL8\dccw.exe
C:\Users\Admin\AppData\Local\uqjPLL8\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2700

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:344

C:\Users\Admin\AppData\Local\DLqzJh\fveprompt.exe
C:\Users\Admin\AppData\Local\DLqzJh\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2488

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:1684

C:\Users\Admin\AppData\Local\kxIQfSKX\dwm.exe
C:\Users\Admin\AppData\Local\kxIQfSKX\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DLqzJh\slc.dll

Filesize
1.2MB

MD5
70c3cdc6a88cd94bfca877b445ab033d

SHA1
3e7338f01c41372fde4a8c69eada19b3b2672088

SHA256
25b1904647e980a5fdd81a3d4f7e318e378b57acf14d33671c939ff81ea63625

SHA512
fbca04a94bd9fe08ae10ad2f9de45b2d2e36ccc477e2bb554cd5bc22d0ede2934c76d5b105c928f3bac0a93f05ce22c053c16b8cbc8f733af65bcc18ce8c755c

Download Submit
C:\Users\Admin\AppData\Local\kxIQfSKX\UxTheme.dll

Filesize
1.2MB

MD5
4da90da1b32962f6d047f523af6b0f0c

SHA1
e787d1756d3cf932af74fb048201496c1c504651

SHA256
d3b5393d8bbaf336917ae78da42bba95f87ee5bc63a7a414355d44b23a9b0d20

SHA512
e85d10cd09c2ebe484a75a5e1c6598c319d866caf819edba9331953d38d1dc5c15e459b75b840fa972da2dd26973e2afcd6dbf70ca2abb292b3e0adcfa1ec406

Download Submit
C:\Users\Admin\AppData\Local\uqjPLL8\mscms.dll

Filesize
1.2MB

MD5
293958095314d07a9195736c7df5acad

SHA1
54fab803864b05199b8dea1bb3b0b1a047b57f14

SHA256
64b4b1b0a4498be138bdacbe39e4f5598f0cab200d77f7861e78b66f99548b5e

SHA512
90963a25f38938066ea6d8cea30dde87fc03753c3ebf82718c1b18d08e27a80a750339be5b8a4a3b9d4d2f6ef9293ee808fa00565495a1a0504309d9ae7eeaaa

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rinzzkcfiw.lnk

Filesize
1KB

MD5
c2ee8fea7b34b88c8c2a75e504bfb7ec

SHA1
bb49cdaa7d1076cbc85a37411772e44e4195c9f5

SHA256
f9610c3e3c10a35f55f6ea60426d8e9875841e967bf6b3b60e220263a7c5d1e5

SHA512
46b7b0e5de064ff4f7dd20a479cbd22b132419c70e329942f6d5c9ebd41f9efc204c2908c3f76de2c6bd0b13b8e3fd1b1f326b7c04080cb87060ca0b57e826cb

Download Submit
\Users\Admin\AppData\Local\DLqzJh\fveprompt.exe

Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
\Users\Admin\AppData\Local\kxIQfSKX\dwm.exe

Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
\Users\Admin\AppData\Local\uqjPLL8\dccw.exe

Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
memory/828-0-0x000007FEF7DD0000-0x000007FEF7F01000-memory.dmp

Filesize
1.2MB

Download
memory/828-1-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/828-44-0x000007FEF7DD0000-0x000007FEF7F01000-memory.dmp

Filesize
1.2MB

Download
memory/1252-28-0x0000000077B80000-0x0000000077B82000-memory.dmp

Filesize
8KB

Download
memory/1252-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-26-0x0000000002200000-0x0000000002207000-memory.dmp

Filesize
28KB

Download
memory/1252-27-0x00000000779F1000-0x00000000779F2000-memory.dmp

Filesize
4KB

Download
memory/1252-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-47-0x00000000777E6000-0x00000000777E7000-memory.dmp

Filesize
4KB

Download
memory/1252-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-4-0x00000000777E6000-0x00000000777E7000-memory.dmp

Filesize
4KB

Download
memory/1252-5-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/1252-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1252-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2096-95-0x000007FEF7DD0000-0x000007FEF7F02000-memory.dmp

Filesize
1.2MB

Download
memory/2488-73-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2488-74-0x000007FEF7DD0000-0x000007FEF7F02000-memory.dmp

Filesize
1.2MB

Download
memory/2488-79-0x000007FEF7DD0000-0x000007FEF7F02000-memory.dmp

Filesize
1.2MB

Download
memory/2700-59-0x000007FEFB630000-0x000007FEFB762000-memory.dmp

Filesize
1.2MB

Download
memory/2700-58-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2700-55-0x000007FEFB630000-0x000007FEFB762000-memory.dmp

Filesize
1.2MB

Download