dridex | e302306cb2efdb2aa9c986801e8e5b7f74a8ef7216020e69cb4048515109d09c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b67e1a99078ceeb5362a14bce73556dd_JaffaCakes118.dll
Size

1.2MB
MD5

b67e1a99078ceeb5362a14bce73556dd
SHA1

ee4555a24557d837ffd2dc0fa43179df48458700
SHA256

e302306cb2efdb2aa9c986801e8e5b7f74a8ef7216020e69cb4048515109d09c
SHA512

a7bb236f33933955dd4f274f9828bd1026b8a8ca94ebc40efec8ffcf2e3c3223c48416c212602c8aade8ec8eeedacce1cac8425908799cc7d3b539c2bdcda6ce
SSDEEP

24576:uuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:O9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1204-5-0x0000000002E00000-0x0000000002E01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2560	wusa.exe
2700	TpmInit.exe
1508	msdtc.exe

Loads dropped DLL 7 IoCs

pid	Process
1204	Process not Found
2560	wusa.exe
1204	Process not Found
2700	TpmInit.exe
1204	Process not Found
1508	msdtc.exe
1204	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tlngny = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\IEtQS8dy\\TpmInit.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TpmInit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found
1204	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2784	1204	Process not Found	31
PID 1204 wrote to memory of 2784	1204	Process not Found	31
PID 1204 wrote to memory of 2784	1204	Process not Found	31
PID 1204 wrote to memory of 2560	1204	Process not Found	32
PID 1204 wrote to memory of 2560	1204	Process not Found	32
PID 1204 wrote to memory of 2560	1204	Process not Found	32
PID 1204 wrote to memory of 2604	1204	Process not Found	33
PID 1204 wrote to memory of 2604	1204	Process not Found	33
PID 1204 wrote to memory of 2604	1204	Process not Found	33
PID 1204 wrote to memory of 2700	1204	Process not Found	34
PID 1204 wrote to memory of 2700	1204	Process not Found	34
PID 1204 wrote to memory of 2700	1204	Process not Found	34
PID 1204 wrote to memory of 1856	1204	Process not Found	35
PID 1204 wrote to memory of 1856	1204	Process not Found	35
PID 1204 wrote to memory of 1856	1204	Process not Found	35
PID 1204 wrote to memory of 1508	1204	Process not Found	36
PID 1204 wrote to memory of 1508	1204	Process not Found	36
PID 1204 wrote to memory of 1508	1204	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b67e1a99078ceeb5362a14bce73556dd_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:2784

C:\Users\Admin\AppData\Local\xeVPsQVbG\wusa.exe
C:\Users\Admin\AppData\Local\xeVPsQVbG\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2560

C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
1⤵
PID:2604

C:\Users\Admin\AppData\Local\G4GeducmA\TpmInit.exe
C:\Users\Admin\AppData\Local\G4GeducmA\TpmInit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2700

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:1856

C:\Users\Admin\AppData\Local\VKGwbm\msdtc.exe
C:\Users\Admin\AppData\Local\VKGwbm\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\G4GeducmA\Secur32.dll

Filesize
1.2MB

MD5
e5fe0033a5ee62bd4ed946d79545f525

SHA1
cb9a1f7dc5d583b1104e2201ad161aeceab4ea3d

SHA256
78839d87af09b50640f4326e231312127ab30ed2fe45a7d13599771ebe802951

SHA512
8789ece904bb7104e1e501268b8fb390dc43603e052a82f088190eb2d0f20b2441404040a6af618e6a9f878ee7d8745105a74d0228ff58f8555e4ab7dfd8cb32

Download Submit
C:\Users\Admin\AppData\Local\G4GeducmA\TpmInit.exe

Filesize
112KB

MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
C:\Users\Admin\AppData\Local\VKGwbm\VERSION.dll

Filesize
1.2MB

MD5
1d6ca56bf62e11157b86bd5829ac87b8

SHA1
de74c9d7e8d9748a6e4d4b93d73a00b829188283

SHA256
536b16b27a41b1dded3fd0fbcdc7574790847a39960fe4cd16e5d70adf96535b

SHA512
bb492dd3a1edf07ea32a9151992bbab050888bc9120bef18c43ef1893ca80f9946ce7e4416c62712a2f1094c0cf3a5ce0d8235b39b757fdcc3e9a2ba1d535b4c

Download Submit
C:\Users\Admin\AppData\Local\xeVPsQVbG\WTSAPI32.dll

Filesize
1.2MB

MD5
be60d3a38332f96ad465d3f1b06ee516

SHA1
bc2e47fb84105e6ada997ca829e40b72b12d53a5

SHA256
d0b68e79fce1f0e7ebe11fffe79848a2a68e7f27d7df4d5f0c663aa80963a418

SHA512
9f337914871c2900c5702435c57d54153a1a51b77240c1d3b47eabb30d6059f026eca6b12fd12628fbd700f0a1ed1995b83c0c944c3fc8999463b5cd86f382e0

Download Submit
C:\Users\Admin\AppData\Local\xeVPsQVbG\wusa.exe

Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mityoyoyxpr.lnk

Filesize
1KB

MD5
5e1afb630417b93c3d1efe4546ecc7c4

SHA1
6080f80333d9d987f9cc2ec57061daca18bedadb

SHA256
8a2d20654d56663fd6c0570e3c453019f35c41d7141db333f3dc5f2dbcbd1926

SHA512
1f4669f15cf04286201444a3e9d3d18f26da1c2c6c646d308d7a770411e4c77b4408b5cc2c5aa3aa22e91cdb90898d0baf7c05a4c584384be40e519d91bf5bbc

Download Submit
\Users\Admin\AppData\Local\VKGwbm\msdtc.exe

Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
memory/1204-30-0x0000000077300000-0x0000000077302000-memory.dmp

Filesize
8KB

Download
memory/1204-47-0x0000000076F66000-0x0000000076F67000-memory.dmp

Filesize
4KB

Download
memory/1204-26-0x0000000002610000-0x0000000002617000-memory.dmp

Filesize
28KB

Download
memory/1204-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-4-0x0000000076F66000-0x0000000076F67000-memory.dmp

Filesize
4KB

Download
memory/1204-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-5-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1204-29-0x0000000077171000-0x0000000077172000-memory.dmp

Filesize
4KB

Download
memory/1204-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1508-91-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1508-92-0x000007FEF5F30000-0x000007FEF6062000-memory.dmp

Filesize
1.2MB

Download
memory/1508-97-0x000007FEF5F30000-0x000007FEF6062000-memory.dmp

Filesize
1.2MB

Download
memory/2336-46-0x000007FEF60C0000-0x000007FEF61F1000-memory.dmp

Filesize
1.2MB

Download
memory/2336-0-0x0000000001ED0000-0x0000000001ED7000-memory.dmp

Filesize
28KB

Download
memory/2336-1-0x000007FEF60C0000-0x000007FEF61F1000-memory.dmp

Filesize
1.2MB

Download
memory/2560-61-0x000007FEF6FE0000-0x000007FEF7112000-memory.dmp

Filesize
1.2MB

Download
memory/2560-56-0x000007FEF6FE0000-0x000007FEF7112000-memory.dmp

Filesize
1.2MB

Download
memory/2560-55-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2700-73-0x000007FEF60C0000-0x000007FEF61F2000-memory.dmp

Filesize
1.2MB

Download
memory/2700-76-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2700-79-0x000007FEF60C0000-0x000007FEF61F2000-memory.dmp

Filesize
1.2MB

Download