dridex | fae74f1cdc0e33a7bef8b67415b052be1cccb05d1f420a1ca2e03a9928c02280

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8582e40b778541ea3445524e95735f2_JaffaCakes118.dll
Size

1.2MB
MD5

b8582e40b778541ea3445524e95735f2
SHA1

bc13cb980db1cac969ca37b8bdcf9dc7226940d5
SHA256

fae74f1cdc0e33a7bef8b67415b052be1cccb05d1f420a1ca2e03a9928c02280
SHA512

8a66492bad9431a5a928cce016d4639a011161fcd9caa35bc74cffce4dd1f73e2ed8b79cf0599128ebaa05f298bc88821751b63938d90059347dd1e4848a541a
SSDEEP

24576:DuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:t9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1244-5-0x0000000002530000-0x0000000002531000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2644	notepad.exe
540	dialer.exe
1004	sdclt.exe

Loads dropped DLL 7 IoCs

pid	Process
1244	Process not Found
2644	notepad.exe
1244	Process not Found
540	dialer.exe
1244	Process not Found
1004	sdclt.exe
1244	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qntpnaypazzlupr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\JIYI\\dialer.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	regsvr32.exe
2028	regsvr32.exe
2028	regsvr32.exe
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2764	1244	Process not Found	31
PID 1244 wrote to memory of 2764	1244	Process not Found	31
PID 1244 wrote to memory of 2764	1244	Process not Found	31
PID 1244 wrote to memory of 2644	1244	Process not Found	32
PID 1244 wrote to memory of 2644	1244	Process not Found	32
PID 1244 wrote to memory of 2644	1244	Process not Found	32
PID 1244 wrote to memory of 1792	1244	Process not Found	33
PID 1244 wrote to memory of 1792	1244	Process not Found	33
PID 1244 wrote to memory of 1792	1244	Process not Found	33
PID 1244 wrote to memory of 540	1244	Process not Found	34
PID 1244 wrote to memory of 540	1244	Process not Found	34
PID 1244 wrote to memory of 540	1244	Process not Found	34
PID 1244 wrote to memory of 332	1244	Process not Found	35
PID 1244 wrote to memory of 332	1244	Process not Found	35
PID 1244 wrote to memory of 332	1244	Process not Found	35
PID 1244 wrote to memory of 1004	1244	Process not Found	36
PID 1244 wrote to memory of 1004	1244	Process not Found	36
PID 1244 wrote to memory of 1004	1244	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b8582e40b778541ea3445524e95735f2_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:2764

C:\Users\Admin\AppData\Local\fBX2qav\notepad.exe
C:\Users\Admin\AppData\Local\fBX2qav\notepad.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2644

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:1792

C:\Users\Admin\AppData\Local\iZyAbmCQg\dialer.exe
C:\Users\Admin\AppData\Local\iZyAbmCQg\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:540

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:332

C:\Users\Admin\AppData\Local\Y4iY\sdclt.exe
C:\Users\Admin\AppData\Local\Y4iY\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Y4iY\SPP.dll

Filesize
1.2MB

MD5
752fa7602da2a13e20398516f4c725dc

SHA1
32b403fa48d6541c6cad866de51791c2b92eaafb

SHA256
c12f8c8c2cefe07efeb601d76ca5f5830463b4c0c0bcfeab406340fd1c06e30f

SHA512
9893eb3ef0b16ef47398fb9cc6960bb29d96e1ea5aff5143f4fe38c0284775db9240f938ef175e9fef21c3a519ce82dfa346cf4c5462522361f07ba0223477ea

Download Submit
C:\Users\Admin\AppData\Local\fBX2qav\VERSION.dll

Filesize
1.2MB

MD5
59d4d83382a2154adaf498335a93012f

SHA1
a7e1df292f9d2338f592d8f368125bae62b0edcd

SHA256
264242f056ae9ae10650db004380adab28b51c10a0d990d1087a6c4b6c094154

SHA512
af30363246eaa22a435abe26e1c54cd27a08c038fdcd8d9188605984c89e79201d95e498c66772094004f5cbfeb2ca49302955dbb9843ad4b702d83658e81c30

Download Submit
C:\Users\Admin\AppData\Local\fBX2qav\notepad.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
C:\Users\Admin\AppData\Local\iZyAbmCQg\TAPI32.dll

Filesize
1.2MB

MD5
8e650945ae54d9c7f14f8e5b555932e0

SHA1
b7877d706496cff10f7d212e862c3d72229b2b35

SHA256
215663cc51048af13eb031a99dc260790c971b9d9d6628bba3cee2116c1464fa

SHA512
ef3dc416789f4d3c904e37e75c95b7191a2b12ea20f4d8433a080d9b3ff3e6a59333741393b90fdfb62283fa5deb12b11935cebf6347a261f210f3aa53203027

Download Submit
C:\Users\Admin\AppData\Local\iZyAbmCQg\dialer.exe

Filesize
34KB

MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Joeqzcwrjre.lnk

Filesize
1KB

MD5
d4fe5dae5ba99d67a7df3e202d99d64d

SHA1
ae558d22578d310f3256265eb12b02091ec148c2

SHA256
5eab417b37d37459d8e7ef5a7ffe87d8a4c41a23744eb82511bddda1da863112

SHA512
6c964eafdcbd4b9abcaf4c980f0b0538e57dafda3b47d3b3600d65fd9c209c687da0695dccdf09835148123a1f3a21c211cd640b2f37dde9e05d2f827f978783

Download Submit
\Users\Admin\AppData\Local\Y4iY\sdclt.exe

Filesize
1.2MB

MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
memory/540-72-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/540-73-0x000007FEF6C90000-0x000007FEF6DC8000-memory.dmp

Filesize
1.2MB

Download
memory/540-78-0x000007FEF6C90000-0x000007FEF6DC8000-memory.dmp

Filesize
1.2MB

Download
memory/1004-90-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1004-91-0x000007FEF6C90000-0x000007FEF6DC7000-memory.dmp

Filesize
1.2MB

Download
memory/1004-96-0x000007FEF6C90000-0x000007FEF6DC7000-memory.dmp

Filesize
1.2MB

Download
memory/1244-12-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1244-15-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1244-26-0x0000000077BF1000-0x0000000077BF2000-memory.dmp

Filesize
4KB

Download
memory/1244-25-0x0000000002510000-0x0000000002517000-memory.dmp

Filesize
28KB

Download
memory/1244-24-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1244-37-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1244-36-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1244-27-0x0000000077D80000-0x0000000077D82000-memory.dmp

Filesize
8KB

Download
memory/1244-46-0x00000000779E6000-0x00000000779E7000-memory.dmp

Filesize
4KB

Download
memory/1244-9-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1244-16-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1244-4-0x00000000779E6000-0x00000000779E7000-memory.dmp

Filesize
4KB

Download
memory/1244-5-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1244-11-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1244-14-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1244-13-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1244-10-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1244-7-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1244-8-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2028-45-0x000007FEF72C0000-0x000007FEF73F6000-memory.dmp

Filesize
1.2MB

Download
memory/2028-0-0x000007FEF72C0000-0x000007FEF73F6000-memory.dmp

Filesize
1.2MB

Download
memory/2028-3-0x0000000000150000-0x0000000000157000-memory.dmp

Filesize
28KB

Download
memory/2644-60-0x000007FEF7320000-0x000007FEF7457000-memory.dmp

Filesize
1.2MB

Download
memory/2644-55-0x000007FEF7320000-0x000007FEF7457000-memory.dmp

Filesize
1.2MB

Download
memory/2644-54-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download