dridex | f8dee334edc64c7632389ce96664ef1abdedd74e8aa1f499f08e238dd913dba4

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd883d954444136909950a6421d4dd98_JaffaCakes118.dll
Size

1.2MB
MD5

bd883d954444136909950a6421d4dd98
SHA1

fbdc18ca772d8ddd7c2304e52ed35c2c98769d42
SHA256

f8dee334edc64c7632389ce96664ef1abdedd74e8aa1f499f08e238dd913dba4
SHA512

9adef86f3bc2f49ecae239cbd5f24ae5dbd7811ca8ba0cd6cf15cbe06d62ebc0e22719b5834fee5c0c7cf1f1b14add43c5ab4dd751040799d7f0ea1eb312d65d
SSDEEP

24576:rVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:rV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1176-5-0x00000000024D0000-0x00000000024D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesProtection.exespinstall.exexpsrchvw.exe

pid	Process
2652	SystemPropertiesProtection.exe
344	spinstall.exe
2852	xpsrchvw.exe

Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesProtection.exespinstall.exexpsrchvw.exe

pid	Process
1176
2652	SystemPropertiesProtection.exe
1176
344	spinstall.exe
1176
2852	xpsrchvw.exe
1176

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Neewpjodwhuy = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\AFjYewz\\SPINST~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spinstall.exexpsrchvw.exerundll32.exeSystemPropertiesProtection.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spinstall.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176
1176

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1176 wrote to memory of 2928	1176	31
PID 1176 wrote to memory of 2928	1176	31
PID 1176 wrote to memory of 2928	1176	31
PID 1176 wrote to memory of 2652	1176	32
PID 1176 wrote to memory of 2652	1176	32
PID 1176 wrote to memory of 2652	1176	32
PID 1176 wrote to memory of 704	1176	33
PID 1176 wrote to memory of 704	1176	33
PID 1176 wrote to memory of 704	1176	33
PID 1176 wrote to memory of 344	1176	34
PID 1176 wrote to memory of 344	1176	34
PID 1176 wrote to memory of 344	1176	34
PID 1176 wrote to memory of 780	1176	35
PID 1176 wrote to memory of 780	1176	35
PID 1176 wrote to memory of 780	1176	35
PID 1176 wrote to memory of 2852	1176	36
PID 1176 wrote to memory of 2852	1176	36
PID 1176 wrote to memory of 2852	1176	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd883d954444136909950a6421d4dd98_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1648

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:2928

C:\Users\Admin\AppData\Local\4Gc5df1W\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\4Gc5df1W\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2652

C:\Windows\system32\spinstall.exe
C:\Windows\system32\spinstall.exe
1⤵
PID:704

C:\Users\Admin\AppData\Local\OzdRvs1d\spinstall.exe
C:\Users\Admin\AppData\Local\OzdRvs1d\spinstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:344

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:780

C:\Users\Admin\AppData\Local\V6IO1rm\xpsrchvw.exe
C:\Users\Admin\AppData\Local\V6IO1rm\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4Gc5df1W\SYSDM.CPL

Filesize
1.2MB

MD5
1ad5a36d03cc54aeaba40177583921d8

SHA1
f051063d2c109758485abf3c92cb66066fd71564

SHA256
e9ab8a0c7980e8173713f2946a4d041e81b062b72c69868e88bb61fac893e5c7

SHA512
8b932544fb468d783499882b24cea9904f8d97e60bb2e09bd5590c79d9317ccbc97787a69d5f774dfeca587f3ed3d6aa198df61bf0ce9f67ec3b2aae5f214d8a

Download Submit
C:\Users\Admin\AppData\Local\OzdRvs1d\WINBRAND.dll

Filesize
1.2MB

MD5
131555fd662401ce9a80578f7372d546

SHA1
575b23fe2c8fa00b0bc200d5bf922280148754bc

SHA256
385dca92ece9eb3dd71d1c954bfcde37704dc4c70bafae202e4a60fc01ffdcd2

SHA512
bc38fc84ede3f20af9c3cdcae9cc9f793a6fe9f1f604de1f8abed3d4fe49034c725e6d92f766886b11a87544c1967cc8a9190e1244aa809ab5abed41d8b173cd

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ngqpewzrrtyksiv.lnk

Filesize
1KB

MD5
2e9fac474481621c6a7906580d045636

SHA1
176b3a288d162af1c9db29a356e258c84f2cad96

SHA256
17fe85e73c35312d9dd2c9d0aa012f63a89e13227872bcf6f0641193a34bccb6

SHA512
5a3d8c7238ada27377082d9f26dbd3fdbbd404e153e7366530fd0736e2e6fc1f4b57948c69560bafde7bcd0021d58141236c2ef1821497077a5c4b3c292cc7f1

Download Submit
\Users\Admin\AppData\Local\4Gc5df1W\SystemPropertiesProtection.exe

Filesize
80KB

MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Local\OzdRvs1d\spinstall.exe

Filesize
584KB

MD5
29c1d5b330b802efa1a8357373bc97fe

SHA1
90797aaa2c56fc2a667c74475996ea1841bc368f

SHA256
048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

SHA512
66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

Download Submit
\Users\Admin\AppData\Local\V6IO1rm\WINMM.dll

Filesize
1.2MB

MD5
a3fb9d53ac5038a77555517bdbda3bba

SHA1
f33715698dd9216d89590fc42dfd2c3303171922

SHA256
d1eadcfb7f0e7a50150ebb29d9968f0d12cf7cf7bce7ac36c4afdc688ffeb313

SHA512
24fef6b3a7ef1818b1393941f2e3d3aa643e192ea1691d458c370efde8ebb32f3686fa1693ead6625f4cb8f645adf4f0fbab6606ac2b30c4d34f2f81f264f5e5

Download Submit
\Users\Admin\AppData\Local\V6IO1rm\xpsrchvw.exe

Filesize
4.6MB

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
memory/344-81-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/344-75-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1176-27-0x0000000077421000-0x0000000077422000-memory.dmp

Filesize
4KB

Download
memory/1176-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1176-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1176-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1176-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1176-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1176-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1176-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1176-28-0x00000000775B0000-0x00000000775B2000-memory.dmp

Filesize
8KB

Download
memory/1176-37-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1176-38-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1176-4-0x0000000077216000-0x0000000077217000-memory.dmp

Filesize
4KB

Download
memory/1176-47-0x0000000077216000-0x0000000077217000-memory.dmp

Filesize
4KB

Download
memory/1176-5-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1176-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1176-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1176-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1176-26-0x00000000024B0000-0x00000000024B7000-memory.dmp

Filesize
28KB

Download
memory/1176-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1648-0-0x0000000001E00000-0x0000000001E07000-memory.dmp

Filesize
28KB

Download
memory/1648-46-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1648-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2652-61-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2652-56-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2652-55-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2852-93-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2852-97-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download