dridex | 2483394b81137cb8a95584ee70556b2624b4ec757cea17624f2b17b8c975e3c6

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3f2ded942c2442b77fd47ce652bb792_JaffaCakes118.dll
Size

1.2MB
MD5

c3f2ded942c2442b77fd47ce652bb792
SHA1

b411d07b595927f4ff541b513faca778a85d38f3
SHA256

2483394b81137cb8a95584ee70556b2624b4ec757cea17624f2b17b8c975e3c6
SHA512

0926a6344d42a0f09262a7ce2e1b99f7009f8ab01b897dfde65a7e2df7e0ab192fd6f6d7b353303c10114e83d5d3d926cbd5c94e4f3ddf05b1a16231b3819977
SSDEEP

24576:iuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:q9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1188-5-0x0000000002530000-0x0000000002531000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2776	rrinstaller.exe
2736	notepad.exe
1928	EhStorAuthn.exe

Loads dropped DLL 7 IoCs

pid	Process
1188	Process not Found
2776	rrinstaller.exe
1188	Process not Found
2736	notepad.exe
1188	Process not Found
1928	EhStorAuthn.exe
1188	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcbsdqtxprcnbm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\4yIH\\notepad.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2076	rundll32.exe
2076	rundll32.exe
2076	rundll32.exe
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 3020	1188	Process not Found	31
PID 1188 wrote to memory of 3020	1188	Process not Found	31
PID 1188 wrote to memory of 3020	1188	Process not Found	31
PID 1188 wrote to memory of 2776	1188	Process not Found	32
PID 1188 wrote to memory of 2776	1188	Process not Found	32
PID 1188 wrote to memory of 2776	1188	Process not Found	32
PID 1188 wrote to memory of 2664	1188	Process not Found	33
PID 1188 wrote to memory of 2664	1188	Process not Found	33
PID 1188 wrote to memory of 2664	1188	Process not Found	33
PID 1188 wrote to memory of 2736	1188	Process not Found	34
PID 1188 wrote to memory of 2736	1188	Process not Found	34
PID 1188 wrote to memory of 2736	1188	Process not Found	34
PID 1188 wrote to memory of 2364	1188	Process not Found	35
PID 1188 wrote to memory of 2364	1188	Process not Found	35
PID 1188 wrote to memory of 2364	1188	Process not Found	35
PID 1188 wrote to memory of 1928	1188	Process not Found	36
PID 1188 wrote to memory of 1928	1188	Process not Found	36
PID 1188 wrote to memory of 1928	1188	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3f2ded942c2442b77fd47ce652bb792_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:3020

C:\Users\Admin\AppData\Local\MYDsju\rrinstaller.exe
C:\Users\Admin\AppData\Local\MYDsju\rrinstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2776

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:2664

C:\Users\Admin\AppData\Local\GPt\notepad.exe
C:\Users\Admin\AppData\Local\GPt\notepad.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2736

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:2364

C:\Users\Admin\AppData\Local\tfG\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\tfG\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GPt\VERSION.dll

Filesize
1.2MB

MD5
913de00551b4dcf062b59d383e1f35e1

SHA1
7c128d23db421c06dcc85cbff7e11e2a7bff1d43

SHA256
fe6df807fd7feecf2fb983caf46866b41d35132748c42acb007b3e6cc8c2f826

SHA512
689d0f1ee3cae3dc7ac74ef2861738e83969839f4b2b874e407c03109d6ac3a1c93354f997a541b319f83d559eb5847eaed91642dc82b1f5be6a020177e83a9b

Download Submit
C:\Users\Admin\AppData\Local\MYDsju\MFPlat.DLL

Filesize
1.2MB

MD5
1fa74c90aea9b5ba77620ea9accfc6c7

SHA1
31f1dce0d551b20abe64a92aa9ee05d1fd995c92

SHA256
35bf737b8057bfebf1ee61b749da429d1ee7e0c6df645f01d3a62fcb95796871

SHA512
24e5017a608309be9b50637c476bd7e6b1c10039914e417eb2f8d4a5a8e6e7985010bc1b51903f8f02b50fba5bd0d12736ef5e795d48e77c8e504416b94170ae

Download Submit
C:\Users\Admin\AppData\Local\tfG\UxTheme.dll

Filesize
1.2MB

MD5
a30198f3d2359d80a08abb9a19331793

SHA1
e4e52a9b3c330b3cefd0c521352dac19408d93ec

SHA256
79f30115f992264e7a5e365a45d39e4daa613baf3110e8eb128eaf7bd011844c

SHA512
52cab32a0e8a4409f49b92b67b252972c48c85289fbec837ca8aaf0ce3cec25ed3a17e5e14a066a134537d1dcccdc1e77e118b7f664273b27e40511f94a3efa3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk

Filesize
1KB

MD5
9c6373d5bd0d36a0ed199e30d9a7b246

SHA1
c8caba674691e3dff64300c648d21e37b0b4a78d

SHA256
ab2d471e13ee7be52239eb133bc43d801be4f35b31a197cf55fba985af855090

SHA512
dfc8ff68503c5b95705e3e73ff9b9640a2562982de9bc0afc02b67410bac8dc73b66b880713a84d750eb709d60184a3e0ba0038f2e4d4e117896a9ad0dda69d3

Download Submit
\Users\Admin\AppData\Local\GPt\notepad.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Local\MYDsju\rrinstaller.exe

Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
\Users\Admin\AppData\Local\tfG\EhStorAuthn.exe

Filesize
137KB

MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
memory/1188-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1188-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1188-4-0x0000000076BE6000-0x0000000076BE7000-memory.dmp

Filesize
4KB

Download
memory/1188-25-0x0000000002510000-0x0000000002517000-memory.dmp

Filesize
28KB

Download
memory/1188-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1188-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1188-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1188-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1188-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1188-26-0x0000000076DF1000-0x0000000076DF2000-memory.dmp

Filesize
4KB

Download
memory/1188-27-0x0000000076F80000-0x0000000076F82000-memory.dmp

Filesize
8KB

Download
memory/1188-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1188-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1188-5-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1188-46-0x0000000076BE6000-0x0000000076BE7000-memory.dmp

Filesize
4KB

Download
memory/1188-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1188-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1188-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1188-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1928-95-0x000007FEF5E70000-0x000007FEF5FA2000-memory.dmp

Filesize
1.2MB

Download
memory/2076-45-0x000007FEF5E70000-0x000007FEF5FA1000-memory.dmp

Filesize
1.2MB

Download
memory/2076-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2076-1-0x000007FEF5E70000-0x000007FEF5FA1000-memory.dmp

Filesize
1.2MB

Download
memory/2736-72-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2736-73-0x000007FEF5E70000-0x000007FEF5FA2000-memory.dmp

Filesize
1.2MB

Download
memory/2736-78-0x000007FEF5E70000-0x000007FEF5FA2000-memory.dmp

Filesize
1.2MB

Download
memory/2776-60-0x000007FEF5E70000-0x000007FEF5FA3000-memory.dmp

Filesize
1.2MB

Download
memory/2776-55-0x000007FEF5E70000-0x000007FEF5FA3000-memory.dmp

Filesize
1.2MB

Download
memory/2776-54-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download