dridex | ff1da268d8bd85b1009b4525397bac1bfa6b6fe374ffe2e30d527c6e2d1acd3e

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c41468fe40e62c704e9673588d427a42_JaffaCakes118.dll
Size

1.2MB
MD5

c41468fe40e62c704e9673588d427a42
SHA1

e093530b29fe73210618c713883b1e14cbe05bdd
SHA256

ff1da268d8bd85b1009b4525397bac1bfa6b6fe374ffe2e30d527c6e2d1acd3e
SHA512

6b1b319d4b7540ab2c66c4baa6c373f204b28d3dd7e4fc3fd5344620232581d56a2abba694acc2112a70773fe32894bae44ed77c6fdd6403e8eaa41111d388f1
SSDEEP

24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1216-5-0x00000000021B0000-0x00000000021B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

raserver.exeUI0Detect.exeperfmon.exe

pid	Process
2628	raserver.exe
2052	UI0Detect.exe
1136	perfmon.exe

Loads dropped DLL 7 IoCs

Processes:

raserver.exeUI0Detect.exeperfmon.exe

pid	Process
1216
2628	raserver.exe
1216
2052	UI0Detect.exe
1216
1136	perfmon.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tlngny = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\tsPe\\UI0DET~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

UI0Detect.exeperfmon.exerundll32.exeraserver.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UI0Detect.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1216 wrote to memory of 2860	1216	31
PID 1216 wrote to memory of 2860	1216	31
PID 1216 wrote to memory of 2860	1216	31
PID 1216 wrote to memory of 2628	1216	32
PID 1216 wrote to memory of 2628	1216	32
PID 1216 wrote to memory of 2628	1216	32
PID 1216 wrote to memory of 2256	1216	33
PID 1216 wrote to memory of 2256	1216	33
PID 1216 wrote to memory of 2256	1216	33
PID 1216 wrote to memory of 2052	1216	34
PID 1216 wrote to memory of 2052	1216	34
PID 1216 wrote to memory of 2052	1216	34
PID 1216 wrote to memory of 2876	1216	35
PID 1216 wrote to memory of 2876	1216	35
PID 1216 wrote to memory of 2876	1216	35
PID 1216 wrote to memory of 1136	1216	36
PID 1216 wrote to memory of 1136	1216	36
PID 1216 wrote to memory of 1136	1216	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c41468fe40e62c704e9673588d427a42_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2860

C:\Users\Admin\AppData\Local\0m5pQQ7\raserver.exe
C:\Users\Admin\AppData\Local\0m5pQQ7\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2628

C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\UI0Detect.exe
1⤵
PID:2256

C:\Users\Admin\AppData\Local\n0b14K\UI0Detect.exe
C:\Users\Admin\AppData\Local\n0b14K\UI0Detect.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2052

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:2876

C:\Users\Admin\AppData\Local\fK9IXf\perfmon.exe
C:\Users\Admin\AppData\Local\fK9IXf\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0m5pQQ7\WTSAPI32.dll

Filesize
1.2MB

MD5
623e4a10abcf69b9b47487e4caeda2f2

SHA1
48fe52a389120a189b5b007ad0fd04e1b1db6f57

SHA256
43936ece19951fc702ed666443c6fe08c8693180c1034e7318e1a0c8751ce7e6

SHA512
73ef2cc970310471dc3f779df86d59cc3bddccf01f512fbeeecf7fc8c265e37d5c1fd1fad5a7b756a1d68b0998726d2fae32011317ce4d0b905eab7cd7da6c28

Download Submit
C:\Users\Admin\AppData\Local\n0b14K\WTSAPI32.dll

Filesize
1.2MB

MD5
410d0bd0c1efeb4047515931a58a4a5b

SHA1
d318cd0703c93c1e9047ceab6acc9334fcb7a91a

SHA256
d771718cf20acb8224e22ceaa569e0ef9f80a41fe9f500eed9480e00d4222335

SHA512
be37bd629add931dab8027096a5ab397f53a2979f986ca86dd79c461cb80fb843307ba7dba497712c8ae7765331875eda1d756b1dc93252a3ea285c627acaf82

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mityoyoyxpr.lnk

Filesize
1KB

MD5
e9995d7fa36c7ed59ba2fa536635031e

SHA1
0173477ca0fd40b6ed24d02494546090bd982f84

SHA256
1af7116e121a5d3b149329f9f680aa1f844a2dbf4e20e61c926661c2299858dd

SHA512
f1a1dcc98e31a7ea14e9580b72e42f9a8b968d61e581e314877203a207e34d4512755319b479d1428568ca09d159eb14fadf3a778d87fbb463a4e81321d0f2ae

Download Submit
\Users\Admin\AppData\Local\0m5pQQ7\raserver.exe

Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
\Users\Admin\AppData\Local\fK9IXf\credui.dll

Filesize
1.2MB

MD5
24d7b2618bd3853f9d81acc40c3055a9

SHA1
2cac1fd9973dc5cbb5f3d9bbc91529d093ea1068

SHA256
6d002e3a33b8426811043ce1b585bede8e53bd08a69fe65bf37ad02f9fd7b732

SHA512
c8733db83610ca273263fce1a741fc73235f7007fb4aeac72ba5da8da1724c8e3cd646eeed13806f8a49306b9482664f5f26d63d97cc7d46b448054b350e6008

Download Submit
\Users\Admin\AppData\Local\fK9IXf\perfmon.exe

Filesize
168KB

MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
\Users\Admin\AppData\Local\n0b14K\UI0Detect.exe

Filesize
40KB

MD5
3cbdec8d06b9968aba702eba076364a1

SHA1
6e0fcaccadbdb5e3293aa3523ec1006d92191c58

SHA256
b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

SHA512
a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

Download Submit
memory/1136-95-0x000007FEF6060000-0x000007FEF6191000-memory.dmp

Filesize
1.2MB

Download
memory/1136-89-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1216-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-26-0x0000000076F51000-0x0000000076F52000-memory.dmp

Filesize
4KB

Download
memory/1216-27-0x00000000770E0000-0x00000000770E2000-memory.dmp

Filesize
8KB

Download
memory/1216-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-4-0x0000000076D46000-0x0000000076D47000-memory.dmp

Filesize
4KB

Download
memory/1216-46-0x0000000076D46000-0x0000000076D47000-memory.dmp

Filesize
4KB

Download
memory/1216-5-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/1216-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1216-25-0x0000000002190000-0x0000000002197000-memory.dmp

Filesize
28KB

Download
memory/1216-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1688-0-0x000007FEF6070000-0x000007FEF61A0000-memory.dmp

Filesize
1.2MB

Download
memory/1688-45-0x000007FEF6070000-0x000007FEF61A0000-memory.dmp

Filesize
1.2MB

Download
memory/1688-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2052-72-0x000007FEF6060000-0x000007FEF6191000-memory.dmp

Filesize
1.2MB

Download
memory/2052-77-0x000007FEF6060000-0x000007FEF6191000-memory.dmp

Filesize
1.2MB

Download
memory/2628-60-0x000007FEF6680000-0x000007FEF67B1000-memory.dmp

Filesize
1.2MB

Download
memory/2628-55-0x000007FEF6680000-0x000007FEF67B1000-memory.dmp

Filesize
1.2MB

Download
memory/2628-54-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download