dridex | 85c13dbe9f69e69df02a7b9a97fdfea89e59ef6749f2594d320bb81a6b935142

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c475c91a904071b04d95d5a7014606ef_JaffaCakes118.dll
Size

1.2MB
MD5

c475c91a904071b04d95d5a7014606ef
SHA1

286435d35c1b37e4763a51151eef94b6d2daf663
SHA256

85c13dbe9f69e69df02a7b9a97fdfea89e59ef6749f2594d320bb81a6b935142
SHA512

6435bd692cfdb0027f0697b25355f393d57e627148c9776abc24c9856609dc334fd12fdd2434c120465aa84f7755a0a09ba5bf0e26c5bd5108d1a39e5cd7c01c
SSDEEP

24576:FuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:/9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1216-5-0x0000000002E20000-0x0000000002E21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msconfig.exeSystemPropertiesComputerName.exewextract.exe

pid	Process
2636	msconfig.exe
1004	SystemPropertiesComputerName.exe
2864	wextract.exe

Loads dropped DLL 7 IoCs

Processes:

msconfig.exeSystemPropertiesComputerName.exewextract.exe

pid	Process
1216
2636	msconfig.exe
1216
1004	SystemPropertiesComputerName.exe
1216
2864	wextract.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcbsdqtxprcnbm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\cBU\\SystemPropertiesComputerName.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesComputerName.exewextract.exerundll32.exemsconfig.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1216 wrote to memory of 2920	1216	30
PID 1216 wrote to memory of 2920	1216	30
PID 1216 wrote to memory of 2920	1216	30
PID 1216 wrote to memory of 2636	1216	31
PID 1216 wrote to memory of 2636	1216	31
PID 1216 wrote to memory of 2636	1216	31
PID 1216 wrote to memory of 860	1216	33
PID 1216 wrote to memory of 860	1216	33
PID 1216 wrote to memory of 860	1216	33
PID 1216 wrote to memory of 1004	1216	34
PID 1216 wrote to memory of 1004	1216	34
PID 1216 wrote to memory of 1004	1216	34
PID 1216 wrote to memory of 2672	1216	35
PID 1216 wrote to memory of 2672	1216	35
PID 1216 wrote to memory of 2672	1216	35
PID 1216 wrote to memory of 2864	1216	36
PID 1216 wrote to memory of 2864	1216	36
PID 1216 wrote to memory of 2864	1216	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c475c91a904071b04d95d5a7014606ef_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2920

C:\Users\Admin\AppData\Local\vL6BgXei\msconfig.exe
C:\Users\Admin\AppData\Local\vL6BgXei\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2636

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:860

C:\Users\Admin\AppData\Local\61UlIgA\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\61UlIgA\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1004

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:2672

C:\Users\Admin\AppData\Local\8a8IbH\wextract.exe
C:\Users\Admin\AppData\Local\8a8IbH\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\61UlIgA\SYSDM.CPL

Filesize
1.2MB

MD5
fa7c8a38201eddc34911a9014d4b179e

SHA1
677657e3a598795078d11a96b598bb65a657b6fe

SHA256
a60c3e8b22f8c69256517d0b85a0ff1e6b8224fec72923ac02399e6173eb47c3

SHA512
c5849df7fdb0869fcca25ed53cddc765f63c1b25102cab3ce103d3e6b47849c1998be6625a4c1470d0641a39201cec9c59ce11a29f61e49feb6d12551dcad351

Download Submit
C:\Users\Admin\AppData\Local\8a8IbH\VERSION.dll

Filesize
1.2MB

MD5
e50790f6d86c75ab0779b7fa2a278655

SHA1
5d364edbd522de704bad96d84f1407bd03552569

SHA256
a5c71f9ecac13789062927815e1bde8dff1f64e916e2702f0b83b2c6239ea614

SHA512
bc904a26c1e1b5064f037d5db899d14ce609f20827e14ce4a230d3f398979c7f0481db9a85f5ebee7ddc9456b99dac2eef84a35c0b192afca0070b8887a05ee0

Download Submit
C:\Users\Admin\AppData\Local\vL6BgXei\VERSION.dll

Filesize
1.2MB

MD5
32e2f96959875f12b5d7a4b8622f04ec

SHA1
258b0619033dab35b83d2092704e34dbdcccd2a6

SHA256
2b3444914e4b753266018b3d4f8570becda1522f77cb6ff6bf2c7f2bf34dbb68

SHA512
41f6875bf861d46176c6ccc2b8befe0f4421bd92f8b704690280f10240fb9ee79fa3783eeb59156cd38289f7c405aaf59aa8efc2f7b511d83de8d3380f893a04

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk

Filesize
1KB

MD5
95612d3e43d9d907263f61a8f03664b8

SHA1
0645ec64ed25f139e974f4ad68e1f88ad4788119

SHA256
eb30ab9f393943bc9877b322963f0920d02553a7bd74c9956b70d945b100f23c

SHA512
5cde89f27a734408aebb4c19f24e82d65718002d656ea2e0af99eded8acfd587a016cd78e3b310c65d5ca92c4f8ada06b721701faacea2051af37bb9fb49e57f

Download Submit
\Users\Admin\AppData\Local\61UlIgA\SystemPropertiesComputerName.exe

Filesize
80KB

MD5
bd889683916aa93e84e1a75802918acf

SHA1
5ee66571359178613a4256a7470c2c3e6dd93cfa

SHA256
0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

SHA512
9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Download Submit
\Users\Admin\AppData\Local\8a8IbH\wextract.exe

Filesize
140KB

MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
\Users\Admin\AppData\Local\vL6BgXei\msconfig.exe

Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
memory/1004-79-0x000007FEF5DF0000-0x000007FEF5F22000-memory.dmp

Filesize
1.2MB

Download
memory/1004-73-0x000007FEF5DF0000-0x000007FEF5F22000-memory.dmp

Filesize
1.2MB

Download
memory/1004-76-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1216-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-28-0x0000000076F90000-0x0000000076F92000-memory.dmp

Filesize
8KB

Download
memory/1216-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-4-0x0000000076CF6000-0x0000000076CF7000-memory.dmp

Filesize
4KB

Download
memory/1216-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-5-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/1216-47-0x0000000076CF6000-0x0000000076CF7000-memory.dmp

Filesize
4KB

Download
memory/1216-27-0x0000000076E01000-0x0000000076E02000-memory.dmp

Filesize
4KB

Download
memory/1216-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-18-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1216-26-0x0000000002E00000-0x0000000002E07000-memory.dmp

Filesize
28KB

Download
memory/2280-46-0x000007FEF5DF0000-0x000007FEF5F21000-memory.dmp

Filesize
1.2MB

Download
memory/2280-0-0x0000000001D00000-0x0000000001D07000-memory.dmp

Filesize
28KB

Download
memory/2280-1-0x000007FEF5DF0000-0x000007FEF5F21000-memory.dmp

Filesize
1.2MB

Download
memory/2636-61-0x000007FEF5A10000-0x000007FEF5B42000-memory.dmp

Filesize
1.2MB

Download
memory/2636-56-0x000007FEF5A10000-0x000007FEF5B42000-memory.dmp

Filesize
1.2MB

Download
memory/2636-55-0x0000000000430000-0x0000000000437000-memory.dmp

Filesize
28KB

Download
memory/2864-96-0x000007FEF5DF0000-0x000007FEF5F22000-memory.dmp

Filesize
1.2MB

Download