dridex | 8ac37fc17d40290bb1bd932383ca3b99da2cf2629b2dc3efddeecd8f8cfb5e13

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c488428598c8b77ae9a87c494467e416_JaffaCakes118.dll
Size

1.2MB
MD5

c488428598c8b77ae9a87c494467e416
SHA1

d6fd46cdbec1b0f3f6465c7f823b8f8f285a37b8
SHA256

8ac37fc17d40290bb1bd932383ca3b99da2cf2629b2dc3efddeecd8f8cfb5e13
SHA512

a3e5ac2a8ed73353150f762db6e052b350c00c86678e960ef16335dbca06b10be427c43d4c59f05349c0fe30b65749d28e7b2b5feb5c1bfad128474f2a41e96d
SSDEEP

24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NYt:m9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-6-0x0000000002D40000-0x0000000002D41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

irftp.exeisoburn.exemsdtc.exe

pid	Process
2648	irftp.exe
2960	isoburn.exe
1676	msdtc.exe

Loads dropped DLL 7 IoCs

Processes:

irftp.exeisoburn.exemsdtc.exe

pid	Process
1196
2648	irftp.exe
1196
2960	isoburn.exe
1196
1676	msdtc.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qdgopofbxbljb = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Excel\\leFb\\isoburn.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

irftp.exeisoburn.exemsdtc.exerundll32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1196 wrote to memory of 2788	1196	31
PID 1196 wrote to memory of 2788	1196	31
PID 1196 wrote to memory of 2788	1196	31
PID 1196 wrote to memory of 2648	1196	32
PID 1196 wrote to memory of 2648	1196	32
PID 1196 wrote to memory of 2648	1196	32
PID 1196 wrote to memory of 2624	1196	33
PID 1196 wrote to memory of 2624	1196	33
PID 1196 wrote to memory of 2624	1196	33
PID 1196 wrote to memory of 2960	1196	34
PID 1196 wrote to memory of 2960	1196	34
PID 1196 wrote to memory of 2960	1196	34
PID 1196 wrote to memory of 1300	1196	35
PID 1196 wrote to memory of 1300	1196	35
PID 1196 wrote to memory of 1300	1196	35
PID 1196 wrote to memory of 1676	1196	36
PID 1196 wrote to memory of 1676	1196	36
PID 1196 wrote to memory of 1676	1196	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c488428598c8b77ae9a87c494467e416_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:2788

C:\Users\Admin\AppData\Local\7ETNSUk\irftp.exe
C:\Users\Admin\AppData\Local\7ETNSUk\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2648

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:2624

C:\Users\Admin\AppData\Local\0fDsExNC\isoburn.exe
C:\Users\Admin\AppData\Local\0fDsExNC\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2960

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:1300

C:\Users\Admin\AppData\Local\FL1SNT\msdtc.exe
C:\Users\Admin\AppData\Local\FL1SNT\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0fDsExNC\UxTheme.dll

Filesize
1.2MB

MD5
d88096fe2c8dc9a5f7bd09fc4f8be98c

SHA1
5ae98cd80d74e3a51f62c118a1c9c196de33c4e1

SHA256
5eb9d5d6340137f7fceee4866cdee87eef7e6469d73caac164c83be4d4c4b3a1

SHA512
923839b136ef8f1a364479ceb3e498d5c95d8a23fbba526e65c991af4ecf25888fde643fd8c38cdef8440c8da6e0762f6b37845237f6f1aaaed143c0e0b0de73

Download Submit
C:\Users\Admin\AppData\Local\0fDsExNC\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
C:\Users\Admin\AppData\Local\7ETNSUk\MFC42u.dll

Filesize
1.2MB

MD5
4b9f56d8ad7753ee6190443f3fe5872d

SHA1
558514f51df9dd3ea5d80c938b2ddc8b69eff911

SHA256
d2de89472aad1f427145d08cc3fc322472ad012c595019e3748d8da244660330

SHA512
7256816e96c3bc62367716bed7d1bb5535eeafac99fb15abf9bf524c1626c80482ec060dcccbe9a505b2936779e6ed0501aa1debd3dac6243feb4574cb28be75

Download Submit
C:\Users\Admin\AppData\Local\FL1SNT\VERSION.dll

Filesize
1.2MB

MD5
1f861927e1314746ba47cdaace7ca234

SHA1
12d0f74141311cdce9fa0c5a345e9598d8881fd4

SHA256
11f443bb788470e8e080a44b8ac93dcd2d2b3614aceab079f5d58d5a5f8d5bcc

SHA512
e6f86334709cd0588b3156aea770d15444b8e6cf04b72b06ad04b175e26da49a7247864e09d3ecaf9755b76c4f9794b1121e91996b2fb951bc0d85475ddba4b5

Download Submit
C:\Users\Admin\AppData\Local\FL1SNT\msdtc.exe

Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dzyzbjcaevupvd.lnk

Filesize
1005B

MD5
1738ecdcc3e37ff349e5f6f5d51d8be0

SHA1
847f1427b30fa147526f6d451978d53e52377ecf

SHA256
96c295f267a090460518e85d2f1e80729e2fd0aa8ca77e56970a2d5f0b3db8fb

SHA512
9b7844a16c57285fb683e543876ab472f3367d230d6187d7aed326a32f46e6b17875ed51e8ad02103ee9b8cb29564809846117b097fda136b4dd60e95ebefded

Download Submit
\Users\Admin\AppData\Local\7ETNSUk\irftp.exe

Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
memory/1196-22-0x0000000002D20000-0x0000000002D27000-memory.dmp

Filesize
28KB

Download
memory/1196-30-0x0000000077CF0000-0x0000000077CF2000-memory.dmp

Filesize
8KB

Download
memory/1196-4-0x0000000077A56000-0x0000000077A57000-memory.dmp

Filesize
4KB

Download
memory/1196-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-33-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-34-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-6-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/1196-29-0x0000000077B61000-0x0000000077B62000-memory.dmp

Filesize
4KB

Download
memory/1196-26-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1676-86-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1676-87-0x000007FEF6300000-0x000007FEF6432000-memory.dmp

Filesize
1.2MB

Download
memory/1676-92-0x000007FEF6300000-0x000007FEF6432000-memory.dmp

Filesize
1.2MB

Download
memory/2460-42-0x000007FEF6490000-0x000007FEF65C1000-memory.dmp

Filesize
1.2MB

Download
memory/2460-0-0x000007FEF6490000-0x000007FEF65C1000-memory.dmp

Filesize
1.2MB

Download
memory/2460-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2648-56-0x000007FEF7060000-0x000007FEF7198000-memory.dmp

Filesize
1.2MB

Download
memory/2648-50-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2648-51-0x000007FEF7060000-0x000007FEF7198000-memory.dmp

Filesize
1.2MB

Download
memory/2960-69-0x000007FEF6880000-0x000007FEF69B2000-memory.dmp

Filesize
1.2MB

Download
memory/2960-68-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2960-74-0x000007FEF6880000-0x000007FEF69B2000-memory.dmp

Filesize
1.2MB

Download