dridex | 38342eb9d98ddd4a2bdc2223fb97471c186123a5f675d7c2f3291bb84e9d9f3b

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c835b2a733959689b55c54ba276ff260_JaffaCakes118.dll
Size

1.2MB
MD5

c835b2a733959689b55c54ba276ff260
SHA1

0bae1085ddd3c19f28ffa22854a1963a2f9d5750
SHA256

38342eb9d98ddd4a2bdc2223fb97471c186123a5f675d7c2f3291bb84e9d9f3b
SHA512

eadce97a5fc89ff16e63ecd33fe41b39fbf1cc9f96626a536815fa1048b367893dcc3108ff137b439fef7d5ad693c56420ca0b4b17249a9d0f3a39e407a6c5bb
SSDEEP

24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N/t:m9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1220-5-0x0000000002B00000-0x0000000002B01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dialer.exeRDVGHelper.exemsdt.exe

pid	Process
2852	dialer.exe
1272	RDVGHelper.exe
2760	msdt.exe

Loads dropped DLL 7 IoCs

Processes:

dialer.exeRDVGHelper.exemsdt.exe

pid	Process
1220
2852	dialer.exe
1220
1272	RDVGHelper.exe
1220
2760	msdt.exe
1220

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wqbazsgxtjodx = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\Q6l\\RDVGHE~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msdt.exerundll32.exedialer.exeRDVGHelper.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDVGHelper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1756	rundll32.exe
1756	rundll32.exe
1756	rundll32.exe
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1220 wrote to memory of 2776	1220	30
PID 1220 wrote to memory of 2776	1220	30
PID 1220 wrote to memory of 2776	1220	30
PID 1220 wrote to memory of 2852	1220	31
PID 1220 wrote to memory of 2852	1220	31
PID 1220 wrote to memory of 2852	1220	31
PID 1220 wrote to memory of 2928	1220	32
PID 1220 wrote to memory of 2928	1220	32
PID 1220 wrote to memory of 2928	1220	32
PID 1220 wrote to memory of 1272	1220	33
PID 1220 wrote to memory of 1272	1220	33
PID 1220 wrote to memory of 1272	1220	33
PID 1220 wrote to memory of 2604	1220	34
PID 1220 wrote to memory of 2604	1220	34
PID 1220 wrote to memory of 2604	1220	34
PID 1220 wrote to memory of 2760	1220	35
PID 1220 wrote to memory of 2760	1220	35
PID 1220 wrote to memory of 2760	1220	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c835b2a733959689b55c54ba276ff260_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1756

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:2776

C:\Users\Admin\AppData\Local\a8h6e4hwo\dialer.exe
C:\Users\Admin\AppData\Local\a8h6e4hwo\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2852

C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
1⤵
PID:2928

C:\Users\Admin\AppData\Local\mN8lTz\RDVGHelper.exe
C:\Users\Admin\AppData\Local\mN8lTz\RDVGHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1272

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:2604

C:\Users\Admin\AppData\Local\VY3s0n\msdt.exe
C:\Users\Admin\AppData\Local\VY3s0n\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\VY3s0n\Secur32.dll

Filesize
1.2MB

MD5
2151586eebecd2a5f6689a43406395fc

SHA1
8b1456c12e2dd4e5ebeb1f0e7d3ed86e2684ce2a

SHA256
bbc200b0fdd321032d039ebd5351a2687714d4d955335415ac48ab7db449e85f

SHA512
07e1f9626a462174dc9bd17acb018f76b7d773fc0b7cbadef6afa5d2a9e1f7675e4b8d07f6056bd5e5213810715cde88e828a67b4417ce7ec88e693ead95d12d

Download Submit
C:\Users\Admin\AppData\Local\VY3s0n\msdt.exe

Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
C:\Users\Admin\AppData\Local\a8h6e4hwo\TAPI32.dll

Filesize
1.2MB

MD5
0b0abd80bfb9df290017a7b2435610bd

SHA1
bc2e9b235eafa40a9f164717a1c450ce6a161598

SHA256
514cf3cb6fb8852f43a9c78e06940723d76a69d3adf1ddf9494e80de68e016da

SHA512
0d8d2e65e21f9a2065141ca0fb5793e17d0eba06be4240015bd11745a1f19a4359f350ac01df032fe26d78ea6991988814940f7445b6964c385242d382904d17

Download Submit
C:\Users\Admin\AppData\Local\a8h6e4hwo\dialer.exe

Filesize
34KB

MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
C:\Users\Admin\AppData\Local\mN8lTz\RDVGHelper.exe

Filesize
93KB

MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
C:\Users\Admin\AppData\Local\mN8lTz\WTSAPI32.dll

Filesize
1.2MB

MD5
c6b803bf514f6a8c3b5b73c5b4d24c72

SHA1
78798511a57e7847033e5241b317f49f41510f33

SHA256
01798ffdd676d57da7f242d062216b4f01e18ccae4cd8ffd6acfc7a765f0d7dd

SHA512
09410a5bf200efbcf7e363df49324c752e27677f4c811cb5c64c7e16c5adb28504d9151fbb98bf6d0b7ccf136ba8afd6a0cc6d96edd807623e497c2aec579785

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk

Filesize
1010B

MD5
52584ffd74cf293132dac62ae2d37b4c

SHA1
70e4217bac113a3155884da17e574f35af71c818

SHA256
6e45185fd760fd6ca1d45b71aaeaf1f017d5e4b30401be87bb6ca370bd2ccb3d

SHA512
688eaf577bff63d1d8794c6e995c583ba3d5924bc9fe212a12e2f6799a5c61c6251a494bf28bed0c378ad6fdfd288b1c60b14faf93efde455675444b66a99840

Download Submit
memory/1220-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-47-0x0000000077696000-0x0000000077697000-memory.dmp

Filesize
4KB

Download
memory/1220-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-26-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-28-0x0000000077A30000-0x0000000077A32000-memory.dmp

Filesize
8KB

Download
memory/1220-27-0x00000000778A1000-0x00000000778A2000-memory.dmp

Filesize
4KB

Download
memory/1220-18-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-16-0x0000000002610000-0x0000000002617000-memory.dmp

Filesize
28KB

Download
memory/1220-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-4-0x0000000077696000-0x0000000077697000-memory.dmp

Filesize
4KB

Download
memory/1220-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-5-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/1220-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1220-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1272-73-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1272-74-0x000007FEF7B50000-0x000007FEF7C82000-memory.dmp

Filesize
1.2MB

Download
memory/1272-79-0x000007FEF7B50000-0x000007FEF7C82000-memory.dmp

Filesize
1.2MB

Download
memory/1756-46-0x000007FEF7B40000-0x000007FEF7C71000-memory.dmp

Filesize
1.2MB

Download
memory/1756-1-0x000007FEF7B40000-0x000007FEF7C71000-memory.dmp

Filesize
1.2MB

Download
memory/1756-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2760-96-0x000007FEF7B50000-0x000007FEF7C82000-memory.dmp

Filesize
1.2MB

Download
memory/2852-61-0x000007FEF7C80000-0x000007FEF7DB3000-memory.dmp

Filesize
1.2MB

Download
memory/2852-56-0x000007FEF7C80000-0x000007FEF7DB3000-memory.dmp

Filesize
1.2MB

Download
memory/2852-55-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download