dridex | e19ce29247123b0510e9008cfc58ebfc1f044a10d788b56ed1aaec774735d9db

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c92e3efca093f668248b1296266083b3_JaffaCakes118.dll
Size

1.2MB
MD5

c92e3efca093f668248b1296266083b3
SHA1

3517fccb614a9acae54875fde47e75835f4c88ab
SHA256

e19ce29247123b0510e9008cfc58ebfc1f044a10d788b56ed1aaec774735d9db
SHA512

32b944dfd3c52e2b742ca82e14ebca4c7a2e441cb8f86ca9808f9d40b9f757afd4ea651291cabf0ed62beb646c092f3c553c8b5789b09207aa01561fe2af1455
SSDEEP

24576:+VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:+V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1412-5-0x0000000002700000-0x0000000002701000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sethc.exedialer.exepsr.exe

pid	Process
364	sethc.exe
2964	dialer.exe
1340	psr.exe

Loads dropped DLL 7 IoCs

Processes:

sethc.exedialer.exepsr.exe

pid	Process
1412
364	sethc.exe
1412
2964	dialer.exe
1412
1340	psr.exe
1412

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Madzpveq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\AMq\\dialer.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dialer.exepsr.exesethc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	Process
2728	regsvr32.exe
2728	regsvr32.exe
2728	regsvr32.exe
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1412 wrote to memory of 1052	1412	30
PID 1412 wrote to memory of 1052	1412	30
PID 1412 wrote to memory of 1052	1412	30
PID 1412 wrote to memory of 364	1412	31
PID 1412 wrote to memory of 364	1412	31
PID 1412 wrote to memory of 364	1412	31
PID 1412 wrote to memory of 2136	1412	32
PID 1412 wrote to memory of 2136	1412	32
PID 1412 wrote to memory of 2136	1412	32
PID 1412 wrote to memory of 2964	1412	33
PID 1412 wrote to memory of 2964	1412	33
PID 1412 wrote to memory of 2964	1412	33
PID 1412 wrote to memory of 2420	1412	34
PID 1412 wrote to memory of 2420	1412	34
PID 1412 wrote to memory of 2420	1412	34
PID 1412 wrote to memory of 1340	1412	35
PID 1412 wrote to memory of 1340	1412	35
PID 1412 wrote to memory of 1340	1412	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c92e3efca093f668248b1296266083b3_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:1052

C:\Users\Admin\AppData\Local\f1AuN\sethc.exe
C:\Users\Admin\AppData\Local\f1AuN\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:364

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:2136

C:\Users\Admin\AppData\Local\GYIOUh\dialer.exe
C:\Users\Admin\AppData\Local\GYIOUh\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2964

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:2420

C:\Users\Admin\AppData\Local\MxEfiO6\psr.exe
C:\Users\Admin\AppData\Local\MxEfiO6\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GYIOUh\TAPI32.dll

Filesize
1.2MB

MD5
0391f16b8d59de6fbb2fedd59c01f5e9

SHA1
cad2d855c0b4379bdfe18a243d3d425e4d02a123

SHA256
d05d727ce49c49a9a400a403cb5da18b79bb7d20ea28d72ffaadf198d27d479a

SHA512
8f10fa38abd31b31d5b17de60db02552c9bed65193977b1b2973e0a7b9fe596d29e45492eefb7eb650ee45d54e24d219f5c882366f423e288d11fc83d5d2bbf6

Download Submit
C:\Users\Admin\AppData\Local\GYIOUh\dialer.exe

Filesize
34KB

MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
C:\Users\Admin\AppData\Local\MxEfiO6\XmlLite.dll

Filesize
1.2MB

MD5
4af239ea040c2c37346cef43adc70955

SHA1
10b107e56f05b35fccb405c2af1708f4e83d684c

SHA256
ef570391308d055f75053fd1161d8c4defebc1fa4bfb04f02325ae86d8ddf78b

SHA512
5a939d71463b078c2ce25ad46376da1899d8e55c60f28ee3ddb6222d360489ee092a2ed95d173dee52037386d7e57ce88da90b4f6e9bc9796efc69190a080097

Download Submit
C:\Users\Admin\AppData\Local\f1AuN\UxTheme.dll

Filesize
1.2MB

MD5
134946aca336f46d6e097152d8bb2f84

SHA1
e163ddfc25115429f58affb022659f0bbc2acdff

SHA256
7d3145e5d49828449160a763e54d23303883aa896b8e2f34426f2aaf9f88a0d7

SHA512
5ce554ecb50f683a8d88991e69e4e7578c8c20e295b09070c1e0b9e9ed99dbddef035827e158e1298385b4987a5373c4cd280f52d8d03b0faf413f1bf59ca2c4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rinzzkcfiw.lnk

Filesize
984B

MD5
52708d8418d9512bf9ce9502cccca1bf

SHA1
31920b7f6a3fa77b4eb31549730b125681dbff24

SHA256
7801ba9c39262ac5447287d97f430897f65034a4fbc880a99fc583ff2afddb64

SHA512
4e5827751355bd4d9b5cdd78c0b4837058d2cf444c9647570644957122b05eec19a5d32c51403dff8dbe62b8e547cfb69e38e449add7dad38330adf942e3056a

Download Submit
\Users\Admin\AppData\Local\MxEfiO6\psr.exe

Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
\Users\Admin\AppData\Local\f1AuN\sethc.exe

Filesize
272KB

MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
memory/364-60-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/364-55-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/364-54-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1340-96-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1340-90-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1412-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1412-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1412-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1412-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1412-27-0x0000000076FF0000-0x0000000076FF2000-memory.dmp

Filesize
8KB

Download
memory/1412-37-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1412-36-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1412-4-0x0000000076C56000-0x0000000076C57000-memory.dmp

Filesize
4KB

Download
memory/1412-46-0x0000000076C56000-0x0000000076C57000-memory.dmp

Filesize
4KB

Download
memory/1412-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1412-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1412-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1412-5-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1412-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1412-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1412-25-0x00000000021E0000-0x00000000021E7000-memory.dmp

Filesize
28KB

Download
memory/1412-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1412-26-0x0000000076E61000-0x0000000076E62000-memory.dmp

Filesize
4KB

Download
memory/2728-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2728-43-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2728-1-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2964-78-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2964-73-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2964-72-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download