dridex | fc7250c2304197a28f68e088a7bb5fb90415ac996838166ce4fe4b2b797cc24a

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca3cbd4bb76e276967023dfcec4c8d65_JaffaCakes118.dll
Size

1.2MB
MD5

ca3cbd4bb76e276967023dfcec4c8d65
SHA1

11733d1ced342598f9851031bea13e9b3a1022c9
SHA256

fc7250c2304197a28f68e088a7bb5fb90415ac996838166ce4fe4b2b797cc24a
SHA512

12dec455ff2e7a04ae68b066a15683894bd6c9bb6960839b1b971a554274672f34fdd8bbc6724aedf7367cae1a62e08427ba553783c050edc3314bdb08fc5949
SSDEEP

24576:QuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NMt:A9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-5-0x00000000024F0000-0x00000000024F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ComputerDefaults.exeBdeUISrv.exespinstall.exe

pid	Process
2636	ComputerDefaults.exe
2668	BdeUISrv.exe
2672	spinstall.exe

Loads dropped DLL 7 IoCs

Processes:

ComputerDefaults.exeBdeUISrv.exespinstall.exe

pid	Process
1196
2636	ComputerDefaults.exe
1196
2668	BdeUISrv.exe
1196
2672	spinstall.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rjrgyymfyoxefs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\emSOX\\BdeUISrv.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeComputerDefaults.exeBdeUISrv.exespinstall.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComputerDefaults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spinstall.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2500	rundll32.exe
2500	rundll32.exe
2500	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1196 wrote to memory of 1856	1196	31
PID 1196 wrote to memory of 1856	1196	31
PID 1196 wrote to memory of 1856	1196	31
PID 1196 wrote to memory of 2636	1196	32
PID 1196 wrote to memory of 2636	1196	32
PID 1196 wrote to memory of 2636	1196	32
PID 1196 wrote to memory of 2388	1196	33
PID 1196 wrote to memory of 2388	1196	33
PID 1196 wrote to memory of 2388	1196	33
PID 1196 wrote to memory of 2668	1196	34
PID 1196 wrote to memory of 2668	1196	34
PID 1196 wrote to memory of 2668	1196	34
PID 1196 wrote to memory of 2936	1196	35
PID 1196 wrote to memory of 2936	1196	35
PID 1196 wrote to memory of 2936	1196	35
PID 1196 wrote to memory of 2672	1196	36
PID 1196 wrote to memory of 2672	1196	36
PID 1196 wrote to memory of 2672	1196	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca3cbd4bb76e276967023dfcec4c8d65_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Windows\system32\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
1⤵
PID:1856

C:\Users\Admin\AppData\Local\BjL\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\BjL\ComputerDefaults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2636

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:2388

C:\Users\Admin\AppData\Local\0aciVG\BdeUISrv.exe
C:\Users\Admin\AppData\Local\0aciVG\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2668

C:\Windows\system32\spinstall.exe
C:\Windows\system32\spinstall.exe
1⤵
PID:2936

C:\Users\Admin\AppData\Local\xSF\spinstall.exe
C:\Users\Admin\AppData\Local\xSF\spinstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0aciVG\WTSAPI32.dll

Filesize
1.2MB

MD5
cb7a174cf615af2c4cb7f380835b1249

SHA1
7cb8f072e9b76a6ae33134c0c97ead2548557cf4

SHA256
da1a99062eb70100d22311896b55da63c1d5fc97883739319cb0acfa49cd65a0

SHA512
ed47eabed0ecd845b8574aa98530a895ea5850d482c8a28401de54126487456032880b806c533e3f4a11b9db34d9a1e264d4ca455706f75c10da0bb2b67fdd7a

Download Submit
C:\Users\Admin\AppData\Local\BjL\appwiz.cpl

Filesize
1.2MB

MD5
74560f36954945bbeddb498289dea3bd

SHA1
f7e9495a27b2c06b4a00897b29f75cef65347c57

SHA256
34b04de02c1af011fe56832a63b78f0bd3c34f901ae3cbd9cebaf4412d7f3ddc

SHA512
3806ae7c1a3aa6fdf437feaaa4ba4546fe545b31194be4e0e56ce988925f9aea565f08214f745c5a461dff997ec5f284cd2ce65caa6e9e507c34735b96f6587c

Download Submit
C:\Users\Admin\AppData\Local\xSF\WINBRAND.dll

Filesize
1.2MB

MD5
7581ab71451a6961f3401cf8b673dee2

SHA1
854cefa6b2e3a7c2a6f2b0a750e3707ac8d592cb

SHA256
082b601c0e292412eebe20faac2ff938086c2bf60219647e58102352be0aaeea

SHA512
f4940647006d488ee31925093da08e60e4b7e8ae42c82a6f3a00602bcbacaea9b2ca3e0b02ca6eb6b2390ca7ffc46b9841eb2f9e07cbb4d1cf572386940b508d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dwxzrb.lnk

Filesize
1KB

MD5
447681c4fa6378d72f38c4d6bf010e78

SHA1
cd6a6822e40a5baa39978397f370d5790cf211b9

SHA256
5811d2fc93d56fb35d2cfe5466a7eb62a7e9cae64aec6564a0362b4081ff7512

SHA512
f0358ad5060002874257557c7308058a7a9d460dd766e701587add04fc13e1a2dee34afbd3dd849454ea9f004a414c2ddc7c12021980bc9ed44d109239bf7e27

Download Submit
\Users\Admin\AppData\Local\0aciVG\BdeUISrv.exe

Filesize
47KB

MD5
1da6b19be5d4949c868a264bc5e74206

SHA1
d5ee86ba03a03ef8c93d93accafe40461084c839

SHA256
00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

SHA512
9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

Download Submit
\Users\Admin\AppData\Local\BjL\ComputerDefaults.exe

Filesize
36KB

MD5
86bd981f55341273753ac42ea200a81e

SHA1
14fe410efc9aeb0a905b984ac27719ff0dd10ea7

SHA256
40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

SHA512
49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Download Submit
\Users\Admin\AppData\Local\xSF\spinstall.exe

Filesize
584KB

MD5
29c1d5b330b802efa1a8357373bc97fe

SHA1
90797aaa2c56fc2a667c74475996ea1841bc368f

SHA256
048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

SHA512
66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

Download Submit
memory/1196-28-0x0000000077410000-0x0000000077412000-memory.dmp

Filesize
8KB

Download
memory/1196-47-0x0000000077076000-0x0000000077077000-memory.dmp

Filesize
4KB

Download
memory/1196-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-4-0x0000000077076000-0x0000000077077000-memory.dmp

Filesize
4KB

Download
memory/1196-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1196-26-0x00000000024D0000-0x00000000024D7000-memory.dmp

Filesize
28KB

Download
memory/1196-27-0x0000000077281000-0x0000000077282000-memory.dmp

Filesize
4KB

Download
memory/1196-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2500-46-0x000007FEF5F60000-0x000007FEF6091000-memory.dmp

Filesize
1.2MB

Download
memory/2500-1-0x000007FEF5F60000-0x000007FEF6091000-memory.dmp

Filesize
1.2MB

Download
memory/2500-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2636-61-0x000007FEF69B0000-0x000007FEF6AE2000-memory.dmp

Filesize
1.2MB

Download
memory/2636-56-0x000007FEF69B0000-0x000007FEF6AE2000-memory.dmp

Filesize
1.2MB

Download
memory/2636-55-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2668-73-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2668-74-0x000007FEF5F60000-0x000007FEF6092000-memory.dmp

Filesize
1.2MB

Download
memory/2668-77-0x000007FEF5F60000-0x000007FEF6092000-memory.dmp

Filesize
1.2MB

Download
memory/2672-91-0x0000000001AA0000-0x0000000001AA7000-memory.dmp

Filesize
28KB

Download
memory/2672-95-0x000007FEF5F60000-0x000007FEF6092000-memory.dmp

Filesize
1.2MB

Download