dridex | 480819cebdae01d450d58cd97b2a92b70f2ba4b01e92fa3c99add416e1cb4031

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-08-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cca80d9e068acff700587abcb34c5234_JaffaCakes118.dll
Size

1.2MB
MD5

cca80d9e068acff700587abcb34c5234
SHA1

d9bbd6dfafc80c3a0af3a6814abd237cebdd6c55
SHA256

480819cebdae01d450d58cd97b2a92b70f2ba4b01e92fa3c99add416e1cb4031
SHA512

a9e55710194bb7958b642231466b6ff67be5afcb0081ff6563813be380fbb672a198e70ba5d9b2eee4cc71ba5c5fb7320169d99d03eef574917c43e68d92e2a2
SSDEEP

24576:0uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nlpt:s9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1332-5-0x00000000029E0000-0x00000000029E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1240	SystemPropertiesDataExecutionPrevention.exe
2280	SystemPropertiesRemote.exe
592	Dxpserver.exe

Loads dropped DLL 7 IoCs

pid	Process
1332	Process not Found
1240	SystemPropertiesDataExecutionPrevention.exe
1332	Process not Found
2280	SystemPropertiesRemote.exe
1332	Process not Found
592	Dxpserver.exe
1332	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rjrgyymfyoxefs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\yzRNVQd9\\SystemPropertiesRemote.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2788	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found
1332	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 608	1332	Process not Found	30
PID 1332 wrote to memory of 608	1332	Process not Found	30
PID 1332 wrote to memory of 608	1332	Process not Found	30
PID 1332 wrote to memory of 1240	1332	Process not Found	31
PID 1332 wrote to memory of 1240	1332	Process not Found	31
PID 1332 wrote to memory of 1240	1332	Process not Found	31
PID 1332 wrote to memory of 2272	1332	Process not Found	32
PID 1332 wrote to memory of 2272	1332	Process not Found	32
PID 1332 wrote to memory of 2272	1332	Process not Found	32
PID 1332 wrote to memory of 2280	1332	Process not Found	33
PID 1332 wrote to memory of 2280	1332	Process not Found	33
PID 1332 wrote to memory of 2280	1332	Process not Found	33
PID 1332 wrote to memory of 2088	1332	Process not Found	34
PID 1332 wrote to memory of 2088	1332	Process not Found	34
PID 1332 wrote to memory of 2088	1332	Process not Found	34
PID 1332 wrote to memory of 592	1332	Process not Found	35
PID 1332 wrote to memory of 592	1332	Process not Found	35
PID 1332 wrote to memory of 592	1332	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cca80d9e068acff700587abcb34c5234_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2788

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:608

C:\Users\Admin\AppData\Local\uTJZKvq0\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\uTJZKvq0\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1240

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2272

C:\Users\Admin\AppData\Local\m7Wof8OPg\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\m7Wof8OPg\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2280

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:2088

C:\Users\Admin\AppData\Local\qHQA\Dxpserver.exe
C:\Users\Admin\AppData\Local\qHQA\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\m7Wof8OPg\SYSDM.CPL

Filesize
1.2MB

MD5
47cee5ccd66adccc2505bef6d8adbb94

SHA1
9f2281ad18a9936990dc631688c17bfb83f7d271

SHA256
7f40b116d972b5e7012a5c2155e219f968343517c6e9f9e41b05786c5368f698

SHA512
b1a6de0c1f53a9d61eba50d07da2c9f06f2a2beb04d65bc6b9aae4deda9c95df0daa4cce46673047c53fd14f66b27c900e3d74b4d641ee0c2848561373d59cc0

Download Submit
C:\Users\Admin\AppData\Local\qHQA\XmlLite.dll

Filesize
1.2MB

MD5
4249fc4b899ffba484fee6f215cc902c

SHA1
321e4bf6ad056e574587c5fc83a98906f45e6b95

SHA256
7d568b723a7d1567cad1516f360416c1ac72465b61798162a3a197184930051a

SHA512
ab08b6fd67bc91593b5ca7e96fddc42749fab4fff5198d8deecff843c907d312fbdad865d92476aff56a8cc9baca71e73389568ea3426cc585956d5d9c24fd52

Download Submit
C:\Users\Admin\AppData\Local\uTJZKvq0\SYSDM.CPL

Filesize
1.2MB

MD5
43217e272f474f27ad4c9e1d081bff38

SHA1
13578e768fca5b85b29864d4a080b01667e1f142

SHA256
53abe9ecfb08068295fe420cc66c65073e182a34f3c07b0625188caea153b3a7

SHA512
f4949b0efc1b665df69713191c8ee9d4e14653f0d12b6c911818eeea3b5221e9a6438f8a215f32c612684f9d7a6e479d23ca09f2061109573512dd643ab71124

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dwxzrb.lnk

Filesize
1KB

MD5
dbef6b9a5d3fee7b0fe64de661ab3f80

SHA1
b16e27ddecc7406b514c9ad860803f3dda9bfdfc

SHA256
c900a1a02f1a0cec95eecc4a7994a4e8f7f3e90a6d159d680d5a4f59022797cb

SHA512
3a6e93cef061c5f7034784604bab718238ba90e121b915f79b4cde41a08f3f72ee6b8251ee64540d131f2ba5b557d01f93da4a88b4d485e7968a00f2b64c0cd7

Download Submit
\Users\Admin\AppData\Local\m7Wof8OPg\SystemPropertiesRemote.exe

Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Local\qHQA\Dxpserver.exe

Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\uTJZKvq0\SystemPropertiesDataExecutionPrevention.exe

Filesize
80KB

MD5
e43ff7785fac643093b3b16a9300e133

SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba

SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Download Submit
memory/592-96-0x000007FEF7A60000-0x000007FEF7B91000-memory.dmp

Filesize
1.2MB

Download
memory/592-90-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/1240-60-0x000007FEF7B90000-0x000007FEF7CC1000-memory.dmp

Filesize
1.2MB

Download
memory/1240-55-0x000007FEF7B90000-0x000007FEF7CC1000-memory.dmp

Filesize
1.2MB

Download
memory/1240-54-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1332-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1332-46-0x00000000775A6000-0x00000000775A7000-memory.dmp

Filesize
4KB

Download
memory/1332-25-0x00000000029C0000-0x00000000029C7000-memory.dmp

Filesize
28KB

Download
memory/1332-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1332-29-0x0000000077940000-0x0000000077942000-memory.dmp

Filesize
8KB

Download
memory/1332-28-0x00000000777B1000-0x00000000777B2000-memory.dmp

Filesize
4KB

Download
memory/1332-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1332-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1332-4-0x00000000775A6000-0x00000000775A7000-memory.dmp

Filesize
4KB

Download
memory/1332-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1332-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1332-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1332-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1332-5-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1332-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1332-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1332-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1332-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1332-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2280-78-0x000007FEF7A60000-0x000007FEF7B91000-memory.dmp

Filesize
1.2MB

Download
memory/2280-72-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2280-73-0x000007FEF7A60000-0x000007FEF7B91000-memory.dmp

Filesize
1.2MB

Download
memory/2788-1-0x000007FEF7A70000-0x000007FEF7BA0000-memory.dmp

Filesize
1.2MB

Download
memory/2788-45-0x000007FEF7A70000-0x000007FEF7BA0000-memory.dmp

Filesize
1.2MB

Download
memory/2788-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download