dridex | 28fb620bc8c98c777202e2c78138149132c9f237f75832028a3c01fd3009398d

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3f216eeea37381852976689b9c537a8_JaffaCakes118.dll
Size

1.2MB
MD5

d3f216eeea37381852976689b9c537a8
SHA1

ba8d8d6b2319e53f8b58cf84376e15b214516aa4
SHA256

28fb620bc8c98c777202e2c78138149132c9f237f75832028a3c01fd3009398d
SHA512

ae12c4bbccd60faed5544f406f80c7be37a2aef001dd33d26069bea60d95a78b7c5807d188bcbc92e6ddbcff04584006c5a54013073dafadb0b3b9286966cb0c
SSDEEP

24576:/uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NN:B9cKrUqZWLAcUV

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002510000-0x0000000002511000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

MpSigStub.exejavaws.exeSystemPropertiesPerformance.exe

pid	Process
2648	MpSigStub.exe
3068	javaws.exe
1688	SystemPropertiesPerformance.exe

Loads dropped DLL 7 IoCs

Processes:

MpSigStub.exejavaws.exeSystemPropertiesPerformance.exe

pid	Process
1200
2648	MpSigStub.exe
1200
3068	javaws.exe
1200
1688	SystemPropertiesPerformance.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\08NTU\\javaws.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeMpSigStub.exejavaws.exeSystemPropertiesPerformance.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaws.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1200 wrote to memory of 2636	1200	30
PID 1200 wrote to memory of 2636	1200	30
PID 1200 wrote to memory of 2636	1200	30
PID 1200 wrote to memory of 2648	1200	31
PID 1200 wrote to memory of 2648	1200	31
PID 1200 wrote to memory of 2648	1200	31
PID 1200 wrote to memory of 2668	1200	32
PID 1200 wrote to memory of 2668	1200	32
PID 1200 wrote to memory of 2668	1200	32
PID 1200 wrote to memory of 3068	1200	33
PID 1200 wrote to memory of 3068	1200	33
PID 1200 wrote to memory of 3068	1200	33
PID 1200 wrote to memory of 1288	1200	34
PID 1200 wrote to memory of 1288	1200	34
PID 1200 wrote to memory of 1288	1200	34
PID 1200 wrote to memory of 1688	1200	35
PID 1200 wrote to memory of 1688	1200	35
PID 1200 wrote to memory of 1688	1200	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3f216eeea37381852976689b9c537a8_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2516

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:2636

C:\Users\Admin\AppData\Local\JzG\MpSigStub.exe
C:\Users\Admin\AppData\Local\JzG\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2648

C:\Windows\system32\javaws.exe
C:\Windows\system32\javaws.exe
1⤵
PID:2668

C:\Users\Admin\AppData\Local\7hg4KKQL\javaws.exe
C:\Users\Admin\AppData\Local\7hg4KKQL\javaws.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3068

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:1288

C:\Users\Admin\AppData\Local\Ml9F\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Ml9F\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7hg4KKQL\VERSION.dll

Filesize
1.2MB

MD5
d77e3a826a93a9a598c5df94ee8f5e08

SHA1
ccc41fb513484d838491ea00dbfbb5e41dd3f30b

SHA256
397e2c01b950e10733821452124eb4b18a480077899c497dbbdf67d22877e8f4

SHA512
f535129d7e6a09f5c2da30fce66983ed90dab9c7588c0020a5c53fffde612f24090dfe6c0321280200559312f1156762bc3fe89b5845cc360d21dbca8bd08e8a

Download Submit
C:\Users\Admin\AppData\Local\JzG\VERSION.dll

Filesize
1.2MB

MD5
c5a085c510884e2d85747d45445fed3e

SHA1
6566d0286d3575feee261c7d8412d8d26580aef7

SHA256
008bdfa3b99fc38cdab61267308f1e1b1fcb96e26f95914fb5440906e8ea54bf

SHA512
a541d30f60849491b990c278918be4ea993db352048c4768bb25f5492f4acebc7878b913d10385638fadcef84aa364ec1f6f2cba44ca7fbb3011508e6e39ea95

Download Submit
C:\Users\Admin\AppData\Local\Ml9F\SYSDM.CPL

Filesize
1.2MB

MD5
96436dc4312f5a1f6c525fb74c7f7f54

SHA1
0dca4d465787203b24fc9e58366a1fa5ab3aa675

SHA256
6e8b0a0b472a62323a0a606672ec401ddf8d6108ddbd1cf281e3e78942be6686

SHA512
d681ab63b934f6afe41e09ceb6ca388c7fc935667b45b9102feb840b3189eb4e56e49b11e4971b57345e693c1c5970cda99fb6b11903b8a0fe9a8c3a10028693

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
815B

MD5
0bf6cf8391736db2b29cc51b7670ae4d

SHA1
fa70968f3e65e95068bdab5cb86c44dd1a09b4ef

SHA256
18ef5f051f7541c136cc666a2f4127f4bb5f84210152aa963d4111fd00bcadd4

SHA512
ad0b1c6d8ad9fc01fda68b618f52c4574d3ec003ffdd9653f8341d6c13798b310d8f2fb35a7331bbc3c08a1de508fa16d8babeb148a49f2459312db69f628b8d

Download Submit
\Users\Admin\AppData\Local\7hg4KKQL\javaws.exe

Filesize
312KB

MD5
f94bc1a70c942621c4279236df284e04

SHA1
8f46d89c7db415a7f48ccd638963028f63df4e4f

SHA256
be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

SHA512
60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Download Submit
\Users\Admin\AppData\Local\JzG\MpSigStub.exe

Filesize
264KB

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
\Users\Admin\AppData\Local\Ml9F\SystemPropertiesPerformance.exe

Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
memory/1200-28-0x0000000076F20000-0x0000000076F22000-memory.dmp

Filesize
8KB

Download
memory/1200-47-0x0000000076C86000-0x0000000076C87000-memory.dmp

Filesize
4KB

Download
memory/1200-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-18-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-26-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-27-0x0000000076D91000-0x0000000076D92000-memory.dmp

Filesize
4KB

Download
memory/1200-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-17-0x00000000024F0000-0x00000000024F7000-memory.dmp

Filesize
28KB

Download
memory/1200-4-0x0000000076C86000-0x0000000076C87000-memory.dmp

Filesize
4KB

Download
memory/1200-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-5-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1200-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1200-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1688-94-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1688-97-0x000007FEF5D60000-0x000007FEF5E92000-memory.dmp

Filesize
1.2MB

Download
memory/2516-46-0x000007FEF5D60000-0x000007FEF5E91000-memory.dmp

Filesize
1.2MB

Download
memory/2516-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2516-1-0x000007FEF5D60000-0x000007FEF5E91000-memory.dmp

Filesize
1.2MB

Download
memory/2648-61-0x000007FEF64A0000-0x000007FEF65D2000-memory.dmp

Filesize
1.2MB

Download
memory/2648-56-0x000007FEF64A0000-0x000007FEF65D2000-memory.dmp

Filesize
1.2MB

Download
memory/2648-55-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/3068-73-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/3068-74-0x000007FEF5D60000-0x000007FEF5E92000-memory.dmp

Filesize
1.2MB

Download
memory/3068-79-0x000007FEF5D60000-0x000007FEF5E92000-memory.dmp

Filesize
1.2MB

Download