dridex | 624fd6a2c2a29a89d845271773a63a2950d9e12759de4910e0dd2ad5685e8476

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d61f5b5b8dafce129496a33195e5842b_JaffaCakes118.dll
Size

1.1MB
MD5

d61f5b5b8dafce129496a33195e5842b
SHA1

c165d40db3e1414e961795118dece8d52b686e81
SHA256

624fd6a2c2a29a89d845271773a63a2950d9e12759de4910e0dd2ad5685e8476
SHA512

0929356ae9dc07a9e06f109da209500a440fa60411f34ae6bce955ce44e7642e8dea450049bd3cd5ff7ed1ad37eeba294091d1ec6ea8eb8c1f4e7804f87f7546
SSDEEP

12288:tdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0TGu:DMIJxSDX3bqjhcfHk7MzH6zl

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1184-4-0x0000000002520000-0x0000000002521000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2264-0-0x0000000140000000-0x0000000140117000-memory.dmp	dridex_payload
behavioral1/memory/1184-57-0x0000000140000000-0x0000000140117000-memory.dmp	dridex_payload
behavioral1/memory/1184-56-0x0000000140000000-0x0000000140117000-memory.dmp	dridex_payload
behavioral1/memory/1184-45-0x0000000140000000-0x0000000140117000-memory.dmp	dridex_payload
behavioral1/memory/2264-65-0x0000000140000000-0x0000000140117000-memory.dmp	dridex_payload
behavioral1/memory/2916-74-0x0000000140000000-0x0000000140118000-memory.dmp	dridex_payload
behavioral1/memory/2916-79-0x0000000140000000-0x0000000140118000-memory.dmp	dridex_payload
behavioral1/memory/1608-96-0x0000000140000000-0x0000000140118000-memory.dmp	dridex_payload
behavioral1/memory/1908-112-0x0000000140000000-0x0000000140118000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

OptionalFeatures.exevmicsvc.exedwm.exe

pid	Process
2916	OptionalFeatures.exe
1608	vmicsvc.exe
1908	dwm.exe

Loads dropped DLL 7 IoCs

Processes:

OptionalFeatures.exevmicsvc.exedwm.exe

pid	Process
1184
2916	OptionalFeatures.exe
1184
1608	vmicsvc.exe
1184
1908	dwm.exe
1184

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\PYIFIL~1\\vmicsvc.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

vmicsvc.exedwm.exeOptionalFeatures.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	Process
2264	regsvr32.exe
2264	regsvr32.exe
2264	regsvr32.exe
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1184 wrote to memory of 2876	1184	30
PID 1184 wrote to memory of 2876	1184	30
PID 1184 wrote to memory of 2876	1184	30
PID 1184 wrote to memory of 2916	1184	31
PID 1184 wrote to memory of 2916	1184	31
PID 1184 wrote to memory of 2916	1184	31
PID 1184 wrote to memory of 828	1184	32
PID 1184 wrote to memory of 828	1184	32
PID 1184 wrote to memory of 828	1184	32
PID 1184 wrote to memory of 1608	1184	33
PID 1184 wrote to memory of 1608	1184	33
PID 1184 wrote to memory of 1608	1184	33
PID 1184 wrote to memory of 2324	1184	34
PID 1184 wrote to memory of 2324	1184	34
PID 1184 wrote to memory of 2324	1184	34
PID 1184 wrote to memory of 1908	1184	35
PID 1184 wrote to memory of 1908	1184	35
PID 1184 wrote to memory of 1908	1184	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d61f5b5b8dafce129496a33195e5842b_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:2876

C:\Users\Admin\AppData\Local\ni4v\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\ni4v\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2916

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:828

C:\Users\Admin\AppData\Local\EynmgLPh\vmicsvc.exe
C:\Users\Admin\AppData\Local\EynmgLPh\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1608

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:2324

C:\Users\Admin\AppData\Local\wEVxQh\dwm.exe
C:\Users\Admin\AppData\Local\wEVxQh\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EynmgLPh\ACTIVEDS.dll

Filesize
1.1MB

MD5
c35e5173f35734a15ac9e239f4089743

SHA1
ffda25d9c3610598fc417e7395fbd5241121a739

SHA256
5e76bab42fdff1993f2f823a8825da69b08f8b92acbf01c4677aa1e5573c590c

SHA512
158fcd751026142ba9f43f2f68f9ef53762400efb2c1a17a3974b05d8b6ff3d2baa42e50f576007439fa578642493d28ce5ca57ba2248606cd85899d8fd36b02

Download Submit
C:\Users\Admin\AppData\Local\ni4v\appwiz.cpl

Filesize
1.1MB

MD5
38da1f266a8d18f40c08262b9d6eb7e8

SHA1
43b132dd9bbd46a698058d481b3b28f11bf7278d

SHA256
1e3fdbb79fcc08737e6314db822e77f50623711d7e7e582905ae154661d677cf

SHA512
3830ccaf630da2140644d3186f275051fd1dc8202af65ba85609311172b12d6a6829354fed2ae2b82cc2016cb2c22b94ea41479646246d8790118e9d442a42f4

Download Submit
C:\Users\Admin\AppData\Local\wEVxQh\UxTheme.dll

Filesize
1.1MB

MD5
2bc74fbdcfd0507e8b3ddd6ec7d75ac7

SHA1
b93e068fa393c567fbfc4a4daf78351cc5fffcee

SHA256
7528e661dcaae2c8f56b7f7d1f7d4a386f011d906155d52fc10dc971b2a213d8

SHA512
3ee455948f947ba77cdec91afd143ad2eb5329e361566e6a538e00ceda4fdeaca30d2e9e4b9d4275335d82df19dda3cee4ef238b6b5b447057d6cd430d122787

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
1KB

MD5
996bf322670808fc970b8dcdd22f1ea2

SHA1
988e49a3f0a65f2d62a2667b83d388de0266c1d6

SHA256
6e10db394d751721dbcb8c7d82a946a7968b0668583b202241938267d359abfb

SHA512
fd361e20ae40f1d59f0f17584e83b4d749e37e6948cb73f1953308606233f85c4fbbe413e5d23c45afbc913522b4f7f6820b72d58bb39ac3398ef24f598407c0

Download Submit
\Users\Admin\AppData\Local\EynmgLPh\vmicsvc.exe

Filesize
238KB

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
\Users\Admin\AppData\Local\ni4v\OptionalFeatures.exe

Filesize
95KB

MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
\Users\Admin\AppData\Local\wEVxQh\dwm.exe

Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
memory/1184-33-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-29-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-7-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-6-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-13-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-20-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-19-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-18-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-17-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-16-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-15-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-14-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-57-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-56-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-47-0x00000000778E0000-0x00000000778E2000-memory.dmp

Filesize
8KB

Download
memory/1184-46-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/1184-45-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-44-0x0000000002500000-0x0000000002507000-memory.dmp

Filesize
28KB

Download
memory/1184-36-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-35-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-34-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-3-0x0000000077546000-0x0000000077547000-memory.dmp

Filesize
4KB

Download
memory/1184-32-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-31-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-30-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-8-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-28-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-27-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-26-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-25-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-24-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-23-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-22-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-21-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-4-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1184-66-0x0000000077546000-0x0000000077547000-memory.dmp

Filesize
4KB

Download
memory/1184-9-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-10-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-12-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1184-11-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/1608-93-0x0000000000020000-0x0000000000027000-memory.dmp

Filesize
28KB

Download
memory/1608-96-0x0000000140000000-0x0000000140118000-memory.dmp

Filesize
1.1MB

Download
memory/1908-111-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1908-112-0x0000000140000000-0x0000000140118000-memory.dmp

Filesize
1.1MB

Download
memory/2264-65-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/2264-0-0x0000000140000000-0x0000000140117000-memory.dmp

Filesize
1.1MB

Download
memory/2264-2-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2916-79-0x0000000140000000-0x0000000140118000-memory.dmp

Filesize
1.1MB

Download
memory/2916-74-0x0000000140000000-0x0000000140118000-memory.dmp

Filesize
1.1MB

Download
memory/2916-76-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download