dridex | 2062fc2f0bab8aafd218ac4a32fe9800beed5f260675fff153d838dd2e4cbe3a

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbb016d718263e81da2ebf373f3f4f89_JaffaCakes118.dll
Size

1.2MB
MD5

dbb016d718263e81da2ebf373f3f4f89
SHA1

8e2717cb4a7925963cbbc31ef7601ca42596474a
SHA256

2062fc2f0bab8aafd218ac4a32fe9800beed5f260675fff153d838dd2e4cbe3a
SHA512

5176707394139ab0b29e06db3898b79364e88a6db95be18ac4607346aa241854f5280669810a14d858abf764414eb345b178a2877146ddb100df6b1837dd1fb4
SSDEEP

24576:7VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8R2:7V8hf6STw1ZlQauvzSq01ICe6zvmh

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1188-5-0x0000000002D40000-0x0000000002D41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SoundRecorder.exejavaws.exedwm.exe

pid	Process
2168	SoundRecorder.exe
984	javaws.exe
1720	dwm.exe

Loads dropped DLL 7 IoCs

Processes:

SoundRecorder.exejavaws.exedwm.exe

pid	Process
1188
2168	SoundRecorder.exe
1188
984	javaws.exe
1188
1720	dwm.exe
1188

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wtobeyey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\wFIXn\\javaws.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exerundll32.exeSoundRecorder.exejavaws.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoundRecorder.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaws.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1188 wrote to memory of 2904	1188	30
PID 1188 wrote to memory of 2904	1188	30
PID 1188 wrote to memory of 2904	1188	30
PID 1188 wrote to memory of 2168	1188	31
PID 1188 wrote to memory of 2168	1188	31
PID 1188 wrote to memory of 2168	1188	31
PID 1188 wrote to memory of 572	1188	33
PID 1188 wrote to memory of 572	1188	33
PID 1188 wrote to memory of 572	1188	33
PID 1188 wrote to memory of 984	1188	34
PID 1188 wrote to memory of 984	1188	34
PID 1188 wrote to memory of 984	1188	34
PID 1188 wrote to memory of 2940	1188	35
PID 1188 wrote to memory of 2940	1188	35
PID 1188 wrote to memory of 2940	1188	35
PID 1188 wrote to memory of 1720	1188	36
PID 1188 wrote to memory of 1720	1188	36
PID 1188 wrote to memory of 1720	1188	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbb016d718263e81da2ebf373f3f4f89_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
1⤵
PID:2904

C:\Users\Admin\AppData\Local\5Lwt3tld\SoundRecorder.exe
C:\Users\Admin\AppData\Local\5Lwt3tld\SoundRecorder.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2168

C:\Windows\system32\javaws.exe
C:\Windows\system32\javaws.exe
1⤵
PID:572

C:\Users\Admin\AppData\Local\feXtOc5PH\javaws.exe
C:\Users\Admin\AppData\Local\feXtOc5PH\javaws.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:984

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:2940

C:\Users\Admin\AppData\Local\0g9rz\dwm.exe
C:\Users\Admin\AppData\Local\0g9rz\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0g9rz\UxTheme.dll

Filesize
1.2MB

MD5
949e8b220d8b72e96fed7c32dcdcbf11

SHA1
3496f466dca88ce69a19402eccceb8c0b1bf4367

SHA256
77c828b191ab7424d8684e34286b12f32d30d36dc2340f6b5c5f18250b83083f

SHA512
724348c56808069b7d120c8ddfe8beceb0f2a1f885c93f1f61f74024b69732bcf826c311d679aac884aa3d04530b2c33f0858fb99834a2a82a585d7615e6a24d

Download Submit
C:\Users\Admin\AppData\Local\5Lwt3tld\UxTheme.dll

Filesize
1.2MB

MD5
5b507973c6cc5cfc8fd1d423e02b503b

SHA1
a2f0237941a1e313f1685c52d08739ca4a618664

SHA256
795c093055bfc11dfbb0b65239907c578d07d210b802ff9a031413982c5ba491

SHA512
e598497c5042162762306ffb1a733cd3bc827f3f9b2eec8676038cb2adf68a22baf94a787ca395ed15302f6cdbbb0168ac189b8381ea6db8624a536b7c2f94e4

Download Submit
C:\Users\Admin\AppData\Local\feXtOc5PH\VERSION.dll

Filesize
1.2MB

MD5
526fe2c84196979aa1fbd136f7044c78

SHA1
2593d9456c85e2c9105658823e20c1145cbf7eaa

SHA256
ba4c9649024878b1771580317bd86a52668c6859c2db6b40d80699efa9e45805

SHA512
3c872c61e230abc5fb4f53b3742c23440a72af38e263b5db9b14b4d586d8e6d58aa12874cc680d9bd5e21f60942a4f1e85a1f7f1cd51b3b51bf1be679fa0e9a0

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk

Filesize
1KB

MD5
223d80462585578f2348742a67750470

SHA1
f5a417a22cbf07fa823eb8aa376e91ffa8eb853d

SHA256
031b6fec7eef2e183ba1a5c1d2fc0ab1d5f7acf7ab56ff007b3d1d591ce585bc

SHA512
9532ef7c43f78ddbfa38a36d08ec0a4405b819ac6c696915bf4c8cfdd958bbcddce663d89e8b11c244cb94d0ac0adb9dedf24319e6989d31ebe563a3da024f1d

Download Submit
\Users\Admin\AppData\Local\0g9rz\dwm.exe

Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
\Users\Admin\AppData\Local\5Lwt3tld\SoundRecorder.exe

Filesize
139KB

MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
\Users\Admin\AppData\Local\feXtOc5PH\javaws.exe

Filesize
312KB

MD5
f94bc1a70c942621c4279236df284e04

SHA1
8f46d89c7db415a7f48ccd638963028f63df4e4f

SHA256
be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

SHA512
60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Download Submit
memory/984-77-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/984-71-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/1188-35-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1188-4-0x00000000774F6000-0x00000000774F7000-memory.dmp

Filesize
4KB

Download
memory/1188-11-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1188-10-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1188-9-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1188-28-0x0000000077890000-0x0000000077892000-memory.dmp

Filesize
8KB

Download
memory/1188-27-0x0000000077701000-0x0000000077702000-memory.dmp

Filesize
4KB

Download
memory/1188-12-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1188-36-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1188-14-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1188-45-0x00000000774F6000-0x00000000774F7000-memory.dmp

Filesize
4KB

Download
memory/1188-13-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1188-21-0x00000000025C0000-0x00000000025C7000-memory.dmp

Filesize
28KB

Download
memory/1188-5-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/1188-7-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1188-8-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1188-24-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1704-3-0x00000000003B0000-0x00000000003B7000-memory.dmp

Filesize
28KB

Download
memory/1704-44-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1704-1-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1720-89-0x0000000001E90000-0x0000000001E97000-memory.dmp

Filesize
28KB

Download
memory/1720-94-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2168-59-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2168-54-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2168-53-0x0000000001AC0000-0x0000000001AC7000-memory.dmp

Filesize
28KB

Download