dridex | 05d450ee3454e6ca1e2b3d3adc4cf104b85d39bf4d219daa7951b2ff7d834b97

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcea7f27744c02429fdf1c007ad07bb0_JaffaCakes118.dll
Size

1.2MB
MD5

dcea7f27744c02429fdf1c007ad07bb0
SHA1

5ae352c4ae07d6327ceee302739a5ebe5ce12c81
SHA256

05d450ee3454e6ca1e2b3d3adc4cf104b85d39bf4d219daa7951b2ff7d834b97
SHA512

0a751a9187dd67c7cc3ac068737f95892bee0e67024f51d5e5041b932fb965be99cd88a73507677b5a920b375c89843741d65ce918b83c06b59e6235c1246961
SSDEEP

24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N7t:m9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1236-5-0x0000000002ED0000-0x0000000002ED1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

perfmon.exefveprompt.exeSystemPropertiesPerformance.exe

pid	Process
3016	perfmon.exe
2528	fveprompt.exe
2756	SystemPropertiesPerformance.exe

Loads dropped DLL 7 IoCs

Processes:

perfmon.exefveprompt.exeSystemPropertiesPerformance.exe

pid	Process
1236
3016	perfmon.exe
1236
2528	fveprompt.exe
1236
2756	SystemPropertiesPerformance.exe
1236

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wtobeyey = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\MjkfRjdi3ML\\fveprompt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeperfmon.exefveprompt.exeSystemPropertiesPerformance.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1236 wrote to memory of 2604	1236	30
PID 1236 wrote to memory of 2604	1236	30
PID 1236 wrote to memory of 2604	1236	30
PID 1236 wrote to memory of 3016	1236	31
PID 1236 wrote to memory of 3016	1236	31
PID 1236 wrote to memory of 3016	1236	31
PID 1236 wrote to memory of 992	1236	32
PID 1236 wrote to memory of 992	1236	32
PID 1236 wrote to memory of 992	1236	32
PID 1236 wrote to memory of 2528	1236	33
PID 1236 wrote to memory of 2528	1236	33
PID 1236 wrote to memory of 2528	1236	33
PID 1236 wrote to memory of 2532	1236	34
PID 1236 wrote to memory of 2532	1236	34
PID 1236 wrote to memory of 2532	1236	34
PID 1236 wrote to memory of 2756	1236	35
PID 1236 wrote to memory of 2756	1236	35
PID 1236 wrote to memory of 2756	1236	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dcea7f27744c02429fdf1c007ad07bb0_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:880

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:2604

C:\Users\Admin\AppData\Local\DOgoS8O2g\perfmon.exe
C:\Users\Admin\AppData\Local\DOgoS8O2g\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3016

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:992

C:\Users\Admin\AppData\Local\yImoL\fveprompt.exe
C:\Users\Admin\AppData\Local\yImoL\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2528

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:2532

C:\Users\Admin\AppData\Local\6fCP\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\6fCP\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6fCP\SYSDM.CPL

Filesize
1.2MB

MD5
f12d22192ab3cb06b729ef74d55982de

SHA1
14d80c2cbe696d944ca8f1614d3f0f28c32270cf

SHA256
fcbfaabc8e00a6c7ea3179d86484211c72cf9fec2b55385a16c31c7b5964ad28

SHA512
393e61b06be696f2c6de48fa4bf2116275a3fa6f1ca3a4cfb5b78eb2b1678533ee72521d0f344e364455883481fa48becb975cce9022970c391e9e40171e5656

Download Submit
C:\Users\Admin\AppData\Local\DOgoS8O2g\credui.dll

Filesize
1.2MB

MD5
f67b6c50ef1723f9a210d46c8b1c1127

SHA1
007e2e20a50d1ae7771539032e3a93e1227aacc6

SHA256
aaf57e92797cecaeda48fdebd60890227f7297a905925a1fd71823627ae5e3d0

SHA512
86819a36fd529a495778a46afcc2a71957bc00def1e18b97a19b31a66f830a5bb9784fc99a5594e516773dec15a8afc09fe23d7a77be7f4d8a0e0def84ce1aa6

Download Submit
C:\Users\Admin\AppData\Local\DOgoS8O2g\perfmon.exe

Filesize
168KB

MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
C:\Users\Admin\AppData\Local\yImoL\slc.dll

Filesize
1.2MB

MD5
c53764d7d944ee93df3b73887752d520

SHA1
d4ddc8c60b2a5172398a2fbc317a98b1fc12feb3

SHA256
89fe464e84404e7543759cef780de3efe1ac914c226cc0acfef81c8d53ea3281

SHA512
f6067609f32bf04c474ec810fa05bb893d23cfef4ce649ca602a82722b89a973e0979cac084338edcf7ffa2308aa3426c4139d59603252e0e876295fdd384c0b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk

Filesize
1KB

MD5
8d6cebfe690d64a24d387230e0bbf187

SHA1
880751157769dd116e5fec13d5e6515b44fcadf6

SHA256
35066b5dc812712366e2f0008b6719c9143ddefeb3405931ea348af5336df219

SHA512
745b7ce15b9008d3289e3f527681b7507cf973b6591a970f0f56deb4400f399dc52a02e65b5643cfb5a57ae6ebad1260eb4429900b9005f1bbe3ff77078e7bf4

Download Submit
\Users\Admin\AppData\Local\6fCP\SystemPropertiesPerformance.exe

Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
\Users\Admin\AppData\Local\yImoL\fveprompt.exe

Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
memory/880-0-0x000007FEF77F0000-0x000007FEF7921000-memory.dmp

Filesize
1.2MB

Download
memory/880-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/880-46-0x000007FEF77F0000-0x000007FEF7921000-memory.dmp

Filesize
1.2MB

Download
memory/1236-28-0x00000000776E0000-0x00000000776E2000-memory.dmp

Filesize
8KB

Download
memory/1236-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-26-0x0000000002A70000-0x0000000002A77000-memory.dmp

Filesize
28KB

Download
memory/1236-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-27-0x0000000077551000-0x0000000077552000-memory.dmp

Filesize
4KB

Download
memory/1236-47-0x0000000077446000-0x0000000077447000-memory.dmp

Filesize
4KB

Download
memory/1236-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-4-0x0000000077446000-0x0000000077447000-memory.dmp

Filesize
4KB

Download
memory/1236-5-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/1236-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1236-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2528-73-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2528-74-0x000007FEF7800000-0x000007FEF7932000-memory.dmp

Filesize
1.2MB

Download
memory/2528-77-0x000007FEF7800000-0x000007FEF7932000-memory.dmp

Filesize
1.2MB

Download
memory/2756-91-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2756-97-0x000007FEF7800000-0x000007FEF7932000-memory.dmp

Filesize
1.2MB

Download
memory/3016-61-0x000007FEF7930000-0x000007FEF7A62000-memory.dmp

Filesize
1.2MB

Download
memory/3016-56-0x000007FEF7930000-0x000007FEF7A62000-memory.dmp

Filesize
1.2MB

Download
memory/3016-55-0x0000000001AC0000-0x0000000001AC7000-memory.dmp

Filesize
28KB

Download