dridex | 720dda96ea558310e2dd575d2dbd382caeccff1c8a71299b091f293845bf46de

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd004eb1995ca16c41612ab17fb29d16_JaffaCakes118.dll
Size

1.2MB
MD5

dd004eb1995ca16c41612ab17fb29d16
SHA1

3a75a7c007771180bd4c55006b3f60015fa96b8d
SHA256

720dda96ea558310e2dd575d2dbd382caeccff1c8a71299b091f293845bf46de
SHA512

8ac3e636b114189eab565f7d68f634e989bee34a48b5d259af724c55df9dd4ee70626559d3f73f302de78a605a21e8b0ca88483d8efa1e15cc920c5812e0516a
SSDEEP

12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1156-5-0x0000000002520000-0x0000000002521000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1996	SystemPropertiesPerformance.exe
832	sigverif.exe
2932	mfpmp.exe

Loads dropped DLL 7 IoCs

pid	Process
1156	Process not Found
1996	SystemPropertiesPerformance.exe
1156	Process not Found
832	sigverif.exe
1156	Process not Found
2932	mfpmp.exe
1156	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\uTqQnqM2Z9\\sigverif.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2544	rundll32.exe
2544	rundll32.exe
2544	rundll32.exe
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 2620	1156	Process not Found	30
PID 1156 wrote to memory of 2620	1156	Process not Found	30
PID 1156 wrote to memory of 2620	1156	Process not Found	30
PID 1156 wrote to memory of 1996	1156	Process not Found	31
PID 1156 wrote to memory of 1996	1156	Process not Found	31
PID 1156 wrote to memory of 1996	1156	Process not Found	31
PID 1156 wrote to memory of 1768	1156	Process not Found	32
PID 1156 wrote to memory of 1768	1156	Process not Found	32
PID 1156 wrote to memory of 1768	1156	Process not Found	32
PID 1156 wrote to memory of 832	1156	Process not Found	33
PID 1156 wrote to memory of 832	1156	Process not Found	33
PID 1156 wrote to memory of 832	1156	Process not Found	33
PID 1156 wrote to memory of 2612	1156	Process not Found	34
PID 1156 wrote to memory of 2612	1156	Process not Found	34
PID 1156 wrote to memory of 2612	1156	Process not Found	34
PID 1156 wrote to memory of 2932	1156	Process not Found	35
PID 1156 wrote to memory of 2932	1156	Process not Found	35
PID 1156 wrote to memory of 2932	1156	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd004eb1995ca16c41612ab17fb29d16_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2544

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:2620

C:\Users\Admin\AppData\Local\4vj\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\4vj\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1996

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:1768

C:\Users\Admin\AppData\Local\KMB\sigverif.exe
C:\Users\Admin\AppData\Local\KMB\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:832

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:2612

C:\Users\Admin\AppData\Local\m0GTfOX8\mfpmp.exe
C:\Users\Admin\AppData\Local\m0GTfOX8\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4vj\SYSDM.CPL

Filesize
1.2MB

MD5
4ef540c2ac1b0f0de474cf58ad19280e

SHA1
d6fef56230b035c6245db72cfffadb6a8fa6e731

SHA256
309f39c89d5c0dbb600593c7e1e7336221510f8ddb6a0d80adb9b092795f74f8

SHA512
64d0de56b22621cbca7db3d821497731c6a85ebb2c4abb3c56432a27638acbf8c86987869a18576da64f3534bd4f1f89c6e7a460f6366f3d771cba79caa24a6a

Download Submit
C:\Users\Admin\AppData\Local\KMB\VERSION.dll

Filesize
1.2MB

MD5
086575e238a6620d72b0177b143ea703

SHA1
e9e8cfaf3769b5318a070f2b4312d64af2d724ac

SHA256
f63bcd300d3c9bb2d863a5e7b10e3deb7422a9fab7ee1792935c5a29a991936f

SHA512
be008ac26987914d20b46b284f42d0226d5de9dd6923dae0b8fee2127b7d588d24320210a233c5e2ec683c8816670dad1c4eec1a040c283f5028792f3f387efe

Download Submit
C:\Users\Admin\AppData\Local\m0GTfOX8\MFPlat.DLL

Filesize
1.2MB

MD5
946d67a0b022dcd902794a322ef6c5b4

SHA1
d4007766ca5cf63fae026cc973d5f8f5c912bb59

SHA256
0637e086dbef9f7832c9f7ed1d2817a3029ab4b2f672aff005740de9b216a0ce

SHA512
dd2ae0ab89d07372151a9cd6e5725eb9c5a953886d26c37bacfef64340ef4dd9263966c220738e05b228d0bbd03ac365a5a891ebed93184f8c5f9157b75d972c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk

Filesize
1KB

MD5
85bb275ffd3b5832786feddccfa6a3b4

SHA1
96943cfd94acce049b41655c319e375e147067d2

SHA256
3eff32a7be8d51975540be15a4c5a53110b8f9f1521f88806f4d1742e975ef8d

SHA512
79fc2584fc3efdf3e66ef694a4c4ffb81eb60b16bbb408791392ff11aca96d0cc8e3147d882f4a93d92f6e8d293e7a3867b07f8141c0f5330a8430deb2cd6782

Download Submit
\Users\Admin\AppData\Local\4vj\SystemPropertiesPerformance.exe

Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
\Users\Admin\AppData\Local\KMB\sigverif.exe

Filesize
73KB

MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
\Users\Admin\AppData\Local\m0GTfOX8\mfpmp.exe

Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
memory/832-100-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1156-32-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-26-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-14-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-59-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-58-0x0000000077BB0000-0x0000000077BB2000-memory.dmp

Filesize
8KB

Download
memory/1156-55-0x0000000077A51000-0x0000000077A52000-memory.dmp

Filesize
4KB

Download
memory/1156-54-0x0000000002500000-0x0000000002507000-memory.dmp

Filesize
28KB

Download
memory/1156-53-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-46-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-45-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-44-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-43-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-42-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-41-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-40-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-39-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-38-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-37-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-36-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-35-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-34-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-33-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-4-0x0000000077846000-0x0000000077847000-memory.dmp

Filesize
4KB

Download
memory/1156-31-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-30-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-29-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-28-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-15-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-25-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-24-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-23-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-22-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-21-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-20-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-19-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-18-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-17-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-16-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-65-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-10-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-27-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-5-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1156-130-0x0000000077846000-0x0000000077847000-memory.dmp

Filesize
4KB

Download
memory/1156-12-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-13-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-9-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-8-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1156-7-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1996-82-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1996-77-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/2544-3-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2544-0-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/2544-11-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download