dridex | 2556434fa80ac79faa55812f479fd1e14d0b7297d379f6935073bd5c6e25f693

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e197f60b0db3189f6af916cf489f6cb3_JaffaCakes118.dll
Size

1.2MB
MD5

e197f60b0db3189f6af916cf489f6cb3
SHA1

f1679a5453809d4cf2de3ea04e5cdf3aab48a0ee
SHA256

2556434fa80ac79faa55812f479fd1e14d0b7297d379f6935073bd5c6e25f693
SHA512

cf709ff4cd7671fd69d7bea310269ff44f031c5cd98fae96bc1835716d3911ab03477e7945da13083dd905e9e385f43df2d0fad56db870f0fa75b3bf58e08fce
SSDEEP

24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002A50000-0x0000000002A51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2676	BitLockerWizard.exe
1672	dccw.exe
2728	xpsrchvw.exe

Loads dropped DLL 7 IoCs

pid	Process
1200	Process not Found
2676	BitLockerWizard.exe
1200	Process not Found
1672	dccw.exe
1200	Process not Found
2728	xpsrchvw.exe
1200	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\eFfVFDu\\dccw.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2248	1200	Process not Found	31
PID 1200 wrote to memory of 2248	1200	Process not Found	31
PID 1200 wrote to memory of 2248	1200	Process not Found	31
PID 1200 wrote to memory of 2676	1200	Process not Found	32
PID 1200 wrote to memory of 2676	1200	Process not Found	32
PID 1200 wrote to memory of 2676	1200	Process not Found	32
PID 1200 wrote to memory of 2592	1200	Process not Found	33
PID 1200 wrote to memory of 2592	1200	Process not Found	33
PID 1200 wrote to memory of 2592	1200	Process not Found	33
PID 1200 wrote to memory of 1672	1200	Process not Found	34
PID 1200 wrote to memory of 1672	1200	Process not Found	34
PID 1200 wrote to memory of 1672	1200	Process not Found	34
PID 1200 wrote to memory of 2500	1200	Process not Found	35
PID 1200 wrote to memory of 2500	1200	Process not Found	35
PID 1200 wrote to memory of 2500	1200	Process not Found	35
PID 1200 wrote to memory of 2728	1200	Process not Found	36
PID 1200 wrote to memory of 2728	1200	Process not Found	36
PID 1200 wrote to memory of 2728	1200	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e197f60b0db3189f6af916cf489f6cb3_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:2248

C:\Users\Admin\AppData\Local\PsAp\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\PsAp\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2676

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:2592

C:\Users\Admin\AppData\Local\JrVQQO7\dccw.exe
C:\Users\Admin\AppData\Local\JrVQQO7\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1672

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:2500

C:\Users\Admin\AppData\Local\CARHv\xpsrchvw.exe
C:\Users\Admin\AppData\Local\CARHv\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CARHv\WINMM.dll

Filesize
1.2MB

MD5
b66e033e29537e6e6e5152d139044076

SHA1
941603b5f4374e1683d249aef882490fc8de4198

SHA256
d9aa50b440a62a4367a1955d871f9d5608796e247aa08e6669d61c685de359a7

SHA512
a3f4b09c12eac523d1bb7c54c1befcfc8dbdfa74c2ba1f73b5469111631461dc928d8b508edbb9b6bd3c9f5bdea38f758825fe99a8f0dd990f3e18d6759d816b

Download Submit
C:\Users\Admin\AppData\Local\JrVQQO7\mscms.dll

Filesize
1.2MB

MD5
172fb19e149b278a98a3baa2e665dd44

SHA1
3276943217a2842fc66d5e0b3774ad44ba905207

SHA256
0ed5a78cdc33f245004d77d237bc407808c815816ff0ae19d2ddf5f0c86429af

SHA512
cab01441741d0b18bcb4f0f30d070f6062d96ae34a6d965884fffb3b1f6027aacf961c9da7af4bbb9afc1e486b761e4e96edd73483d4866fe932d94d47ec96fe

Download Submit
C:\Users\Admin\AppData\Local\PsAp\FVEWIZ.dll

Filesize
1.2MB

MD5
50f7c0ff084b5550271bb25d7471f315

SHA1
3d5ad777523a6ffd5308e6be15415d35eabb0a30

SHA256
e235c04c32aa619fe6610a1762cdb23cb53025dbd082ee526cdf52bf20f26eac

SHA512
f51c1a458d630678ba494837ca7b5a5b8cf2f5cbf1424d1b2051efd9a3577451e6950c2f954260f532c533f89467a879b92d22ca13a5a9a7726bba710ae0c574

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk

Filesize
1KB

MD5
2ef776f9de3ab21c63cd6ff8f1e87090

SHA1
1c52fdcc00aff87a398c5e7fd83f1d115302f05b

SHA256
b95626aec93159616dac770e4ec4f8cb1e43d2148393553e1b0cfc010ae67690

SHA512
ac145234570e2554715caf39ab4d9743e2c39d5b9c9fc4ff922708a5edc2be6835370b019e40dbfc22162db7c1166ac085a44b165e90657904c91e72535f6563

Download Submit
\Users\Admin\AppData\Local\CARHv\xpsrchvw.exe

Filesize
4.6MB

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
\Users\Admin\AppData\Local\JrVQQO7\dccw.exe

Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
\Users\Admin\AppData\Local\PsAp\BitLockerWizard.exe

Filesize
98KB

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
memory/1200-29-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

Filesize
8KB

Download
memory/1200-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-4-0x0000000076C36000-0x0000000076C37000-memory.dmp

Filesize
4KB

Download
memory/1200-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-5-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1200-46-0x0000000076C36000-0x0000000076C37000-memory.dmp

Filesize
4KB

Download
memory/1200-26-0x0000000076D41000-0x0000000076D42000-memory.dmp

Filesize
4KB

Download
memory/1200-25-0x0000000002A30000-0x0000000002A37000-memory.dmp

Filesize
28KB

Download
memory/1200-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1200-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1672-75-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1672-72-0x000007FEF5C90000-0x000007FEF5DC1000-memory.dmp

Filesize
1.2MB

Download
memory/1672-76-0x000007FEF5C90000-0x000007FEF5DC1000-memory.dmp

Filesize
1.2MB

Download
memory/1864-45-0x000007FEF5CA0000-0x000007FEF5DD0000-memory.dmp

Filesize
1.2MB

Download
memory/1864-0-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/1864-1-0x000007FEF5CA0000-0x000007FEF5DD0000-memory.dmp

Filesize
1.2MB

Download
memory/2676-60-0x000007FEF6C00000-0x000007FEF6D31000-memory.dmp

Filesize
1.2MB

Download
memory/2676-55-0x000007FEF6C00000-0x000007FEF6D31000-memory.dmp

Filesize
1.2MB

Download
memory/2676-54-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2728-90-0x000007FEF5AF0000-0x000007FEF5C22000-memory.dmp

Filesize
1.2MB

Download
memory/2728-94-0x000007FEF5AF0000-0x000007FEF5C22000-memory.dmp

Filesize
1.2MB

Download