dridex | 5201a4cd5b69c5e49689be7361c07bceaa2cb9bf8be47e15e44acd582f814359

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5ce7011f68ebaaeb173f310c34f87d2_JaffaCakes118.dll
Size

1.2MB
MD5

e5ce7011f68ebaaeb173f310c34f87d2
SHA1

b64a4c56ef7f6a6576a0b0f75e3e271a28722d16
SHA256

5201a4cd5b69c5e49689be7361c07bceaa2cb9bf8be47e15e44acd582f814359
SHA512

4068e1a6ce54d215266a717be3760a21000776f4b9e3f595d5720230d68d8609f5c54e43af922200671353c8d3401433a0b9d80b6a2a475efd5f3ed326d4073d
SSDEEP

24576:SVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:SV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1260-5-0x0000000002600000-0x0000000002601000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1588	DWWIN.EXE
2596	SystemPropertiesHardware.exe
304	wusa.exe

Loads dropped DLL 7 IoCs

pid	Process
1260	Process not Found
1588	DWWIN.EXE
1260	Process not Found
2596	SystemPropertiesHardware.exe
1260	Process not Found
304	wusa.exe
1260	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\SYSTEM~1\\3oNE9\\SYSTEM~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	rundll32.exe
2404	rundll32.exe
2404	rundll32.exe
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found
1260	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2248	1260	Process not Found	31
PID 1260 wrote to memory of 2248	1260	Process not Found	31
PID 1260 wrote to memory of 2248	1260	Process not Found	31
PID 1260 wrote to memory of 1588	1260	Process not Found	32
PID 1260 wrote to memory of 1588	1260	Process not Found	32
PID 1260 wrote to memory of 1588	1260	Process not Found	32
PID 1260 wrote to memory of 3036	1260	Process not Found	33
PID 1260 wrote to memory of 3036	1260	Process not Found	33
PID 1260 wrote to memory of 3036	1260	Process not Found	33
PID 1260 wrote to memory of 2596	1260	Process not Found	34
PID 1260 wrote to memory of 2596	1260	Process not Found	34
PID 1260 wrote to memory of 2596	1260	Process not Found	34
PID 1260 wrote to memory of 992	1260	Process not Found	35
PID 1260 wrote to memory of 992	1260	Process not Found	35
PID 1260 wrote to memory of 992	1260	Process not Found	35
PID 1260 wrote to memory of 304	1260	Process not Found	36
PID 1260 wrote to memory of 304	1260	Process not Found	36
PID 1260 wrote to memory of 304	1260	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5ce7011f68ebaaeb173f310c34f87d2_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:2248

C:\Users\Admin\AppData\Local\Ir3alg2\DWWIN.EXE
C:\Users\Admin\AppData\Local\Ir3alg2\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1588

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:3036

C:\Users\Admin\AppData\Local\MHhjFp\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\MHhjFp\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2596

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:992

C:\Users\Admin\AppData\Local\yumnMG\wusa.exe
C:\Users\Admin\AppData\Local\yumnMG\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ir3alg2\VERSION.dll

Filesize
1.2MB

MD5
c92cca35b9e585b061a2f03d6f99abd9

SHA1
a8612ba6e973a2ae4214bdb5b0ecdadd13e02d75

SHA256
858403c7ed16d5ec3fceffcd6a4956006c665cee99524aefdb1b5a68ea8f4574

SHA512
7d412e61776118d296941269df6b306ec850cc1f636ec041b31f54c7316d9bff013369d0e1ecd51598d7c6074b9f5776c070f739a6a60c44b1b3d1fa68bcb920

Download Submit
C:\Users\Admin\AppData\Local\MHhjFp\SYSDM.CPL

Filesize
1.2MB

MD5
0ce432088b34d259019077cc6a6a4ba1

SHA1
d1f34da4b9ca0189c61520f77ea8f39695e9c5dc

SHA256
af11fdd79860336ecc96c0d50369e6c01723aa298517f1e4fca7adfd44a9df47

SHA512
624bf99531370d4249a3abe794b71565c676d800c85b6ba50a489401b2fa058c95fa82c706a493a99cf97025f500192f819d344e6528c830b394faff9ad5ca79

Download Submit
C:\Users\Admin\AppData\Local\MHhjFp\SystemPropertiesHardware.exe

Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
C:\Users\Admin\AppData\Local\yumnMG\dpx.dll

Filesize
1.2MB

MD5
97cf0af0fc424d62cd23eb5e6e5d0297

SHA1
b2dbe56ce2cc3eb3600e5a2222ae489ddb2634ff

SHA256
f0a158f6592d8c04a8611ee1f11928148d8db7738567dd28afffd95b80ecab62

SHA512
310376271a699d12e8bf5ef727d4be22a948b38c15699f975873c8eec51ed67afb95764128c1e224972c39df43775be37010927e7d5a0d8bd3b2ca7ef660700e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk

Filesize
1KB

MD5
dd8068e2a208cdc01caa3ee9fc9d871c

SHA1
ba559b3a5c9d8bc2f4b97801d5ab4ea0a0b47513

SHA256
1146ecc0fbf5998548958308185a4d6b44009d96469ee500e9bd30a011f3d998

SHA512
5546a149db71268d5dd229ac9109167343610f60ad76354a4a29b0d1599d792eaae18e6a900115e82ec4d10a084a15bf64249835cd86ebb4cb4ccbdba4c9f62c

Download Submit
\Users\Admin\AppData\Local\Ir3alg2\DWWIN.EXE

Filesize
149KB

MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
\Users\Admin\AppData\Local\yumnMG\wusa.exe

Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
memory/304-96-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1260-28-0x00000000772A0000-0x00000000772A2000-memory.dmp

Filesize
8KB

Download
memory/1260-47-0x0000000076F06000-0x0000000076F07000-memory.dmp

Filesize
4KB

Download
memory/1260-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1260-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1260-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1260-26-0x00000000025E0000-0x00000000025E7000-memory.dmp

Filesize
28KB

Download
memory/1260-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1260-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1260-4-0x0000000076F06000-0x0000000076F07000-memory.dmp

Filesize
4KB

Download
memory/1260-27-0x0000000077111000-0x0000000077112000-memory.dmp

Filesize
4KB

Download
memory/1260-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1260-37-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1260-5-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1260-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1260-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1260-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1260-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1260-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1260-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1588-61-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1588-56-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1588-55-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2404-46-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2404-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2404-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2596-73-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2596-79-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download