dridex | c1740bb33bac0ad1293f0e1305ea99e8b0d7719f7a02f0d12f719d48336ce1c0

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6f0b105457870d7cd16f84f233d21f9_JaffaCakes118.dll
Size

1.3MB
MD5

e6f0b105457870d7cd16f84f233d21f9
SHA1

9bc3bf0208c214b1f8f6704e94cd9741e561bd62
SHA256

c1740bb33bac0ad1293f0e1305ea99e8b0d7719f7a02f0d12f719d48336ce1c0
SHA512

80690bced2325abefa50e01e3051e150b452ceeaa573406d753a78e9176cc0d0ea50b320ad94311d2c278ceb01a4de821a256cd28b989f3019467af33990f551
SSDEEP

12288:sdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:eMIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1208-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/1712-0-0x0000000140000000-0x0000000140154000-memory.dmp	dridex_payload
behavioral1/memory/1208-47-0x0000000140000000-0x0000000140154000-memory.dmp	dridex_payload
behavioral1/memory/1712-65-0x0000000140000000-0x0000000140154000-memory.dmp	dridex_payload
behavioral1/memory/1208-61-0x0000000140000000-0x0000000140154000-memory.dmp	dridex_payload
behavioral1/memory/1208-59-0x0000000140000000-0x0000000140154000-memory.dmp	dridex_payload
behavioral1/memory/1984-76-0x0000000140000000-0x0000000140188000-memory.dmp	dridex_payload
behavioral1/memory/1984-81-0x0000000140000000-0x0000000140188000-memory.dmp	dridex_payload
behavioral1/memory/2024-94-0x0000000140000000-0x0000000140156000-memory.dmp	dridex_payload
behavioral1/memory/2024-98-0x0000000140000000-0x0000000140156000-memory.dmp	dridex_payload
behavioral1/memory/2712-111-0x0000000140000000-0x0000000140155000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1984	msdt.exe
2024	rdpclip.exe
2712	dvdupgrd.exe

Loads dropped DLL 7 IoCs

pid	Process
1208	Process not Found
1984	msdt.exe
1208	Process not Found
2024	rdpclip.exe
1208	Process not Found
2712	dvdupgrd.exe
1208	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\nOFE2LK3G\\rdpclip.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dvdupgrd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	rundll32.exe
1712	rundll32.exe
1712	rundll32.exe
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1728	1208	Process not Found	31
PID 1208 wrote to memory of 1728	1208	Process not Found	31
PID 1208 wrote to memory of 1728	1208	Process not Found	31
PID 1208 wrote to memory of 1984	1208	Process not Found	32
PID 1208 wrote to memory of 1984	1208	Process not Found	32
PID 1208 wrote to memory of 1984	1208	Process not Found	32
PID 1208 wrote to memory of 3004	1208	Process not Found	33
PID 1208 wrote to memory of 3004	1208	Process not Found	33
PID 1208 wrote to memory of 3004	1208	Process not Found	33
PID 1208 wrote to memory of 2024	1208	Process not Found	34
PID 1208 wrote to memory of 2024	1208	Process not Found	34
PID 1208 wrote to memory of 2024	1208	Process not Found	34
PID 1208 wrote to memory of 588	1208	Process not Found	35
PID 1208 wrote to memory of 588	1208	Process not Found	35
PID 1208 wrote to memory of 588	1208	Process not Found	35
PID 1208 wrote to memory of 2712	1208	Process not Found	36
PID 1208 wrote to memory of 2712	1208	Process not Found	36
PID 1208 wrote to memory of 2712	1208	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6f0b105457870d7cd16f84f233d21f9_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:1728

C:\Users\Admin\AppData\Local\FTP7Z2ZWl\msdt.exe
C:\Users\Admin\AppData\Local\FTP7Z2ZWl\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1984

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:3004

C:\Users\Admin\AppData\Local\HWTFc\rdpclip.exe
C:\Users\Admin\AppData\Local\HWTFc\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2024

C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
1⤵
PID:588

C:\Users\Admin\AppData\Local\xYObte\dvdupgrd.exe
C:\Users\Admin\AppData\Local\xYObte\dvdupgrd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FTP7Z2ZWl\DUI70.dll

Filesize
1.5MB

MD5
a116560ceb35da27158e85f92913f763

SHA1
bb7f14975d30a3846e08567d09d8e4edc5850ebd

SHA256
72f9662a92ea24f87930cdaba23e22cdb24d2062e363b42e606129929fbf1add

SHA512
bc8869a07b4299c10cfacfcdd2f212d8a80ab5781d9f7faae6d359afcf1401cd9aa71c316bb682d2ea2cecfa2fc636c566d17473a5ae7f8d223308f013468907

Download Submit
C:\Users\Admin\AppData\Local\HWTFc\WINSTA.dll

Filesize
1.3MB

MD5
562575cc0c68f7c2b3b4f740fabbc43a

SHA1
405004e6008d99efbe72171c55d57f00ae007ec2

SHA256
36ebca1c957c13b8c135d8bebd6c6a8e67b4d3d3d2f711c7537a8c5ec2475c04

SHA512
9aa32befdae44105844bdf0c04eb0c866929d1070faf63b55352732deaf211dbcda6294864f0814437be68a3e88b4127f776f98ad58fc9a5055837dbe466d886

Download Submit
C:\Users\Admin\AppData\Local\xYObte\VERSION.dll

Filesize
1.3MB

MD5
4830c4772647f73a8b96f92e01ad5610

SHA1
6e94383e3f453887e0fb218f5066e1a832095386

SHA256
abf496c4466250a68d1d196d4956c4d714d6990c77fbad0c270b613a8d4ec363

SHA512
f67d2dab8f15f9dea8273b882311e0ae5b04277594e6902a0a7d036fec09d9131ea2b3e3e85cc33b52c79c59f8e5d73cabf1e9be5817f72595b36398976d90e8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
1KB

MD5
50068e1d306ae1aaca280921151973db

SHA1
b13143389f43db41f6838e779cebb264b27c2993

SHA256
c30fb0773f019473aa1323f663f262579b88a9d36a3dac5ffd5195af2d37b4ed

SHA512
e6164d2b9324e568334927a1c4c590e6c8d1efcb2a775498f1744bb512f3665baa51bdb3751e8e4c59a5a0d03126b16096b7fd41f3863a3d77362340c1f0e748

Download Submit
\Users\Admin\AppData\Local\FTP7Z2ZWl\msdt.exe

Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
\Users\Admin\AppData\Local\HWTFc\rdpclip.exe

Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
\Users\Admin\AppData\Local\xYObte\dvdupgrd.exe

Filesize
25KB

MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
memory/1208-48-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download
memory/1208-59-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-9-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-28-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-11-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-12-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-13-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-49-0x0000000077E00000-0x0000000077E02000-memory.dmp

Filesize
8KB

Download
memory/1208-3-0x0000000077A66000-0x0000000077A67000-memory.dmp

Filesize
4KB

Download
memory/1208-47-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-46-0x0000000002D90000-0x0000000002D97000-memory.dmp

Filesize
28KB

Download
memory/1208-38-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-37-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-36-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-35-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-34-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-33-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-32-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-31-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-30-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-29-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-27-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-26-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-25-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-24-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/1208-61-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-22-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-23-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-21-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-20-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-19-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-18-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-17-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-16-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-15-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-14-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-68-0x0000000077A66000-0x0000000077A67000-memory.dmp

Filesize
4KB

Download
memory/1208-10-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-7-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-6-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1208-8-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1712-65-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1712-2-0x0000000001D80000-0x0000000001D87000-memory.dmp

Filesize
28KB

Download
memory/1712-0-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1984-81-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1984-76-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1984-78-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2024-93-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2024-94-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2024-98-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2712-110-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2712-111-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download