dridex | 66b88b6a6bbc1178cd69d4730d4e946ac78fd7b7941a7752c269e5526475a48f

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8117100d5ebd3aa4580e80bf9d2dabf_JaffaCakes118.dll
Size

1.2MB
MD5

e8117100d5ebd3aa4580e80bf9d2dabf
SHA1

fce6f07ee2719f8aeed4605302aa59a4a83733d0
SHA256

66b88b6a6bbc1178cd69d4730d4e946ac78fd7b7941a7752c269e5526475a48f
SHA512

5d088bc52d77f63e74ca665c234c8e6180f8dde3087a3df95c5ec551e89eb32c11618b4fa6ae538bbd16b2d7942293544b769ec3de06748a359633f74aff4c66
SSDEEP

24576:tuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:n9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1148-5-0x0000000002D20000-0x0000000002D21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1712	spinstall.exe
2068	raserver.exe
532	sethc.exe

Loads dropped DLL 7 IoCs

pid	Process
1148	Process not Found
1712	spinstall.exe
1148	Process not Found
2068	raserver.exe
1148	Process not Found
532	sethc.exe
1148	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtunysabu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\dZ\\raserver.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spinstall.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	rundll32.exe
2348	rundll32.exe
2348	rundll32.exe
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found
1148	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2776	1148	Process not Found	31
PID 1148 wrote to memory of 2776	1148	Process not Found	31
PID 1148 wrote to memory of 2776	1148	Process not Found	31
PID 1148 wrote to memory of 1712	1148	Process not Found	32
PID 1148 wrote to memory of 1712	1148	Process not Found	32
PID 1148 wrote to memory of 1712	1148	Process not Found	32
PID 1148 wrote to memory of 2124	1148	Process not Found	33
PID 1148 wrote to memory of 2124	1148	Process not Found	33
PID 1148 wrote to memory of 2124	1148	Process not Found	33
PID 1148 wrote to memory of 2068	1148	Process not Found	34
PID 1148 wrote to memory of 2068	1148	Process not Found	34
PID 1148 wrote to memory of 2068	1148	Process not Found	34
PID 1148 wrote to memory of 2848	1148	Process not Found	35
PID 1148 wrote to memory of 2848	1148	Process not Found	35
PID 1148 wrote to memory of 2848	1148	Process not Found	35
PID 1148 wrote to memory of 532	1148	Process not Found	36
PID 1148 wrote to memory of 532	1148	Process not Found	36
PID 1148 wrote to memory of 532	1148	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e8117100d5ebd3aa4580e80bf9d2dabf_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Windows\system32\spinstall.exe
C:\Windows\system32\spinstall.exe
1⤵
PID:2776

C:\Users\Admin\AppData\Local\pkHfnYA\spinstall.exe
C:\Users\Admin\AppData\Local\pkHfnYA\spinstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1712

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2124

C:\Users\Admin\AppData\Local\oRn0fP\raserver.exe
C:\Users\Admin\AppData\Local\oRn0fP\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2068

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:2848

C:\Users\Admin\AppData\Local\km9Va6YWk\sethc.exe
C:\Users\Admin\AppData\Local\km9Va6YWk\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\km9Va6YWk\DUI70.dll

Filesize
1.4MB

MD5
05b8c6a331a6776b48cee4ad77b1d3c5

SHA1
120de9605c40e878ca63583804b7c30481ec7c15

SHA256
11baa4dbbb2f37695f5de16ad6f2326dc5addc7961a8062f1c76fda4f98da7ec

SHA512
efcc45d397ffd925e94929dea3bb414025e0d4907944f011e38af26f38c9fa9d7ce54b8d59dde0084789c9ec7c09115d51e6661fea5e9f3fce2d277189a8d32f

Download Submit
C:\Users\Admin\AppData\Local\oRn0fP\WTSAPI32.dll

Filesize
1.2MB

MD5
bc454e54c7f642fbbd61964ddc73cc41

SHA1
032072cc16e3b382c197aa494a3fbf5c0d815369

SHA256
2281bb810c13b78753b9d2ac9b2d77d6a121be089dd4c08a71d750a84b70b43b

SHA512
f1449e60119f9ee798636ff0e697280a10fea64a279833ceeb133c4df0d322a9b523ac53df4efc0d5333ce51021ca792658a6460c29caaabc0f9e1655540bfb3

Download Submit
C:\Users\Admin\AppData\Local\pkHfnYA\VERSION.dll

Filesize
1.2MB

MD5
cc59a200038ea1971043a808cfdf3c96

SHA1
2264d7526da3644b54f378440f4818e5f2a3d946

SHA256
9f8091e7618146af61161f37afd53fd05c4857f01b7dec6de0683836d775653b

SHA512
bb5889f846a56d131c337c30d9b4355688ad9426b69b780c69480af262024bd21875efc4a99643a99a8c88c0c6bc1051b1ecc995701e8ab932199a89334f287b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk

Filesize
1KB

MD5
d91c9b2d858ae73387c2bcd349b2051c

SHA1
7d2953f9443a82b6a80e081eabf11dc74f4a1fd9

SHA256
49c1b1a878c32530de52f7551620a24b1375d01f424fee7f0404308eee7405d9

SHA512
e3e9784c1b7de3734b9cdfa318bce2a970b10258c8273e0ed2f58be6aca9dbae569ca4b909bdc324cfa550780a58098ece063017d0ed001adc581172ac66f84b

Download Submit
\Users\Admin\AppData\Local\km9Va6YWk\sethc.exe

Filesize
272KB

MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
\Users\Admin\AppData\Local\oRn0fP\raserver.exe

Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
\Users\Admin\AppData\Local\pkHfnYA\spinstall.exe

Filesize
584KB

MD5
29c1d5b330b802efa1a8357373bc97fe

SHA1
90797aaa2c56fc2a667c74475996ea1841bc368f

SHA256
048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

SHA512
66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

Download Submit
memory/532-90-0x000007FEF6860000-0x000007FEF69C4000-memory.dmp

Filesize
1.4MB

Download
memory/532-95-0x000007FEF6860000-0x000007FEF69C4000-memory.dmp

Filesize
1.4MB

Download
memory/532-89-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/1148-25-0x00000000029B0000-0x00000000029B7000-memory.dmp

Filesize
28KB

Download
memory/1148-46-0x0000000076DE6000-0x0000000076DE7000-memory.dmp

Filesize
4KB

Download
memory/1148-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1148-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1148-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1148-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1148-26-0x0000000076FF1000-0x0000000076FF2000-memory.dmp

Filesize
4KB

Download
memory/1148-27-0x0000000077180000-0x0000000077182000-memory.dmp

Filesize
8KB

Download
memory/1148-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1148-38-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1148-4-0x0000000076DE6000-0x0000000076DE7000-memory.dmp

Filesize
4KB

Download
memory/1148-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1148-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1148-5-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/1148-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1148-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1148-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1148-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1148-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1712-60-0x000007FEF6EB0000-0x000007FEF6FE1000-memory.dmp

Filesize
1.2MB

Download
memory/1712-55-0x000007FEF6EB0000-0x000007FEF6FE1000-memory.dmp

Filesize
1.2MB

Download
memory/1712-54-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/2068-72-0x000007FEF6890000-0x000007FEF69C1000-memory.dmp

Filesize
1.2MB

Download
memory/2068-77-0x000007FEF6890000-0x000007FEF69C1000-memory.dmp

Filesize
1.2MB

Download
memory/2348-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2348-45-0x000007FEF68A0000-0x000007FEF69D0000-memory.dmp

Filesize
1.2MB

Download
memory/2348-1-0x000007FEF68A0000-0x000007FEF69D0000-memory.dmp

Filesize
1.2MB

Download