dridex | 71e81df6b6a1662f36f6dbd56571d345bf55f342d6deb464c33c2c3cb2c55d4d

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e89fed8bcadd8c09505de5a77f5869fd_JaffaCakes118.dll
Size

1.2MB
MD5

e89fed8bcadd8c09505de5a77f5869fd
SHA1

73b46bfbcf230c1f0a5bfe6efe53c43b494a8c25
SHA256

71e81df6b6a1662f36f6dbd56571d345bf55f342d6deb464c33c2c3cb2c55d4d
SHA512

8a0185e05880d5979b392bdb02f15c6f37b7b8dbde337f71f6e41291f05d281b222a9d9df31965f4c2640e299bf0e265da96333b7fc1190e5fb6c0570264dbfc
SSDEEP

24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1424-5-0x0000000002980000-0x0000000002981000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2780	icardagt.exe
2240	raserver.exe
684	iexpress.exe

Loads dropped DLL 7 IoCs

pid	Process
1424	Process not Found
2780	icardagt.exe
1424	Process not Found
2240	raserver.exe
1424	Process not Found
684	iexpress.exe
1424	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkmfyiwmvqjxba = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{C644314C-DE10-4D5C-BF7F-80177F7F3F98}\\CiNV0\\raserver.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found
1424	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2892	1424	Process not Found	31
PID 1424 wrote to memory of 2892	1424	Process not Found	31
PID 1424 wrote to memory of 2892	1424	Process not Found	31
PID 1424 wrote to memory of 2780	1424	Process not Found	32
PID 1424 wrote to memory of 2780	1424	Process not Found	32
PID 1424 wrote to memory of 2780	1424	Process not Found	32
PID 1424 wrote to memory of 2452	1424	Process not Found	33
PID 1424 wrote to memory of 2452	1424	Process not Found	33
PID 1424 wrote to memory of 2452	1424	Process not Found	33
PID 1424 wrote to memory of 2240	1424	Process not Found	34
PID 1424 wrote to memory of 2240	1424	Process not Found	34
PID 1424 wrote to memory of 2240	1424	Process not Found	34
PID 1424 wrote to memory of 1680	1424	Process not Found	35
PID 1424 wrote to memory of 1680	1424	Process not Found	35
PID 1424 wrote to memory of 1680	1424	Process not Found	35
PID 1424 wrote to memory of 684	1424	Process not Found	36
PID 1424 wrote to memory of 684	1424	Process not Found	36
PID 1424 wrote to memory of 684	1424	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e89fed8bcadd8c09505de5a77f5869fd_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
1⤵
PID:2892

C:\Users\Admin\AppData\Local\yuFQrZz\icardagt.exe
C:\Users\Admin\AppData\Local\yuFQrZz\icardagt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2780

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2452

C:\Users\Admin\AppData\Local\v8B\raserver.exe
C:\Users\Admin\AppData\Local\v8B\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2240

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:1680

C:\Users\Admin\AppData\Local\HGIj\iexpress.exe
C:\Users\Admin\AppData\Local\HGIj\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HGIj\VERSION.dll

Filesize
1.2MB

MD5
9ccad5b3f95b68af9c0f7504b494f27f

SHA1
1b4e34dee2e02c109278e1b653e30446160b71c0

SHA256
581a62806df3332ddffe37931d2346bde9cff799de47fe92c635a1801a31e8f3

SHA512
d3c88e79a0c41484d0b8c51bec8a26d2c8dd8531096f70d756232def227c788cd00f0244d9fbc4aff8cbc2ca4231a7b958c9dee7f10e2964e9d25357aa595f60

Download Submit
C:\Users\Admin\AppData\Local\v8B\WTSAPI32.dll

Filesize
1.2MB

MD5
51b0478497d67e3daf66d0ea9b2a174e

SHA1
91572054735abbe1736fcf7c0458f433ebba7877

SHA256
b4f141f49b8b9ee7864e6fbb43513f9692614d135d81491114d6790448317fe9

SHA512
970e0f55fc6cb9a20cac89072c157b5c20129649620c6fc4d2cca2b8c9ca3ef92f5e6a3b0bd509ca28cde0dfa029ea052daf3df4e28823f74b67d58d206eda1b

Download Submit
C:\Users\Admin\AppData\Local\yuFQrZz\UxTheme.dll

Filesize
1.2MB

MD5
20103a9e5988e7d34b11d5146348c1ba

SHA1
f427f28f779575c73d950e9697e5506139568132

SHA256
88521739a1bad9d98edab99731c5f61d494f6bb1e69fd0423b3fcf67f527f8b8

SHA512
6314705cf98377a30215d43c1755d05a34780b1b36b0e0331499cbf282fd8c40bf1290453aa083ea944ce63b3b4c934c3b167f89de81b9f81054290fab3f005d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk

Filesize
1005B

MD5
89eeea336770a88f4350ac647c2bb468

SHA1
b2b1a5dfd9892b75f6ffdb4c02558353204cdc6d

SHA256
0ab8a6a83728b73af24ad8479bccbc3d549076d9d35d4fbb52635518d8c57a49

SHA512
80c832e12039adfed7fbc5ad056717989313d5a3b065bf037d5582a587f595008ad47b1ba12f24f0e3a2eef320f897858ceb17cd8ba1b979e0d11e71f881c9e4

Download Submit
\Users\Admin\AppData\Local\HGIj\iexpress.exe

Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
\Users\Admin\AppData\Local\v8B\raserver.exe

Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
\Users\Admin\AppData\Local\yuFQrZz\icardagt.exe

Filesize
1.3MB

MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
memory/684-96-0x000007FEF62B0000-0x000007FEF63E1000-memory.dmp

Filesize
1.2MB

Download
memory/684-91-0x000007FEF62B0000-0x000007FEF63E1000-memory.dmp

Filesize
1.2MB

Download
memory/684-90-0x00000000006B0000-0x00000000006B7000-memory.dmp

Filesize
28KB

Download
memory/1424-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-27-0x0000000077830000-0x0000000077832000-memory.dmp

Filesize
8KB

Download
memory/1424-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-26-0x00000000776A1000-0x00000000776A2000-memory.dmp

Filesize
4KB

Download
memory/1424-4-0x0000000077596000-0x0000000077597000-memory.dmp

Filesize
4KB

Download
memory/1424-46-0x0000000077596000-0x0000000077597000-memory.dmp

Filesize
4KB

Download
memory/1424-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-5-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1424-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-25-0x0000000002960000-0x0000000002967000-memory.dmp

Filesize
28KB

Download
memory/2084-3-0x0000000000580000-0x0000000000587000-memory.dmp

Filesize
28KB

Download
memory/2084-45-0x000007FEF66A0000-0x000007FEF67D0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-0-0x000007FEF66A0000-0x000007FEF67D0000-memory.dmp

Filesize
1.2MB

Download
memory/2240-73-0x000007FEF6690000-0x000007FEF67C1000-memory.dmp

Filesize
1.2MB

Download
memory/2240-78-0x000007FEF6690000-0x000007FEF67C1000-memory.dmp

Filesize
1.2MB

Download
memory/2240-72-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2780-60-0x000007FEF6DD0000-0x000007FEF6F01000-memory.dmp

Filesize
1.2MB

Download
memory/2780-55-0x000007FEF6DD0000-0x000007FEF6F01000-memory.dmp

Filesize
1.2MB

Download
memory/2780-54-0x0000000000660000-0x0000000000667000-memory.dmp

Filesize
28KB

Download