dridex | e06c71d9c6e770486e02dc3dc6fb9d8d640c3142b625d7a4e8ca0d99aff3b944

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecc94ddcac7f889fba06679317c767a1_JaffaCakes118.dll
Size

1.2MB
MD5

ecc94ddcac7f889fba06679317c767a1
SHA1

75da782863c7e30f45939c0711057d37483bd437
SHA256

e06c71d9c6e770486e02dc3dc6fb9d8d640c3142b625d7a4e8ca0d99aff3b944
SHA512

f096735220bc58a172bc362aae448ac3e169418fd76a247c9d20fc814d93e8fde44e2a99e9a5a4ccac73b41dbbca3849bd7215cd4fbe8c68f26d3a512ec9444a
SSDEEP

24576:FuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:/9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1244-5-0x0000000002200000-0x0000000002201000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2796	consent.exe
800	xpsrchvw.exe
2460	consent.exe

Loads dropped DLL 7 IoCs

pid	Process
1244	Process not Found
2796	consent.exe
1244	Process not Found
800	xpsrchvw.exe
1244	Process not Found
2460	consent.exe
1244	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orgemlwcbffgzj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\MZIhy\\xpsrchvw.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	consent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	consent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
984	rundll32.exe
984	rundll32.exe
984	rundll32.exe
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2808	1244	Process not Found	29
PID 1244 wrote to memory of 2808	1244	Process not Found	29
PID 1244 wrote to memory of 2808	1244	Process not Found	29
PID 1244 wrote to memory of 2796	1244	Process not Found	30
PID 1244 wrote to memory of 2796	1244	Process not Found	30
PID 1244 wrote to memory of 2796	1244	Process not Found	30
PID 1244 wrote to memory of 2612	1244	Process not Found	31
PID 1244 wrote to memory of 2612	1244	Process not Found	31
PID 1244 wrote to memory of 2612	1244	Process not Found	31
PID 1244 wrote to memory of 800	1244	Process not Found	32
PID 1244 wrote to memory of 800	1244	Process not Found	32
PID 1244 wrote to memory of 800	1244	Process not Found	32
PID 1244 wrote to memory of 2436	1244	Process not Found	33
PID 1244 wrote to memory of 2436	1244	Process not Found	33
PID 1244 wrote to memory of 2436	1244	Process not Found	33
PID 1244 wrote to memory of 2460	1244	Process not Found	34
PID 1244 wrote to memory of 2460	1244	Process not Found	34
PID 1244 wrote to memory of 2460	1244	Process not Found	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecc94ddcac7f889fba06679317c767a1_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:984

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:2808

C:\Users\Admin\AppData\Local\f8fE\consent.exe
C:\Users\Admin\AppData\Local\f8fE\consent.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2796

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:2612

C:\Users\Admin\AppData\Local\NhJZfj\xpsrchvw.exe
C:\Users\Admin\AppData\Local\NhJZfj\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:800

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:2436

C:\Users\Admin\AppData\Local\2YNUks\consent.exe
C:\Users\Admin\AppData\Local\2YNUks\consent.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2YNUks\WINSTA.dll

Filesize
1.2MB

MD5
b9ec32badaa704f986206dd73a5ef774

SHA1
40ab30d12ebbd78448f7dc3cee75f1e4a56fdd83

SHA256
77e3143858855d10442b86ba120fc113044ce3776f27e167d964f7b0c687b4ab

SHA512
ab70dbf7f3135ca026660848e46dbcafdd1aefef49c6d6be487221518ca13c6e90363799e37c9c2b477d8c905abaf2c670f40bd83f1fe7f5e21d550481e73576

Download Submit
C:\Users\Admin\AppData\Local\NhJZfj\WINMM.dll

Filesize
1.2MB

MD5
37d4d11c22002d4cffaccb8987889a4c

SHA1
3965c005676b2f084a3be04f90edd4074c48cf34

SHA256
173df27710543549d4c36a2fdfc13cf115557940037688eb537c9044dce06d19

SHA512
bdbeceb9e8dd15e50e245816878447e5a4aef26b9460c4c039295f8860766127b2e8d21d9ec5a80f4c1588abf45fe5d034bac7e192a87a7b33c0cca94269a244

Download Submit
C:\Users\Admin\AppData\Local\f8fE\WINSTA.dll

Filesize
1.2MB

MD5
dbddfafa764576bbb0423f6f40fe5fd5

SHA1
69e91ec5d794a03283216bd69bbd0b0cf9e77a57

SHA256
dcd56a8080fba6ae1b5410ac2b6475b14bd620ab6dcd88eb2f1ec8eb7cbba5cb

SHA512
a440bec53a6692b7be39b56045460983eb170d4269440b3584e9e7abed3741c78cbdbfd46957a0337e97b38099755ad47d2884f09f75d48990670a2492c0f544

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wzkhocxsoqdr.lnk

Filesize
1KB

MD5
b13fc85239da2ef4d2be917d67f3b0ab

SHA1
0ba1cda0244340c231365442fb73bf1ecb81f535

SHA256
03e6e58dfb3aa1a28288a51bbc30671eca9b26f0178996b8dcdfefb4d163d6f2

SHA512
5ef39887917c8a2f9dceddc06b560328af7fccea89b18258e73da7c2abc3c48844de4451e1815210df7062f607e72702b97f7133868195b2dc60430cfa1e6a94

Download Submit
\Users\Admin\AppData\Local\NhJZfj\xpsrchvw.exe

Filesize
4.6MB

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
\Users\Admin\AppData\Local\f8fE\consent.exe

Filesize
109KB

MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
memory/800-72-0x000007FEF69B0000-0x000007FEF6AE2000-memory.dmp

Filesize
1.2MB

Download
memory/800-68-0x000007FEF69B0000-0x000007FEF6AE2000-memory.dmp

Filesize
1.2MB

Download
memory/984-1-0x000007FEF6CA0000-0x000007FEF6DD0000-memory.dmp

Filesize
1.2MB

Download
memory/984-0-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/984-41-0x000007FEF6CA0000-0x000007FEF6DD0000-memory.dmp

Filesize
1.2MB

Download
memory/1244-25-0x00000000021E0000-0x00000000021E7000-memory.dmp

Filesize
28KB

Download
memory/1244-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1244-26-0x0000000077581000-0x0000000077582000-memory.dmp

Filesize
4KB

Download
memory/1244-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1244-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1244-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1244-17-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1244-33-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1244-32-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1244-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1244-42-0x0000000077376000-0x0000000077377000-memory.dmp

Filesize
4KB

Download
memory/1244-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1244-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1244-4-0x0000000077376000-0x0000000077377000-memory.dmp

Filesize
4KB

Download
memory/1244-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1244-5-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1244-27-0x0000000077710000-0x0000000077712000-memory.dmp

Filesize
8KB

Download
memory/1244-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1244-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2460-100-0x000007FEF6C90000-0x000007FEF6DC2000-memory.dmp

Filesize
1.2MB

Download
memory/2460-105-0x000007FEF6C90000-0x000007FEF6DC2000-memory.dmp

Filesize
1.2MB

Download
memory/2796-56-0x000007FEFB1C0000-0x000007FEFB2F2000-memory.dmp

Filesize
1.2MB

Download
memory/2796-51-0x000007FEFB1C0000-0x000007FEFB2F2000-memory.dmp

Filesize
1.2MB

Download
memory/2796-50-0x0000000001AA0000-0x0000000001AA7000-memory.dmp

Filesize
28KB

Download