dridex | 4128d0f84d420bcd7d2b648660b3cae21bcbf088e8a82f225b65acf95de78d98

Analysis

max time kernel
149s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edbc2bb8ff32ba555d9ecfb4ebe4336d_JaffaCakes118.dll
Size

1.2MB
MD5

edbc2bb8ff32ba555d9ecfb4ebe4336d
SHA1

30fa3d1d4d7f4993667d2717a8fcd8fa27ba9656
SHA256

4128d0f84d420bcd7d2b648660b3cae21bcbf088e8a82f225b65acf95de78d98
SHA512

0ed34499393e76d87da9c227a755086147720d36e358bbefe8e0167cbeb7927b843202ba35e8d9eb86da25324c89511d8b4891da46fb59e01dc3a1cd660ee28e
SSDEEP

24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NHt:m9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1360-6-0x0000000002490000-0x0000000002491000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2652	SystemPropertiesPerformance.exe
1488	WFS.exe
1960	rstrui.exe

Loads dropped DLL 7 IoCs

pid	Process
1360	Process not Found
2652	SystemPropertiesPerformance.exe
1360	Process not Found
1488	WFS.exe
1360	Process not Found
1960	rstrui.exe
1360	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkmfyiwmvqjxba = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\zywp\\WFS.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2464	rundll32.exe
2464	rundll32.exe
2464	rundll32.exe
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 2716	1360	Process not Found	30
PID 1360 wrote to memory of 2716	1360	Process not Found	30
PID 1360 wrote to memory of 2716	1360	Process not Found	30
PID 1360 wrote to memory of 2652	1360	Process not Found	31
PID 1360 wrote to memory of 2652	1360	Process not Found	31
PID 1360 wrote to memory of 2652	1360	Process not Found	31
PID 1360 wrote to memory of 696	1360	Process not Found	32
PID 1360 wrote to memory of 696	1360	Process not Found	32
PID 1360 wrote to memory of 696	1360	Process not Found	32
PID 1360 wrote to memory of 1488	1360	Process not Found	33
PID 1360 wrote to memory of 1488	1360	Process not Found	33
PID 1360 wrote to memory of 1488	1360	Process not Found	33
PID 1360 wrote to memory of 1084	1360	Process not Found	34
PID 1360 wrote to memory of 1084	1360	Process not Found	34
PID 1360 wrote to memory of 1084	1360	Process not Found	34
PID 1360 wrote to memory of 1960	1360	Process not Found	35
PID 1360 wrote to memory of 1960	1360	Process not Found	35
PID 1360 wrote to memory of 1960	1360	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\edbc2bb8ff32ba555d9ecfb4ebe4336d_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2464

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:2716

C:\Users\Admin\AppData\Local\jQiXowI\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\jQiXowI\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2652

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:696

C:\Users\Admin\AppData\Local\Z4Xs\WFS.exe
C:\Users\Admin\AppData\Local\Z4Xs\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1488

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:1084

C:\Users\Admin\AppData\Local\EaFZ0OR\rstrui.exe
C:\Users\Admin\AppData\Local\EaFZ0OR\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EaFZ0OR\SPP.dll

Filesize
1.2MB

MD5
21235cdc9749939488ae4123014e99df

SHA1
6a991ffcab96ac13d884dd817b2ce0865f6d2856

SHA256
873431987dc7b5a39927c89c586a2a6a2ef5d5827ee2a0e27d9b818580931f69

SHA512
636c8553b8230245bdc5697299496e9f2404a99eb149894b337640cdf2b10dc93b893aa8f8b7985f31a638c4ca046b269cb4e62a505ffb05bbf18758093912a0

Download Submit
C:\Users\Admin\AppData\Local\Z4Xs\WFS.exe

Filesize
951KB

MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
C:\Users\Admin\AppData\Local\jQiXowI\SYSDM.CPL

Filesize
1.2MB

MD5
3f8c300ea8c49876a76d74d68740e6d3

SHA1
3737f7981266afcc6d2160e1459277ed64266084

SHA256
711a1d74c898fecf82dd55d5015e4794b6688c5ce425d53d182ebdfec184b79f

SHA512
a81695feab235b40945486944c194ba1548b509b7726c37367b198cf04d7638d0a3803b768687e4215fd432c247462f3f3b0058ee14ba242282fe21b9493eb30

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk

Filesize
1024B

MD5
0842084b5e4f4101210cc1201bdcec5a

SHA1
466275a4e023e7356596cf2eac2070ebe830ba92

SHA256
6d7449e6e2b3066c8ba319178a818dba8ac5d99ad7f592c83717b6ab95d75e69

SHA512
d0462e94678024f2705e85ef2dcbdf8c2deb1fc108855e55e70baabe05bf9c0ddacd2329bac18c8986050864e5a8b2bdf415138acd0d3fad6270732f38221959

Download Submit
\Users\Admin\AppData\Local\EaFZ0OR\rstrui.exe

Filesize
290KB

MD5
3db5a1eace7f3049ecc49fa64461e254

SHA1
7dc64e4f75741b93804cbae365e10dc70592c6a9

SHA256
ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

SHA512
ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

Download Submit
\Users\Admin\AppData\Local\Z4Xs\MFC42u.dll

Filesize
1.2MB

MD5
d01baba2d9e0904d1956fc16b797206b

SHA1
feb04e7fb4908a5408edc51ccad9aee5bd82b4e6

SHA256
380d0d2912419ab308eba98327231694e6277884fc18187fd9ae0a20521c21df

SHA512
04a3b6e39878a601fc72a8313d4ae88483e34aa298a8271d81a96517e1a9d8b6a3ba6eb3d61c8c6fd122b89b5a5272379fac2604d90259f8e85277591aa6353d

Download Submit
\Users\Admin\AppData\Local\jQiXowI\SystemPropertiesPerformance.exe

Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
memory/1360-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-47-0x0000000077046000-0x0000000077047000-memory.dmp

Filesize
4KB

Download
memory/1360-23-0x0000000002470000-0x0000000002477000-memory.dmp

Filesize
28KB

Download
memory/1360-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-4-0x0000000077046000-0x0000000077047000-memory.dmp

Filesize
4KB

Download
memory/1360-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-6-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1360-27-0x0000000077251000-0x0000000077252000-memory.dmp

Filesize
4KB

Download
memory/1360-30-0x00000000773E0000-0x00000000773E2000-memory.dmp

Filesize
8KB

Download
memory/1360-26-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1360-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1488-73-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1488-74-0x000007FEF7630000-0x000007FEF7768000-memory.dmp

Filesize
1.2MB

Download
memory/1488-79-0x000007FEF7630000-0x000007FEF7768000-memory.dmp

Filesize
1.2MB

Download
memory/1960-92-0x000007FEF7630000-0x000007FEF7762000-memory.dmp

Filesize
1.2MB

Download
memory/1960-91-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1960-97-0x000007FEF7630000-0x000007FEF7762000-memory.dmp

Filesize
1.2MB

Download
memory/2464-46-0x000007FEF7630000-0x000007FEF7761000-memory.dmp

Filesize
1.2MB

Download
memory/2464-1-0x000007FEF7630000-0x000007FEF7761000-memory.dmp

Filesize
1.2MB

Download
memory/2464-0-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/2652-61-0x000007FEFA910000-0x000007FEFAA42000-memory.dmp

Filesize
1.2MB

Download
memory/2652-55-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2652-56-0x000007FEFA910000-0x000007FEFAA42000-memory.dmp

Filesize
1.2MB

Download