dridex | a778300ec5f7f0660a1009be0d859897cf12b0ff1f60cd01ec2adf82aeaf5844

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef747e43d5de3708eb4a10f4eb17f2d3_JaffaCakes118.dll
Size

1.2MB
MD5

ef747e43d5de3708eb4a10f4eb17f2d3
SHA1

2752f41170e192acc418d1b19791763326c1b363
SHA256

a778300ec5f7f0660a1009be0d859897cf12b0ff1f60cd01ec2adf82aeaf5844
SHA512

0d42f89ad6d9884b68e07af6ed9f1a19b39975b234dc4ebf5e664c484ae81ac628d396efc485e2aa0b5cc9dca7403d13adec99ec08831c18e9595819166bd08a
SSDEEP

24576:BuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NI:T9cKrUqZWLAcUw

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1208-5-0x0000000002980000-0x0000000002981000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2668	mblctr.exe
2996	DisplaySwitch.exe
584	calc.exe

Loads dropped DLL 7 IoCs

pid	Process
1208	Process not Found
2668	mblctr.exe
1208	Process not Found
2996	DisplaySwitch.exe
1208	Process not Found
584	calc.exe
1208	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcbsdqtxprcnbm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\HO5Z\\DISPLA~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	rundll32.exe
1620	rundll32.exe
1620	rundll32.exe
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2596	1208	Process not Found	30
PID 1208 wrote to memory of 2596	1208	Process not Found	30
PID 1208 wrote to memory of 2596	1208	Process not Found	30
PID 1208 wrote to memory of 2668	1208	Process not Found	31
PID 1208 wrote to memory of 2668	1208	Process not Found	31
PID 1208 wrote to memory of 2668	1208	Process not Found	31
PID 1208 wrote to memory of 2984	1208	Process not Found	32
PID 1208 wrote to memory of 2984	1208	Process not Found	32
PID 1208 wrote to memory of 2984	1208	Process not Found	32
PID 1208 wrote to memory of 2996	1208	Process not Found	33
PID 1208 wrote to memory of 2996	1208	Process not Found	33
PID 1208 wrote to memory of 2996	1208	Process not Found	33
PID 1208 wrote to memory of 2792	1208	Process not Found	34
PID 1208 wrote to memory of 2792	1208	Process not Found	34
PID 1208 wrote to memory of 2792	1208	Process not Found	34
PID 1208 wrote to memory of 584	1208	Process not Found	35
PID 1208 wrote to memory of 584	1208	Process not Found	35
PID 1208 wrote to memory of 584	1208	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef747e43d5de3708eb4a10f4eb17f2d3_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:2596

C:\Users\Admin\AppData\Local\yAxe\mblctr.exe
C:\Users\Admin\AppData\Local\yAxe\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2668

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:2984

C:\Users\Admin\AppData\Local\KSF3\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\KSF3\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2996

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:2792

C:\Users\Admin\AppData\Local\gz9jST\calc.exe
C:\Users\Admin\AppData\Local\gz9jST\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KSF3\DisplaySwitch.exe

Filesize
517KB

MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
C:\Users\Admin\AppData\Local\gz9jST\UxTheme.dll

Filesize
1.2MB

MD5
ee479fb581cca792169a2bbcea0b8411

SHA1
9c8748fcf66c34ecb8ddef3a13910ebee277f7b5

SHA256
ad8a6cdb3b00beb1a0da01a06601800b127f962adfa218a859ef3da3ae97a310

SHA512
5c240b0b6464c7188027bfe16e567b4cecf51d44031de0f529a5dcc6cd7297e6278da67bb4945dca1239e5e45aaec373d42cb900f08afc6db798453579e75ee7

Download Submit
C:\Users\Admin\AppData\Local\yAxe\WTSAPI32.dll

Filesize
1.2MB

MD5
0413610f788af96d4af609c4ccd04b78

SHA1
d916dfb03b4b570e4cb35ddcbebb4bdacc30c55f

SHA256
900baa9d780e23dc6289ba2433cbbdddbee313a0351b839f56b7f7777219c249

SHA512
fa23a79d5143c035f465f0e69a0e7808c44e0ed915a0a45bc38e126cdb2c1d605fdbf6948ae28b228bad63ff8d46e2f748671c9880f8afcac7a98cb76068be2e

Download Submit
C:\Users\Admin\AppData\Local\yAxe\mblctr.exe

Filesize
935KB

MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk

Filesize
1KB

MD5
ab6238b1f0151a24a8bebdd94607b64f

SHA1
5143aac1a49caa354502f0a4cdcbdd9ca44b2851

SHA256
b2148203ebd114b355c3e35b291b22dff308eab09a27c962260e28f595d8bae2

SHA512
01e94824100ec92dd715e8c68e71300feaf5cc5d7e5dc2e879a986a6ca1e886430ca37a1f78d21493f4e9547e3eba3f7de5149479d616ad65decbc298831cc13

Download Submit
\Users\Admin\AppData\Local\KSF3\slc.dll

Filesize
1.2MB

MD5
078fc2070232eda656083a5b53f3163f

SHA1
fc8d28a896b8003a8424e8ad89390a87c754f64e

SHA256
9f941014964341d8f3606d2453988e5af9e8b64bfe66507bee5a14fa98066faa

SHA512
eaa17cf5d4b05cd68e00d41a2729a18561478c92e5b3dcea60c4f36aa53c5ed87191ccc3cb5c006f0bce0037e65e96543a517e2a8fc9d4a5d379ab2ab85f793d

Download Submit
\Users\Admin\AppData\Local\gz9jST\calc.exe

Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
memory/584-90-0x000007FEF7E40000-0x000007FEF7F71000-memory.dmp

Filesize
1.2MB

Download
memory/1208-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-42-0x00000000775B6000-0x00000000775B7000-memory.dmp

Filesize
4KB

Download
memory/1208-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-4-0x00000000775B6000-0x00000000775B7000-memory.dmp

Filesize
4KB

Download
memory/1208-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-32-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-33-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-5-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1208-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-25-0x0000000002960000-0x0000000002967000-memory.dmp

Filesize
28KB

Download
memory/1208-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1208-29-0x0000000077950000-0x0000000077952000-memory.dmp

Filesize
8KB

Download
memory/1208-28-0x00000000777C1000-0x00000000777C2000-memory.dmp

Filesize
4KB

Download
memory/1620-41-0x000007FEF7E50000-0x000007FEF7F80000-memory.dmp

Filesize
1.2MB

Download
memory/1620-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1620-1-0x000007FEF7E50000-0x000007FEF7F80000-memory.dmp

Filesize
1.2MB

Download
memory/2668-56-0x000007FEF7F70000-0x000007FEF80A1000-memory.dmp

Filesize
1.2MB

Download
memory/2668-50-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2668-51-0x000007FEF7F70000-0x000007FEF80A1000-memory.dmp

Filesize
1.2MB

Download
memory/2996-68-0x000007FEF7E40000-0x000007FEF7F71000-memory.dmp

Filesize
1.2MB

Download
memory/2996-73-0x000007FEF7E40000-0x000007FEF7F71000-memory.dmp

Filesize
1.2MB

Download