dridex | f5c4a8d100074c8177cd39eb29e743cc48d5cc1b9eb17773c79b1465c0f0278d

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0f02efa0024435c1edf094743b7cdf6_JaffaCakes118.dll
Size

1.2MB
MD5

f0f02efa0024435c1edf094743b7cdf6
SHA1

57dfa6f63f794f897e53b0eb582ef76e1a646ae0
SHA256

f5c4a8d100074c8177cd39eb29e743cc48d5cc1b9eb17773c79b1465c0f0278d
SHA512

196c9db8e6c57c7c6680869c4099c10b844cea7d73b6f9eb489e3948344a0870f498a7f64750bd60251496195a11ccd99359250fee16b8ea424fb2c93b51cece
SSDEEP

24576:NyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:NyWRKTt/QlPVp3h9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002AD0000-0x0000000002AD1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2612	iexpress.exe
3068	recdisc.exe
2420	rekeywiz.exe

Loads dropped DLL 7 IoCs

pid	Process
1200	Process not Found
2612	iexpress.exe
1200	Process not Found
3068	recdisc.exe
1200	Process not Found
2420	rekeywiz.exe
1200	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orgemlwcbffgzj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\MyJpbt\\recdisc.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rekeywiz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	rundll32.exe
2256	rundll32.exe
2256	rundll32.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2800	1200	Process not Found	29
PID 1200 wrote to memory of 2800	1200	Process not Found	29
PID 1200 wrote to memory of 2800	1200	Process not Found	29
PID 1200 wrote to memory of 2612	1200	Process not Found	30
PID 1200 wrote to memory of 2612	1200	Process not Found	30
PID 1200 wrote to memory of 2612	1200	Process not Found	30
PID 1200 wrote to memory of 2640	1200	Process not Found	31
PID 1200 wrote to memory of 2640	1200	Process not Found	31
PID 1200 wrote to memory of 2640	1200	Process not Found	31
PID 1200 wrote to memory of 3068	1200	Process not Found	32
PID 1200 wrote to memory of 3068	1200	Process not Found	32
PID 1200 wrote to memory of 3068	1200	Process not Found	32
PID 1200 wrote to memory of 2396	1200	Process not Found	33
PID 1200 wrote to memory of 2396	1200	Process not Found	33
PID 1200 wrote to memory of 2396	1200	Process not Found	33
PID 1200 wrote to memory of 2420	1200	Process not Found	34
PID 1200 wrote to memory of 2420	1200	Process not Found	34
PID 1200 wrote to memory of 2420	1200	Process not Found	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0f02efa0024435c1edf094743b7cdf6_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2256

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2800

C:\Users\Admin\AppData\Local\8pR\iexpress.exe
C:\Users\Admin\AppData\Local\8pR\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2612

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:2640

C:\Users\Admin\AppData\Local\PgUO3O6I\recdisc.exe
C:\Users\Admin\AppData\Local\PgUO3O6I\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3068

C:\Windows\system32\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
1⤵
PID:2396

C:\Users\Admin\AppData\Local\JJyI0tlWU\rekeywiz.exe
C:\Users\Admin\AppData\Local\JJyI0tlWU\rekeywiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8pR\VERSION.dll

Filesize
1.2MB

MD5
a812e4b3faea6b49727ea5510d5d0263

SHA1
49cedf0981e736f5ca9989abdcdc99f6c6e33621

SHA256
c26ecb60b70fcec2ec276737aabd0afc859bbb8704fd07300b4989d7706a94ca

SHA512
5c049a736d0f26116ba9b805eee9ee99e20c3db7ddd0926518ba8ac49dbd78910c9c1dd0ee61c2c6f79e96f7f2ef0a60e6fe2a5ea3519bda7132af53f3418c0d

Download Submit
C:\Users\Admin\AppData\Local\JJyI0tlWU\slc.dll

Filesize
1.2MB

MD5
d6afb13db78071c5abac2394848547b6

SHA1
69148fb0063b12b42632ed580c4127a6f3c886cb

SHA256
65251fc054152fd2c218fa704a99cd1f316e3895d37853e603196bd0921e412c

SHA512
5dad208a573e7885ff57610b02c67f62a2191b52edda8b2494892b567152e802414963a074473dba0357549250ebecc6dfcc63b89e7ba81bc911e011790fe510

Download Submit
C:\Users\Admin\AppData\Local\PgUO3O6I\ReAgent.dll

Filesize
1.2MB

MD5
b6aa8f3df487f075b3852b41cb38ae90

SHA1
0827b4c18542cd9ba8ea4ec0018e489825f7c042

SHA256
7644ccd6cd41aac64339b8923439e2f5ad1c9443a74603a89269b8cabb7b40b1

SHA512
b28d187ce0fbc06f6ecaecc7d197978d4dce39dea174eb798c3d9d96135a735eb0f41bfe03febe79a39b491af0050a2ae5d8d5ee547ce79232e584cd4fbac1b3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wzkhocxsoqdr.lnk

Filesize
1KB

MD5
0660ed549dc0d7593019a61db747788f

SHA1
fed1270787b9f008e380ff722d0cc1dc5eb9c155

SHA256
4d23eb8f4c64b4b5d7841e4e1467821b8f62da4ca97eca086a9112731298f638

SHA512
fee72830871cf95b112fd87b820362b558639555c564f9a7d54fc1eccf8ba9f01390688f15f6f889169c45392a44d95bd0fa2ab38026a7632c928958a74558d4

Download Submit
\Users\Admin\AppData\Local\8pR\iexpress.exe

Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
\Users\Admin\AppData\Local\JJyI0tlWU\rekeywiz.exe

Filesize
67KB

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
\Users\Admin\AppData\Local\PgUO3O6I\recdisc.exe

Filesize
232KB

MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
memory/1200-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1200-40-0x0000000077506000-0x0000000077507000-memory.dmp

Filesize
4KB

Download
memory/1200-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1200-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1200-27-0x00000000778A0000-0x00000000778A2000-memory.dmp

Filesize
8KB

Download
memory/1200-16-0x0000000002980000-0x0000000002987000-memory.dmp

Filesize
28KB

Download
memory/1200-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1200-26-0x0000000077711000-0x0000000077712000-memory.dmp

Filesize
4KB

Download
memory/1200-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1200-4-0x0000000077506000-0x0000000077507000-memory.dmp

Filesize
4KB

Download
memory/1200-30-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1200-31-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1200-5-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/1200-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1200-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1200-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1200-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1200-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2256-37-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2256-0-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2256-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2420-84-0x00000000002E0000-0x00000000002E7000-memory.dmp

Filesize
28KB

Download
memory/2420-90-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2612-54-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2612-49-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2612-48-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/3068-66-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/3068-72-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download