dridex | c946e2a27a0c8eb2dd4bbffd200e12eb98ecec7ac2b41ae21b86ce6197e2444b

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bbced116fdb8fc62616ebecff5923b0_JaffaCakes118.dll
Size

1.2MB
MD5

2bbced116fdb8fc62616ebecff5923b0
SHA1

08c7486f88a21923f42b1da93f80e518be7e2332
SHA256

c946e2a27a0c8eb2dd4bbffd200e12eb98ecec7ac2b41ae21b86ce6197e2444b
SHA512

e581584c16497af995212caf6f80011fdded57e02184293ff9d67c07d552a96e70655af54d1be9f28f12445f43ae578480c400d559528622e5e060e3c1b361d4
SSDEEP

12288:qVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:3fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1284-6-0x0000000002DF0000-0x0000000002DF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2636	wisptis.exe
3064	osk.exe
3040	rdpshell.exe

Loads dropped DLL 7 IoCs

pid	Process
1284	Process not Found
2636	wisptis.exe
1284	Process not Found
3064	osk.exe
1284	Process not Found
3040	rdpshell.exe
1284	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtunysabu = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\Jaa8Z\\osk.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wisptis.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1680	rundll32.exe
1680	rundll32.exe
1680	rundll32.exe
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2640	1284	Process not Found	30
PID 1284 wrote to memory of 2640	1284	Process not Found	30
PID 1284 wrote to memory of 2640	1284	Process not Found	30
PID 1284 wrote to memory of 2636	1284	Process not Found	31
PID 1284 wrote to memory of 2636	1284	Process not Found	31
PID 1284 wrote to memory of 2636	1284	Process not Found	31
PID 1284 wrote to memory of 2656	1284	Process not Found	33
PID 1284 wrote to memory of 2656	1284	Process not Found	33
PID 1284 wrote to memory of 2656	1284	Process not Found	33
PID 1284 wrote to memory of 3064	1284	Process not Found	34
PID 1284 wrote to memory of 3064	1284	Process not Found	34
PID 1284 wrote to memory of 3064	1284	Process not Found	34
PID 1284 wrote to memory of 2932	1284	Process not Found	35
PID 1284 wrote to memory of 2932	1284	Process not Found	35
PID 1284 wrote to memory of 2932	1284	Process not Found	35
PID 1284 wrote to memory of 3040	1284	Process not Found	36
PID 1284 wrote to memory of 3040	1284	Process not Found	36
PID 1284 wrote to memory of 3040	1284	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bbced116fdb8fc62616ebecff5923b0_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
1⤵
PID:2640

C:\Users\Admin\AppData\Local\rgqx5Jti\wisptis.exe
C:\Users\Admin\AppData\Local\rgqx5Jti\wisptis.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2636

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2656

C:\Users\Admin\AppData\Local\tIy\osk.exe
C:\Users\Admin\AppData\Local\tIy\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3064

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:2932

C:\Users\Admin\AppData\Local\G8FN\rdpshell.exe
C:\Users\Admin\AppData\Local\G8FN\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\rgqx5Jti\OLEACC.dll

Filesize
1.2MB

MD5
79452303bc9b94e5fe20fc106bba8ba7

SHA1
29d9f4cf4a5d1de0a3bbf69b4705348335e75e6d

SHA256
a6b416b3ba3085dbaf5d4a4d7dd4f8d406e87f1b8c2fb1b39e5f72feb9e75743

SHA512
8e6e139db298aa9c108892c3ec310cf0401c8f2e31ac4a4d2b9b5ab8a1efff5f1fd017827c84eced879b0d0e875a74903b1b9d26ef14aaa1abb347d49df6a506

Download Submit
C:\Users\Admin\AppData\Local\tIy\OLEACC.dll

Filesize
1.2MB

MD5
7f909a22014a8501bc85ad485bc2d30c

SHA1
76783ad38cc381a7654589d371555b281ea63ed4

SHA256
582e752bce102c722cdea42a2e7b8c33904bcf6998513ea8aca35bd73053a8df

SHA512
21ea735c492e333136f976a131c5caeb45fb65027affbc2538acc3c4f18eb15c022ad45cc639c7f0996a0035f58ec7d8136d1aacf4a245c1d3dc594980624853

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk

Filesize
1KB

MD5
3b6f825e7cb65031d0f89041cb22b39d

SHA1
9b68149096a5f20556e4f605d22e987a9c4e5c47

SHA256
2f48d964b6f03bc6432dcc57bad27a95f4a6498d0f564ad16bdb5ef5f1d9a955

SHA512
60618d6743a1aff68752543c4f49e247b91650f2b2758714167359be9938e9b6e663633c8e97b52b32b26f645af04c8d0a217ab6ad961af22e21da40dd867509

Download Submit
\Users\Admin\AppData\Local\G8FN\WINSTA.dll

Filesize
1.2MB

MD5
3ece23f07a5ed443476e122a6e34b0e5

SHA1
ca2d0a02ceaf3ff191271f8b88b0a21caa5d8635

SHA256
b30058604ce582da4cc8520e993f5c38b5abfc86cc5652911cc37884c9eb2ac3

SHA512
3d556a07d12de7e106aa890cebbd54b668c1acc6c1bf162a6e06daac1c57b808c170b2ceedd62ff686a5e0fc19d4a5764dc4f8f1138e2270b6a01d52cb70f552

Download Submit
\Users\Admin\AppData\Local\G8FN\rdpshell.exe

Filesize
292KB

MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
\Users\Admin\AppData\Local\rgqx5Jti\wisptis.exe

Filesize
396KB

MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
\Users\Admin\AppData\Local\tIy\osk.exe

Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
memory/1284-28-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-23-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-15-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-14-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-55-0x0000000077D70000-0x0000000077D72000-memory.dmp

Filesize
8KB

Download
memory/1284-54-0x0000000077C11000-0x0000000077C12000-memory.dmp

Filesize
4KB

Download
memory/1284-51-0x00000000020B0000-0x00000000020B7000-memory.dmp

Filesize
28KB

Download
memory/1284-50-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-43-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-42-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-41-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-40-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-39-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-38-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-37-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-36-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-35-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-34-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-33-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-32-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-31-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-30-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-29-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-4-0x0000000077B06000-0x0000000077B07000-memory.dmp

Filesize
4KB

Download
memory/1284-26-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-25-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-24-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-27-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-22-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-21-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-20-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-19-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-18-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-17-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-16-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-58-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-63-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-12-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-13-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-6-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1284-127-0x0000000077B06000-0x0000000077B07000-memory.dmp

Filesize
4KB

Download
memory/1284-7-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-8-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-9-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1284-10-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1680-11-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1680-0-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1680-1-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2636-81-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2636-78-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2636-77-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/3040-109-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/3064-91-0x0000000001F20000-0x0000000001F27000-memory.dmp

Filesize
28KB

Download