dridex | 85a83765c561ea8375b492b286a66a6541427217967cd399d2e4e4230141e4e7

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49b478cc38b76090a5dcf3bf2bf85860_JaffaCakes118.dll
Size

1.2MB
MD5

49b478cc38b76090a5dcf3bf2bf85860
SHA1

17eac34e5fa4b82d401a47c5f5763e918693cac3
SHA256

85a83765c561ea8375b492b286a66a6541427217967cd399d2e4e4230141e4e7
SHA512

6f37c08e374b6b07a7c45a1521b05d2841864cf66d04044c1db9e6c828cdd877adbd6df0602df8db6df86740c28d72a27ed077c916333e2d08cb3129bae57958
SSDEEP

12288:pVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:IfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1212-5-0x0000000002E90000-0x0000000002E91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2828	StikyNot.exe
1572	fvenotify.exe
756	SystemPropertiesAdvanced.exe

Loads dropped DLL 7 IoCs

pid	Process
1212	Process not Found
2828	StikyNot.exe
1212	Process not Found
1572	fvenotify.exe
1212	Process not Found
756	SystemPropertiesAdvanced.exe
1212	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\UXFRP6~1\\FVENOT~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StikyNot.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2480	rundll32.exe
2480	rundll32.exe
2480	rundll32.exe
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1508	1212	Process not Found	31
PID 1212 wrote to memory of 1508	1212	Process not Found	31
PID 1212 wrote to memory of 1508	1212	Process not Found	31
PID 1212 wrote to memory of 2828	1212	Process not Found	32
PID 1212 wrote to memory of 2828	1212	Process not Found	32
PID 1212 wrote to memory of 2828	1212	Process not Found	32
PID 1212 wrote to memory of 3068	1212	Process not Found	33
PID 1212 wrote to memory of 3068	1212	Process not Found	33
PID 1212 wrote to memory of 3068	1212	Process not Found	33
PID 1212 wrote to memory of 1572	1212	Process not Found	34
PID 1212 wrote to memory of 1572	1212	Process not Found	34
PID 1212 wrote to memory of 1572	1212	Process not Found	34
PID 1212 wrote to memory of 2884	1212	Process not Found	35
PID 1212 wrote to memory of 2884	1212	Process not Found	35
PID 1212 wrote to memory of 2884	1212	Process not Found	35
PID 1212 wrote to memory of 756	1212	Process not Found	36
PID 1212 wrote to memory of 756	1212	Process not Found	36
PID 1212 wrote to memory of 756	1212	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\49b478cc38b76090a5dcf3bf2bf85860_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2480

C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
1⤵
PID:1508

C:\Users\Admin\AppData\Local\JEsHuWzbp\StikyNot.exe
C:\Users\Admin\AppData\Local\JEsHuWzbp\StikyNot.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2828

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:3068

C:\Users\Admin\AppData\Local\N2riyB\fvenotify.exe
C:\Users\Admin\AppData\Local\N2riyB\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1572

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:2884

C:\Users\Admin\AppData\Local\dXCeY\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\dXCeY\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JEsHuWzbp\DUI70.dll

Filesize
1.4MB

MD5
be11a59197cde99bc3c98c4853103f99

SHA1
0c79c299201bec3efdbf847944136398cf5c582d

SHA256
a30c3fb2f2ffbe64b4a64df65ad27ab2a25e0eda4554c1d9ed5a96fce4c8009b

SHA512
901dc8ceea222c74101e20367e8b0586c477ff936819966c3800d715145d5ed4c8c02195adad0c8fd85057384da2c5ff9e98fa50b618a709b79d23eeda3c5705

Download Submit
C:\Users\Admin\AppData\Local\N2riyB\slc.dll

Filesize
1.2MB

MD5
225729b672a43fa7e54d7c18861161a0

SHA1
49df6e0164917379bc8c547192aed48032b0a599

SHA256
943f4001ca0f566e8807b9e34b37fb5d3fa753ea40515451f73bb750658c023f

SHA512
b3d5143981da6b6daa518dcd2bbf14ccd4d5ab352b9c647e5232dac3763d86477939b87654ffdb0abcabddee3663aff39db154e4aa21dc0a33e08bb9e121ff46

Download Submit
C:\Users\Admin\AppData\Local\dXCeY\SYSDM.CPL

Filesize
1.2MB

MD5
58810058c2d03427b5a498b1544f5971

SHA1
501e68d79e2af76efea26d2e480b08a6064250bc

SHA256
b84e51c73adb51d811155168318f30164dfc2772cccdbe9395d645ff571d7c85

SHA512
0c3ffa729a18a027cb0f0f658e4274b1c5b4a41ba7002f1a1fe122334c2366ab3c4fadb8f24957f1b25afcb56d85e1b83932eccfd3fcd71ecc9de0f0263f7cd6

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk

Filesize
979B

MD5
c1a6c841ddcda302adb543167610c718

SHA1
d7a631696832c8fa6468d80a3542530df8c7cfb6

SHA256
fb09f4aea3feb127202d1e7889cc19932a2fdc096be7880b809efebcc35bda4e

SHA512
01a224d3b6b2bb8939cb3eac55a021204ba96e772778d69c4bbb061e84ed5ca272bb69d3bf93303bb998489f15cb60ec9023de7b3e3eb27f0a4d4ed586ea989b

Download Submit
\Users\Admin\AppData\Local\JEsHuWzbp\StikyNot.exe

Filesize
417KB

MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
\Users\Admin\AppData\Local\N2riyB\fvenotify.exe

Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\dXCeY\SystemPropertiesAdvanced.exe

Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
memory/756-114-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1212-21-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-15-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-50-0x0000000002E70000-0x0000000002E77000-memory.dmp

Filesize
28KB

Download
memory/1212-49-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-42-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-41-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-40-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-39-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-38-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-36-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-35-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-34-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-33-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-32-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-31-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-30-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-29-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-27-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-25-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-24-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-23-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-22-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-4-0x00000000779F6000-0x00000000779F7000-memory.dmp

Filesize
4KB

Download
memory/1212-20-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-19-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-18-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-17-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-28-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-12-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-10-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-9-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-52-0x0000000077C60000-0x0000000077C62000-memory.dmp

Filesize
8KB

Download
memory/1212-51-0x0000000077B01000-0x0000000077B02000-memory.dmp

Filesize
4KB

Download
memory/1212-65-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-67-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-61-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-70-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-14-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-13-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-8-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-132-0x00000000779F6000-0x00000000779F7000-memory.dmp

Filesize
4KB

Download
memory/1212-7-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-5-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/1212-16-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-26-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1212-37-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1572-97-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2480-11-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2480-3-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2480-0-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2828-85-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2828-80-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/2828-79-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download