dridex | 84d3d619e2c19d65f1cd545a46284f1b0c8fed90e5e5ae3c2ea2c2fd8cd08dc3

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-10-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d4735af8b4bff7c28411a6c45ab0712_JaffaCakes118.dll
Size

1.1MB
MD5

4d4735af8b4bff7c28411a6c45ab0712
SHA1

29d2150c2481ad8422a6c89efea1eba372a59db0
SHA256

84d3d619e2c19d65f1cd545a46284f1b0c8fed90e5e5ae3c2ea2c2fd8cd08dc3
SHA512

fa3587957044c7e7140d5897c39ccbbfaf90db55f31ae70d1500c29d572c059d6be87aa13e6d4d2e5275607d11598f7e5d1b057010bc9e2c85a95f1daa933160
SSDEEP

12288:RdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:/MIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1184-4-0x0000000002520000-0x0000000002521000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2008-0-0x0000000140000000-0x000000014010F000-memory.dmp	dridex_payload
behavioral1/memory/1184-55-0x0000000140000000-0x000000014010F000-memory.dmp	dridex_payload
behavioral1/memory/1184-54-0x0000000140000000-0x000000014010F000-memory.dmp	dridex_payload
behavioral1/memory/1184-43-0x0000000140000000-0x000000014010F000-memory.dmp	dridex_payload
behavioral1/memory/2008-63-0x0000000140000000-0x000000014010F000-memory.dmp	dridex_payload
behavioral1/memory/2908-77-0x0000000140000000-0x0000000140116000-memory.dmp	dridex_payload
behavioral1/memory/2908-72-0x0000000140000000-0x0000000140116000-memory.dmp	dridex_payload
behavioral1/memory/1248-91-0x0000000140000000-0x0000000140143000-memory.dmp	dridex_payload
behavioral1/memory/1248-95-0x0000000140000000-0x0000000140143000-memory.dmp	dridex_payload
behavioral1/memory/1908-107-0x0000000140000000-0x0000000140110000-memory.dmp	dridex_payload
behavioral1/memory/1908-112-0x0000000140000000-0x0000000140110000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

shrpubw.exeUtilman.exeSystemPropertiesRemote.exe

pid process

2908 shrpubw.exe
1248 Utilman.exe
1908 SystemPropertiesRemote.exe
Loads dropped DLL 7 IoCs

Processes:

shrpubw.exeUtilman.exeSystemPropertiesRemote.exe

pid process

1184
2908 shrpubw.exe
1184
1248 Utilman.exe
1184
1908 SystemPropertiesRemote.exe
1184

pid	process
2908	shrpubw.exe
1248	Utilman.exe
1908	SystemPropertiesRemote.exe

pid	process
1184
2908	shrpubw.exe
1184
1248	Utilman.exe
1184
1908	SystemPropertiesRemote.exe
1184

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\z7XCeb\\Utilman.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeshrpubw.exeUtilman.exeSystemPropertiesRemote.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2008	rundll32.exe
2008	rundll32.exe
2008	rundll32.exe
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1184 wrote to memory of 1796	1184	shrpubw.exe
PID 1184 wrote to memory of 1796	1184	shrpubw.exe
PID 1184 wrote to memory of 1796	1184	shrpubw.exe
PID 1184 wrote to memory of 2908	1184	shrpubw.exe
PID 1184 wrote to memory of 2908	1184	shrpubw.exe
PID 1184 wrote to memory of 2908	1184	shrpubw.exe
PID 1184 wrote to memory of 2540	1184	Utilman.exe
PID 1184 wrote to memory of 2540	1184	Utilman.exe
PID 1184 wrote to memory of 2540	1184	Utilman.exe
PID 1184 wrote to memory of 1248	1184	Utilman.exe
PID 1184 wrote to memory of 1248	1184	Utilman.exe
PID 1184 wrote to memory of 1248	1184	Utilman.exe
PID 1184 wrote to memory of 2324	1184	SystemPropertiesRemote.exe
PID 1184 wrote to memory of 2324	1184	SystemPropertiesRemote.exe
PID 1184 wrote to memory of 2324	1184	SystemPropertiesRemote.exe
PID 1184 wrote to memory of 1908	1184	SystemPropertiesRemote.exe
PID 1184 wrote to memory of 1908	1184	SystemPropertiesRemote.exe
PID 1184 wrote to memory of 1908	1184	SystemPropertiesRemote.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d4735af8b4bff7c28411a6c45ab0712_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1796

C:\Users\Admin\AppData\Local\qicu2LTmq\shrpubw.exe
C:\Users\Admin\AppData\Local\qicu2LTmq\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2908

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:2540

C:\Users\Admin\AppData\Local\T5nbxu\Utilman.exe
C:\Users\Admin\AppData\Local\T5nbxu\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1248

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2324

C:\Users\Admin\AppData\Local\n4VQfc\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\n4VQfc\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\T5nbxu\DUI70.dll

Filesize
1.3MB

MD5
fa81371d494ddbf1d5966333abcbd078

SHA1
80af58431165cacc46dbc1258c52bd80adc84d11

SHA256
148d8c0c47872ef9e9b8686e3dc6093a2dc84188d216dc01eaf37fd8850480a1

SHA512
b0ffd39d9fd7a6d43c0669d2e9974704196549d39961cae9375558dd02a0e72859dd1cacb17d64663ac346f157ff371fa0ec7aafed526e3e14b9c0090e55dddd

Download Submit
C:\Users\Admin\AppData\Local\n4VQfc\SYSDM.CPL

Filesize
1.1MB

MD5
e19cb07bdc0b9eeb4c36f37250528a0a

SHA1
e3ed78869a80c5cec7c984c7e72ee4973b376fdd

SHA256
773533e65b6f023db0a6ae2a993f71ddbeaf21d0a1c5c0146a1b57b2c8dba27a

SHA512
f1b60955d826b635c840bc28d5ec368379bc6b33668cbeae40041e57a9fbac56c9e321c7b90b69ec3f6d1e227a5236d2e786766b0698cdce535c8be0c38a2d91

Download Submit
C:\Users\Admin\AppData\Local\qicu2LTmq\MFC42u.dll

Filesize
1.1MB

MD5
8b328f63d4954b27b383ced355d676db

SHA1
72a240664e6eb0edea71cb8b3ebc110ed55355b0

SHA256
aeae01d9c5672553d1dc3aa8850053337f390d8ba4146c80559fe6374c3261d2

SHA512
be2a2fdab0321bffc23ada6857e309cb65a69b30d2ffc0434093bcb794eed3cf2880979907a260db122f3fdb07e10ad6853c4415b28565f293e7c5eced95cb7a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
986B

MD5
ae259e401171451ec00b05a8514bc056

SHA1
a17c3609d6d8a90528059f07d472dccd86a88e4c

SHA256
fc3e08279ad7535e1d94bf9dab98a62fb0c09d4f4d87f26cf8bee12f0287a2db

SHA512
35ec7d500fc05b3432b03da7aeab8217ff229a9f9b070d4f5b3e95a03b1948a7f92f1e899a2d72408ac9851dabcd5f01bbdc07381018c69f14c5f02b2146c9d8

Download Submit
\Users\Admin\AppData\Local\T5nbxu\Utilman.exe

Filesize
1.3MB

MD5
32c5ee55eadfc071e57851e26ac98477

SHA1
8f8d0aee344e152424143da49ce2c7badabb8f9d

SHA256
7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

SHA512
e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

Download Submit
\Users\Admin\AppData\Local\n4VQfc\SystemPropertiesRemote.exe

Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Local\qicu2LTmq\shrpubw.exe

Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
memory/1184-33-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-15-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-8-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-7-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-6-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-42-0x0000000002500000-0x0000000002507000-memory.dmp

Filesize
28KB

Download
memory/1184-34-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-3-0x0000000077546000-0x0000000077547000-memory.dmp

Filesize
4KB

Download
memory/1184-32-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-31-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-30-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-29-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-28-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-27-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-26-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-25-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-24-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-23-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-22-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-21-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-20-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-19-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-18-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-17-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-16-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-9-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-14-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-55-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-54-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-45-0x00000000778E0000-0x00000000778E2000-memory.dmp

Filesize
8KB

Download
memory/1184-44-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/1184-43-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-4-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1184-64-0x0000000077546000-0x0000000077547000-memory.dmp

Filesize
4KB

Download
memory/1184-10-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-11-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-13-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1184-12-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1248-91-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1248-95-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1908-107-0x0000000140000000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/1908-109-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/1908-112-0x0000000140000000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2008-63-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/2008-0-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/2008-2-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/2908-72-0x0000000140000000-0x0000000140116000-memory.dmp

Filesize
1.1MB

Download
memory/2908-74-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2908-77-0x0000000140000000-0x0000000140116000-memory.dmp

Filesize
1.1MB

Download