dridex | 00a4f5b50c281942629456327a8a4772f28e234abcb4dc6ecd755ff849714a93

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/10/2024, 23:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64aceb8bda31f573a45db0ea2c70c918_JaffaCakes118.dll
Size

872KB
MD5

64aceb8bda31f573a45db0ea2c70c918
SHA1

448bbb8dfded2f51b6b098cb2d650c961d0275b8
SHA256

00a4f5b50c281942629456327a8a4772f28e234abcb4dc6ecd755ff849714a93
SHA512

201c607317f291c84f417ca9b3c9c371c85140283c9d9279b62a8c46682224411ac3d612eafd95b606564893bea354df6af0ec7e443ae300e5862b591605e19f
SSDEEP

12288:SdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:kMIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1128-4-0x00000000024F0000-0x00000000024F1000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2336-0-0x0000000140000000-0x00000001400DA000-memory.dmp	dridex_payload
behavioral1/memory/1128-47-0x0000000140000000-0x00000001400DA000-memory.dmp	dridex_payload
behavioral1/memory/1128-59-0x0000000140000000-0x00000001400DA000-memory.dmp	dridex_payload
behavioral1/memory/1128-58-0x0000000140000000-0x00000001400DA000-memory.dmp	dridex_payload
behavioral1/memory/2336-67-0x0000000140000000-0x00000001400DA000-memory.dmp	dridex_payload
behavioral1/memory/2564-76-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral1/memory/2564-81-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral1/memory/1140-98-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2564	wextract.exe
1140	rekeywiz.exe
1668	DWWIN.EXE

Loads dropped DLL 7 IoCs

pid	Process
1128	Process not Found
2564	wextract.exe
1128	Process not Found
1140	rekeywiz.exe
1128	Process not Found
1668	DWWIN.EXE
1128	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtunysabu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\4NqPT4pdPc\\rekeywiz.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rekeywiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2336	rundll32.exe
2336	rundll32.exe
2336	rundll32.exe
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
1128	Process not Found
2564	wextract.exe
2564	wextract.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2620	1128	Process not Found	31
PID 1128 wrote to memory of 2620	1128	Process not Found	31
PID 1128 wrote to memory of 2620	1128	Process not Found	31
PID 1128 wrote to memory of 2564	1128	Process not Found	32
PID 1128 wrote to memory of 2564	1128	Process not Found	32
PID 1128 wrote to memory of 2564	1128	Process not Found	32
PID 1128 wrote to memory of 1188	1128	Process not Found	33
PID 1128 wrote to memory of 1188	1128	Process not Found	33
PID 1128 wrote to memory of 1188	1128	Process not Found	33
PID 1128 wrote to memory of 1140	1128	Process not Found	34
PID 1128 wrote to memory of 1140	1128	Process not Found	34
PID 1128 wrote to memory of 1140	1128	Process not Found	34
PID 1128 wrote to memory of 1652	1128	Process not Found	35
PID 1128 wrote to memory of 1652	1128	Process not Found	35
PID 1128 wrote to memory of 1652	1128	Process not Found	35
PID 1128 wrote to memory of 1668	1128	Process not Found	36
PID 1128 wrote to memory of 1668	1128	Process not Found	36
PID 1128 wrote to memory of 1668	1128	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\64aceb8bda31f573a45db0ea2c70c918_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:2620

C:\Users\Admin\AppData\Local\fmK\wextract.exe
C:\Users\Admin\AppData\Local\fmK\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2564

C:\Windows\system32\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
1⤵
PID:1188

C:\Users\Admin\AppData\Local\OQvoc\rekeywiz.exe
C:\Users\Admin\AppData\Local\OQvoc\rekeywiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1140

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:1652

C:\Users\Admin\AppData\Local\1qY7t\DWWIN.EXE
C:\Users\Admin\AppData\Local\1qY7t\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1qY7t\wer.dll

Filesize
876KB

MD5
3c908e29b9de09d30d827bac0a568bd2

SHA1
edc865e419165ed07dcf36ba190385b5065c301e

SHA256
334722c5c38bfe0459efbfb3781bf89b1ec4705cc41b0458bb5c4ba7c0a7e604

SHA512
0d0ed0e31a1f1030517cf245c9bb0702988694d3c4e1dacf3ef77cb694d9bd638cc1d8b30a4053570e98fc96035206932f80d31f4fc5d71eb85976633feafaee

Download Submit
C:\Users\Admin\AppData\Local\OQvoc\slc.dll

Filesize
876KB

MD5
be668902fe0c6b3b83a9d1901930b8e6

SHA1
ff0fae849d293104be73b7f5cb43854bfb4bb44f

SHA256
1c9d950656ca1c74487aa7480ab9403d0a8e1a5f32e8cc68d5cc9b944d50fed7

SHA512
1873263203321da9f98cde5e915c64c2de3ded6865a5239024bbd321baacefa1afc0f993881750ce58e4fb6f6ee19503f20aba5003fb45c76c575e9c529a1ffc

Download Submit
C:\Users\Admin\AppData\Local\fmK\VERSION.dll

Filesize
876KB

MD5
5b2aa432a4097dab56e658409ae329d8

SHA1
12207b45bb1ea732fc255eaeab9b41123b152ff5

SHA256
a4af529c486364e5db33fe05d50455e93c598ae97f560ea9425e68af6dd08ece

SHA512
438ffe8f23ec9793b2b3b1a9bb67665a251d6e465cbe46f98f2d4843801ba97e926279d89ff177e0ed7993aa45d666622878f7968695a98a94e8728eb7429946

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk

Filesize
723B

MD5
d1852e4af6331c4ec319536407071077

SHA1
4746fabfa424f6656ab94faa68d36de5c2da1809

SHA256
5504e7ccd52a6544305ee5d30b04128b4a46f98e88554116caa232df45ae9069

SHA512
857f588ec5c6fedea7ab270d243f4a9a13943c4dde4e8fdac97b9924fa0baffaf461a810c613a99697c0a4c47c07282cc384e7b86a22bcc2005eb1878368a462

Download Submit
\Users\Admin\AppData\Local\1qY7t\DWWIN.EXE

Filesize
149KB

MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
\Users\Admin\AppData\Local\OQvoc\rekeywiz.exe

Filesize
67KB

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
\Users\Admin\AppData\Local\fmK\wextract.exe

Filesize
140KB

MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
memory/1128-25-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-21-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-9-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-15-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-20-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-26-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-27-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-28-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-46-0x00000000024D0000-0x00000000024D7000-memory.dmp

Filesize
28KB

Download
memory/1128-47-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-38-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-37-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-36-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-35-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-34-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-33-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-32-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-49-0x00000000774E0000-0x00000000774E2000-memory.dmp

Filesize
8KB

Download
memory/1128-48-0x00000000774B0000-0x00000000774B2000-memory.dmp

Filesize
8KB

Download
memory/1128-31-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-30-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-16-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-24-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-23-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-22-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-29-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-19-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-18-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-17-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-14-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-13-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-12-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-11-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-10-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-59-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-58-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-68-0x0000000077246000-0x0000000077247000-memory.dmp

Filesize
4KB

Download
memory/1128-3-0x0000000077246000-0x0000000077247000-memory.dmp

Filesize
4KB

Download
memory/1128-4-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1128-8-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-7-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1128-6-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/1140-93-0x0000000001C20000-0x0000000001C27000-memory.dmp

Filesize
28KB

Download
memory/1140-98-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/2336-67-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/2336-2-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2336-0-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/2564-81-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/2564-76-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/2564-78-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.