dridex | de08365e362b2d95838d2a3a7a3bcae93cde512cbcc6e0cdbf60f2588350a572

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/10/2024, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65eedb07a6f749ad69bd6a937505442f_JaffaCakes118.dll
Size

816KB
MD5

65eedb07a6f749ad69bd6a937505442f
SHA1

8a37ca00b017b63c3d231302419d2e89a06d5b7d
SHA256

de08365e362b2d95838d2a3a7a3bcae93cde512cbcc6e0cdbf60f2588350a572
SHA512

d9b1bcdd1c5d0f6ee6f8ec326a7a1cf5370241475204d3fc31f91f31ab76b42e3e5b5fec7402335b46405d2fa47ccdab5e719b71502b3075f6802d0a35551512
SSDEEP

12288:XdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:tMIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1172-4-0x0000000002D70000-0x0000000002D71000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2264-0-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral1/memory/1172-46-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral1/memory/1172-59-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral1/memory/1172-58-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral1/memory/2264-66-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral1/memory/3024-75-0x0000000140000000-0x00000001400CD000-memory.dmp	dridex_payload
behavioral1/memory/3024-79-0x0000000140000000-0x00000001400CD000-memory.dmp	dridex_payload
behavioral1/memory/1260-91-0x0000000140000000-0x00000001400CE000-memory.dmp	dridex_payload
behavioral1/memory/1260-96-0x0000000140000000-0x00000001400CE000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
3024	spinstall.exe
1260	UI0Detect.exe
1496	Netplwiz.exe

Loads dropped DLL 7 IoCs

pid	Process
1172	Process not Found
3024	spinstall.exe
1172	Process not Found
1260	UI0Detect.exe
1172	Process not Found
1496	Netplwiz.exe
1172	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mkmfyiwmvqjxba = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ACCESS~1\\eQoo9\\UI0DET~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spinstall.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UI0Detect.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2264	rundll32.exe
2264	rundll32.exe
2264	rundll32.exe
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
1172	Process not Found
3024	spinstall.exe
3024	spinstall.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2280	1172	Process not Found	30
PID 1172 wrote to memory of 2280	1172	Process not Found	30
PID 1172 wrote to memory of 2280	1172	Process not Found	30
PID 1172 wrote to memory of 3024	1172	Process not Found	31
PID 1172 wrote to memory of 3024	1172	Process not Found	31
PID 1172 wrote to memory of 3024	1172	Process not Found	31
PID 1172 wrote to memory of 1520	1172	Process not Found	32
PID 1172 wrote to memory of 1520	1172	Process not Found	32
PID 1172 wrote to memory of 1520	1172	Process not Found	32
PID 1172 wrote to memory of 1260	1172	Process not Found	33
PID 1172 wrote to memory of 1260	1172	Process not Found	33
PID 1172 wrote to memory of 1260	1172	Process not Found	33
PID 1172 wrote to memory of 2812	1172	Process not Found	34
PID 1172 wrote to memory of 2812	1172	Process not Found	34
PID 1172 wrote to memory of 2812	1172	Process not Found	34
PID 1172 wrote to memory of 1496	1172	Process not Found	35
PID 1172 wrote to memory of 1496	1172	Process not Found	35
PID 1172 wrote to memory of 1496	1172	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\65eedb07a6f749ad69bd6a937505442f_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Windows\system32\spinstall.exe
C:\Windows\system32\spinstall.exe
1⤵
PID:2280

C:\Users\Admin\AppData\Local\0l9H\spinstall.exe
C:\Users\Admin\AppData\Local\0l9H\spinstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\UI0Detect.exe
1⤵
PID:1520

C:\Users\Admin\AppData\Local\1mu8nfV\UI0Detect.exe
C:\Users\Admin\AppData\Local\1mu8nfV\UI0Detect.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1260

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2812

C:\Users\Admin\AppData\Local\M6H96Ry72\Netplwiz.exe
C:\Users\Admin\AppData\Local\M6H96Ry72\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0l9H\sqmapi.dll

Filesize
820KB

MD5
679c7d289c0d4be8ddab283fac2c51aa

SHA1
c10c3a4233a220a38d45190c749992dfee117c2d

SHA256
7d45955ae5d47186799814734d4f4942eba0828cdd635e6139645b8a0b7026cb

SHA512
04d64ccc94196090f44d0c26f6aca5a6737a7685c1aa47b9e6dbabf89ce64f4a0e9bda008d8697c4353d527327293b763d369d30264dbc1138a21b1a73f9558b

Download Submit
C:\Users\Admin\AppData\Local\1mu8nfV\WINSTA.dll

Filesize
824KB

MD5
496f5ba0fd4978b7d39c19b9b2532145

SHA1
c28eb6aa6bb19be7ec7fe8df71cbc361e80bb3d3

SHA256
8fcde2c5f7740ea435d6bfa18eb78449a0beb58a69123161cc15e5adde973b4a

SHA512
5f01f3a8d15760acc0a722e3fcc828dd0bde2ec0781f12521ce1c03aef76223cc1747acde6f00b8222baf876664f67542f3303ade58c0b41a620d28c44f66a2f

Download Submit
C:\Users\Admin\AppData\Local\M6H96Ry72\NETPLWIZ.dll

Filesize
820KB

MD5
ddc13a25d444bbc6fcc8e7c724e19d54

SHA1
594637f4da45862d1e9a1f8383f2421e3afd2dd9

SHA256
097478d4440acc5245081e70fa5fb1f732310e395cd9c610017a00f4d7a87530

SHA512
ca88b48abcbc278160b350c52205251c0a3ebb633b66ceaaab26c07d144329433174b854cb6bcc8ce4ca95201c3fce21432100ac50d2fde7e28af98f5e4b589a

Download Submit
C:\Users\Admin\AppData\Local\M6H96Ry72\Netplwiz.exe

Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk

Filesize
1KB

MD5
6ce6a0d4df3fd34ba9d10343891c8a15

SHA1
20baf0a51d1f047bc4c6da219ae29d53c29312df

SHA256
985f3e74ce8fd22a7916a34dc475d1df88e01debc5ee6d7da012aa5464db3d71

SHA512
564035119736f23b08a68b514270eec77ba2231458e599f1e65652bb750a74c957cc3e13a7d61c6c30929c2279c95dd16c802b3290067131d29457a3d0b9298c

Download Submit
\Users\Admin\AppData\Local\0l9H\spinstall.exe

Filesize
584KB

MD5
29c1d5b330b802efa1a8357373bc97fe

SHA1
90797aaa2c56fc2a667c74475996ea1841bc368f

SHA256
048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

SHA512
66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

Download Submit
\Users\Admin\AppData\Local\1mu8nfV\UI0Detect.exe

Filesize
40KB

MD5
3cbdec8d06b9968aba702eba076364a1

SHA1
6e0fcaccadbdb5e3293aa3523ec1006d92191c58

SHA256
b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

SHA512
a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

Download Submit
memory/1172-29-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-25-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-15-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-14-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-13-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-12-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-11-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-10-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-9-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-8-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-7-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-6-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-21-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-45-0x00000000029E0000-0x00000000029E7000-memory.dmp

Filesize
28KB

Download
memory/1172-37-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-36-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-35-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-34-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-33-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-32-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-30-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-3-0x0000000077736000-0x0000000077737000-memory.dmp

Filesize
4KB

Download
memory/1172-28-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-27-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-26-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-16-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-24-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-23-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-22-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-31-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-46-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-48-0x00000000779D0000-0x00000000779D2000-memory.dmp

Filesize
8KB

Download
memory/1172-47-0x00000000779A0000-0x00000000779A2000-memory.dmp

Filesize
8KB

Download
memory/1172-59-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-58-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-4-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/1172-17-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-18-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-20-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1172-19-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1260-91-0x0000000140000000-0x00000001400CE000-memory.dmp

Filesize
824KB

Download
memory/1260-93-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/1260-96-0x0000000140000000-0x00000001400CE000-memory.dmp

Filesize
824KB

Download
memory/1496-110-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2264-66-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/2264-2-0x0000000000310000-0x0000000000317000-memory.dmp

Filesize
28KB

Download
memory/2264-0-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3024-74-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/3024-79-0x0000000140000000-0x00000001400CD000-memory.dmp

Filesize
820KB

Download
memory/3024-75-0x0000000140000000-0x00000001400CD000-memory.dmp

Filesize
820KB

Download