dridex | 45e0689c0505e4d32d651eeabac3c15072558c57fa8ed3403bdc3ffbb7197f2a

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/10/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66f1c60cbffe0d19f4b0459ef14628ab_JaffaCakes118.dll
Size

800KB
MD5

66f1c60cbffe0d19f4b0459ef14628ab
SHA1

a1a37181f922c11159a5ea45272973e85563c7bc
SHA256

45e0689c0505e4d32d651eeabac3c15072558c57fa8ed3403bdc3ffbb7197f2a
SHA512

bf87f0a585bc271b99d3b4d2b966a40b70b147646489a730700f6ecd5fe095040ad0334955ff0845c00e6625e91a2726122b40f9a75530dcdfde7efef595b446
SSDEEP

12288:HdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:9MIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1152-4-0x0000000002E80000-0x0000000002E81000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/1792-1-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/1152-44-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/1792-50-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/1152-56-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/1152-57-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral1/memory/1468-73-0x0000000140000000-0x00000001400FC000-memory.dmp	dridex_payload
behavioral1/memory/1468-77-0x0000000140000000-0x00000001400FC000-memory.dmp	dridex_payload
behavioral1/memory/1760-90-0x0000000140000000-0x00000001400C9000-memory.dmp	dridex_payload
behavioral1/memory/1760-94-0x0000000140000000-0x00000001400C9000-memory.dmp	dridex_payload
behavioral1/memory/3048-111-0x0000000140000000-0x00000001400C9000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1468	Utilman.exe
1760	p2phost.exe
3048	SystemPropertiesHardware.exe

Loads dropped DLL 7 IoCs

pid	Process
1152	Process not Found
1468	Utilman.exe
1152	Process not Found
1760	p2phost.exe
1152	Process not Found
3048	SystemPropertiesHardware.exe
1152	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gazvzzjnt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\GMhS\\p2phost.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	rundll32.exe
1792	rundll32.exe
1792	rundll32.exe
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1152	Process not Found
1468	Utilman.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2852	1152	Process not Found	30
PID 1152 wrote to memory of 2852	1152	Process not Found	30
PID 1152 wrote to memory of 2852	1152	Process not Found	30
PID 1152 wrote to memory of 1468	1152	Process not Found	31
PID 1152 wrote to memory of 1468	1152	Process not Found	31
PID 1152 wrote to memory of 1468	1152	Process not Found	31
PID 1152 wrote to memory of 1568	1152	Process not Found	33
PID 1152 wrote to memory of 1568	1152	Process not Found	33
PID 1152 wrote to memory of 1568	1152	Process not Found	33
PID 1152 wrote to memory of 1760	1152	Process not Found	34
PID 1152 wrote to memory of 1760	1152	Process not Found	34
PID 1152 wrote to memory of 1760	1152	Process not Found	34
PID 1152 wrote to memory of 3060	1152	Process not Found	35
PID 1152 wrote to memory of 3060	1152	Process not Found	35
PID 1152 wrote to memory of 3060	1152	Process not Found	35
PID 1152 wrote to memory of 3048	1152	Process not Found	36
PID 1152 wrote to memory of 3048	1152	Process not Found	36
PID 1152 wrote to memory of 3048	1152	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\66f1c60cbffe0d19f4b0459ef14628ab_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:2852

C:\Users\Admin\AppData\Local\S7qCdw\Utilman.exe
C:\Users\Admin\AppData\Local\S7qCdw\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:1568

C:\Users\Admin\AppData\Local\BAeu1\p2phost.exe
C:\Users\Admin\AppData\Local\BAeu1\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1760

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:3060

C:\Users\Admin\AppData\Local\U9dNc\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\U9dNc\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BAeu1\P2P.dll

Filesize
804KB

MD5
2f9e155cd46ebc1a2eda4e0ad6b61dc7

SHA1
11a07a81dc8be42118199ac622822cbe797eb5b3

SHA256
2ae2549a123c8cf25c8b53713f748148ec3fce2a02b850e238423de79a55957a

SHA512
3cad872f64cb258a4a92f62c57ee118775b2cca0a8256771de23f0e0deef1826d110d21b2f551cb9d4c0330cdd33eea902ead0ebad81c80b167ef18fea0c20ec

Download Submit
C:\Users\Admin\AppData\Local\S7qCdw\DUI70.dll

Filesize
1008KB

MD5
bcb9270d71a7fe2587e0cc41e72b7a18

SHA1
055db1f5ee33bde737eba4b5655f8399b1039e46

SHA256
ec35ca39c07a57289bc815ba90c42d1c6641850c26a63465d6d8e6c52852d930

SHA512
a3249c15a8f8a9f06c9f7ef3c9c15993a4915188de8975aa2bbf3581fa270fc6b7eb56aa9ef296197a0db89a30c2855ca7ea4fde46205feec4dc3c03121c72e4

Download Submit
C:\Users\Admin\AppData\Local\U9dNc\SYSDM.CPL

Filesize
804KB

MD5
046484b36ae189890e780b34d93577a0

SHA1
5f3cba7cf1e99754c8d2edf674a8e187052fac1f

SHA256
0539eed267e9587475ce7c02603f69c31b0510db6d177e481df2cf11dab83f19

SHA512
edda9bfa17c31b4b3d7278c0bd18af4831b5396919f28111a6718d47860187b841035231b1be2f3772c292ad0ee9206a88678f846655aaede2db0bc28ced86b6

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk

Filesize
1KB

MD5
98355e05afb151507fbc4e509f188f0d

SHA1
c5fdbaab239b4045706174d53f9d61f1630a0f06

SHA256
8ad1931f9296b65f902100102d7f5222aa7a241396a274ec29e0b0fa82a991ec

SHA512
7d1a4952ee67fb96e2649b62b67bd42f634a289fa280364769c0cd19902e56a3fe24259343b09a6da2bf53501f969d229a02936d68f1627d0b1f44b746b37e1d

Download Submit
\Users\Admin\AppData\Local\BAeu1\p2phost.exe

Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
\Users\Admin\AppData\Local\S7qCdw\Utilman.exe

Filesize
1.3MB

MD5
32c5ee55eadfc071e57851e26ac98477

SHA1
8f8d0aee344e152424143da49ce2c7badabb8f9d

SHA256
7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

SHA512
e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

Download Submit
\Users\Admin\AppData\Local\U9dNc\SystemPropertiesHardware.exe

Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
memory/1152-32-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-13-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-44-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-46-0x00000000773D0000-0x00000000773D2000-memory.dmp

Filesize
8KB

Download
memory/1152-45-0x00000000773A0000-0x00000000773A2000-memory.dmp

Filesize
8KB

Download
memory/1152-43-0x0000000002E60000-0x0000000002E67000-memory.dmp

Filesize
28KB

Download
memory/1152-35-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-3-0x0000000077136000-0x0000000077137000-memory.dmp

Filesize
4KB

Download
memory/1152-31-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-30-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-29-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-28-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-27-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-26-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-25-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-24-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-23-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-21-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-20-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-19-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-18-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-17-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-16-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-15-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-14-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-33-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-12-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-11-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-10-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-9-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-34-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-4-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/1152-56-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-57-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-65-0x0000000077136000-0x0000000077137000-memory.dmp

Filesize
4KB

Download
memory/1152-22-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-8-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-6-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1152-7-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1468-77-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1468-73-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1760-90-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1760-89-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1760-94-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1792-50-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/1792-2-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1792-1-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3048-108-0x0000000000020000-0x0000000000027000-memory.dmp

Filesize
28KB

Download
memory/3048-111-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download