dridex | 7ec10a17f6970d4d8db9ee8b26fb8dff79a3d8a666701c91ca856f1e023df29d

Analysis

max time kernel
115s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

910c0c807fac1d91d4f2c0e1b40669f8_JaffaCakes118.dll
Size

1.2MB
MD5

910c0c807fac1d91d4f2c0e1b40669f8
SHA1

837bd3d884170bb6b23de202e9cb17d0964ebfdb
SHA256

7ec10a17f6970d4d8db9ee8b26fb8dff79a3d8a666701c91ca856f1e023df29d
SHA512

b1a059f9bf9d401080d61e9c599dc2ac742483f72ff5fa5bb80a2d8511044af4922bf302625ba9c5124a4b69e1e9f7ed1808e19885bc6c66e3136f84b8bb874e
SSDEEP

12288:pVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:IfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1076-5-0x0000000002570000-0x0000000002571000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

OptionalFeatures.exeDisplaySwitch.exeUI0Detect.exe

pid process

2848 OptionalFeatures.exe
2264 DisplaySwitch.exe
1964 UI0Detect.exe
Loads dropped DLL 7 IoCs

Processes:

OptionalFeatures.exeDisplaySwitch.exeUI0Detect.exe

pid process

1076
2848 OptionalFeatures.exe
1076
2264 DisplaySwitch.exe
1076
1964 UI0Detect.exe
1076

pid	process
2848	OptionalFeatures.exe
2264	DisplaySwitch.exe
1964	UI0Detect.exe

pid	process
1076
2848	OptionalFeatures.exe
1076
2264	DisplaySwitch.exe
1076
1964	UI0Detect.exe
1076

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtunysabu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\019VsWe7f\\DisplaySwitch.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeOptionalFeatures.exeDisplaySwitch.exeUI0Detect.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UI0Detect.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076
1076

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1076 wrote to memory of 2892	1076	OptionalFeatures.exe
PID 1076 wrote to memory of 2892	1076	OptionalFeatures.exe
PID 1076 wrote to memory of 2892	1076	OptionalFeatures.exe
PID 1076 wrote to memory of 2848	1076	OptionalFeatures.exe
PID 1076 wrote to memory of 2848	1076	OptionalFeatures.exe
PID 1076 wrote to memory of 2848	1076	OptionalFeatures.exe
PID 1076 wrote to memory of 2548	1076	DisplaySwitch.exe
PID 1076 wrote to memory of 2548	1076	DisplaySwitch.exe
PID 1076 wrote to memory of 2548	1076	DisplaySwitch.exe
PID 1076 wrote to memory of 2264	1076	DisplaySwitch.exe
PID 1076 wrote to memory of 2264	1076	DisplaySwitch.exe
PID 1076 wrote to memory of 2264	1076	DisplaySwitch.exe
PID 1076 wrote to memory of 2000	1076	UI0Detect.exe
PID 1076 wrote to memory of 2000	1076	UI0Detect.exe
PID 1076 wrote to memory of 2000	1076	UI0Detect.exe
PID 1076 wrote to memory of 1964	1076	UI0Detect.exe
PID 1076 wrote to memory of 1964	1076	UI0Detect.exe
PID 1076 wrote to memory of 1964	1076	UI0Detect.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\910c0c807fac1d91d4f2c0e1b40669f8_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3052

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:2892

C:\Users\Admin\AppData\Local\3S2\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\3S2\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2848

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:2548

C:\Users\Admin\AppData\Local\RZJge\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\RZJge\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2264

C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\UI0Detect.exe
1⤵
PID:2000

C:\Users\Admin\AppData\Local\sudY\UI0Detect.exe
C:\Users\Admin\AppData\Local\sudY\UI0Detect.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3S2\OptionalFeatures.exe

Filesize
95KB

MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
C:\Users\Admin\AppData\Local\RZJge\DisplaySwitch.exe

Filesize
517KB

MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk

Filesize
1KB

MD5
eed252f97306b3c40493dfbe028f492b

SHA1
96d0e94efd31ed1d6a6420f057e55f80ee39dce5

SHA256
5389b736803fa1f52e708204ecafe1df9b80816a7c2eab40678b9ff16f3e3de0

SHA512
4f098c31237ab9c37b3fbacaa1be93822ef82ca059c0a1c8d5390b097cfed22a514fc873b518ca983bad818d1e49eb2043d5d245f6780a9014c63bbc1ba7a9ad

Download Submit
\Users\Admin\AppData\Local\3S2\appwiz.cpl

Filesize
1.2MB

MD5
9fdf95354bd2a62e31c262addb3de99f

SHA1
44d470c13b124ac19521dd6665da6af5ba4f329f

SHA256
efd6943c5b16720a78ad8314ef42fad303a90e1d28191b93766d84d74c96ccbf

SHA512
671e518ca79f8fd647d7985c53acbe753869686b950e64e5445cd24357b146267c59a05debb0bb765e9461b3935fc90ff2e149b85f879154f1e9f7362661db96

Download Submit
\Users\Admin\AppData\Local\RZJge\slc.dll

Filesize
1.2MB

MD5
b4b8d6bf90b6803033974be6e20b093b

SHA1
fb9359c7b46afc4a6efa7d22dadd457d91ed269a

SHA256
d325048201d4b9c7ab116d895bd0d8b06a897d524be8190eebf6ecd13861f5fb

SHA512
1ea438a4481620165d7ce63ee59065818a9d39434de4d3dbb62fdb04cb2aafbd904db40df642d376a8a1798a7948945169796e34f1172a1ac702275b4c6b2829

Download Submit
\Users\Admin\AppData\Local\sudY\UI0Detect.exe

Filesize
40KB

MD5
3cbdec8d06b9968aba702eba076364a1

SHA1
6e0fcaccadbdb5e3293aa3523ec1006d92191c58

SHA256
b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

SHA512
a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

Download Submit
\Users\Admin\AppData\Local\sudY\WINSTA.dll

Filesize
1.2MB

MD5
289186a44104d01d9e9fb8fe93492324

SHA1
a0ad1761dc31c5974de722154715d4a1ee3b6270

SHA256
8d8cfe9c2de3e3cb44775c22db51bf78e8a199744f286aa5d479bb205aef1393

SHA512
069fe76443fbe03e60f07111119d26bc6f416a279ed7e2561ef8ef0cd22f411a1838e5aa29a9e4a884867ab4be704a7783985d8779ef43847c55be119d6ea555

Download Submit
memory/1076-17-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-42-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-55-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-47-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-45-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-67-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-76-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-57-0x00000000774C1000-0x00000000774C2000-memory.dmp

Filesize
4KB

Download
memory/1076-143-0x00000000772B6000-0x00000000772B7000-memory.dmp

Filesize
4KB

Download
memory/1076-58-0x0000000077620000-0x0000000077622000-memory.dmp

Filesize
8KB

Download
memory/1076-73-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-43-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-41-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-39-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-37-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-35-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-31-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-29-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-27-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-25-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-23-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-21-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-19-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-4-0x00000000772B6000-0x00000000772B7000-memory.dmp

Filesize
4KB

Download
memory/1076-48-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-46-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-44-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-56-0x0000000002550000-0x0000000002557000-memory.dmp

Filesize
28KB

Download
memory/1076-40-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-38-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-34-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-33-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-36-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-32-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-30-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-28-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-26-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-24-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-22-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-20-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-18-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-15-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-14-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-13-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-12-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-11-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-16-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-9-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-8-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-7-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1076-5-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1964-127-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/2848-85-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/3052-10-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3052-3-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/3052-0-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download