dridex | 9fe73d5332d83d76ee254a477355e48040194e781fd5c12b34f729a999e2554c

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93fc422ef8eef071e16c5b12310f6b36_JaffaCakes118.dll
Size

1.1MB
MD5

93fc422ef8eef071e16c5b12310f6b36
SHA1

f1761280479126762632211380de0969d9295315
SHA256

9fe73d5332d83d76ee254a477355e48040194e781fd5c12b34f729a999e2554c
SHA512

c41316986dcc2359bff2eafb7f4d83403b792110a8257be28c706463957a785ac9c24aee033a02d10fc36b7a2327b655ecc751d3bc489aad4e73165390add566
SSDEEP

12288:idMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:UMIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1248-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/264-0-0x0000000140000000-0x000000014010D000-memory.dmp	dridex_payload
behavioral1/memory/1248-41-0x0000000140000000-0x000000014010D000-memory.dmp	dridex_payload
behavioral1/memory/1248-52-0x0000000140000000-0x000000014010D000-memory.dmp	dridex_payload
behavioral1/memory/1248-55-0x0000000140000000-0x000000014010D000-memory.dmp	dridex_payload
behavioral1/memory/264-61-0x0000000140000000-0x000000014010D000-memory.dmp	dridex_payload
behavioral1/memory/2788-71-0x0000000140000000-0x000000014010E000-memory.dmp	dridex_payload
behavioral1/memory/2788-73-0x0000000140000000-0x000000014010E000-memory.dmp	dridex_payload
behavioral1/memory/1916-90-0x0000000140000000-0x000000014010E000-memory.dmp	dridex_payload
behavioral1/memory/1720-106-0x0000000140000000-0x000000014010E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesRemote.exetabcal.exeSystemPropertiesAdvanced.exe

pid process

2788 SystemPropertiesRemote.exe
1916 tabcal.exe
1720 SystemPropertiesAdvanced.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesRemote.exetabcal.exeSystemPropertiesAdvanced.exe

pid process

1248
2788 SystemPropertiesRemote.exe
1248
1916 tabcal.exe
1248
1720 SystemPropertiesAdvanced.exe
1248

pid	process
2788	SystemPropertiesRemote.exe
1916	tabcal.exe
1720	SystemPropertiesAdvanced.exe

pid	process
1248
2788	SystemPropertiesRemote.exe
1248
1916	tabcal.exe
1248
1720	SystemPropertiesAdvanced.exe
1248

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\WTWSZL~1\\tabcal.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesRemote.exetabcal.exeSystemPropertiesAdvanced.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
264	rundll32.exe
264	rundll32.exe
264	rundll32.exe
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1248 wrote to memory of 2688	1248	SystemPropertiesRemote.exe
PID 1248 wrote to memory of 2688	1248	SystemPropertiesRemote.exe
PID 1248 wrote to memory of 2688	1248	SystemPropertiesRemote.exe
PID 1248 wrote to memory of 2788	1248	SystemPropertiesRemote.exe
PID 1248 wrote to memory of 2788	1248	SystemPropertiesRemote.exe
PID 1248 wrote to memory of 2788	1248	SystemPropertiesRemote.exe
PID 1248 wrote to memory of 2204	1248	tabcal.exe
PID 1248 wrote to memory of 2204	1248	tabcal.exe
PID 1248 wrote to memory of 2204	1248	tabcal.exe
PID 1248 wrote to memory of 1916	1248	tabcal.exe
PID 1248 wrote to memory of 1916	1248	tabcal.exe
PID 1248 wrote to memory of 1916	1248	tabcal.exe
PID 1248 wrote to memory of 1680	1248	SystemPropertiesAdvanced.exe
PID 1248 wrote to memory of 1680	1248	SystemPropertiesAdvanced.exe
PID 1248 wrote to memory of 1680	1248	SystemPropertiesAdvanced.exe
PID 1248 wrote to memory of 1720	1248	SystemPropertiesAdvanced.exe
PID 1248 wrote to memory of 1720	1248	SystemPropertiesAdvanced.exe
PID 1248 wrote to memory of 1720	1248	SystemPropertiesAdvanced.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\93fc422ef8eef071e16c5b12310f6b36_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:264

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2688

C:\Users\Admin\AppData\Local\kdM1q5\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\kdM1q5\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2788

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:2204

C:\Users\Admin\AppData\Local\4pijv\tabcal.exe
C:\Users\Admin\AppData\Local\4pijv\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1916

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:1680

C:\Users\Admin\AppData\Local\7EzU\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\7EzU\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4pijv\HID.DLL

Filesize
1.1MB

MD5
cb6857fcf64ac38093bd7e80f55dc0fa

SHA1
d160d7c90cd619983ffddabc70f19db38788a52b

SHA256
a7cf1141f7f2041e5615f874fdd80b66efbd50461ac9472230f9ff19b7768890

SHA512
fe7c86628b0b5e7ea916105adbe710679f9176af98c451382de5d4c87835956a05f29d55d7eecc42f01a6d47420b6732afe6fae3b5a4243019caf46c17b60bf6

Download Submit
C:\Users\Admin\AppData\Local\7EzU\SYSDM.CPL

Filesize
1.1MB

MD5
561d66600397e1f0d892f2320e1c36fb

SHA1
6007429e4c1e206ba81d90c2057454821310fbad

SHA256
056166cb8296f0bc9a2b93640439f88a25985f2f18d744d094343723d594d776

SHA512
7323b601a8875c6a35c4a2f4e4dd9ff4fe6b213c22cf4324a9fea2edcd1f6161f789990b7e64431419dc717c42a8322d6c8be914cb3928cc0a77c91ddf82350f

Download Submit
C:\Users\Admin\AppData\Local\kdM1q5\SYSDM.CPL

Filesize
1.1MB

MD5
2915e1807cbdf163a7c5f6f8649ea5b5

SHA1
5fe67abc5aa97dc332e3dbf6b44747a9ac6eff2c

SHA256
dce653725650f807e1e513d1b4d273d0cb54353c68df1c616e09d74d91657845

SHA512
5194e5e5452e4068894cf1ce71bb6de3682d577c9847e410175af9724e41344a837ea3b01441504b5f25122bb6a785c7017b461980ea8628673b9fb82311d3ef

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
1KB

MD5
2fcda14ea2024b58371e1352a44c970c

SHA1
2b75c4b2f889290b211597f5a58110a0957b109a

SHA256
6e16cbdd590c0184f61864fca84a9306a7394d86a246aa00f80580d23ee2288f

SHA512
737a788f00381485ac1b628f63af43bac300da2f75901d53af4cc1c1857f8366e311185237840eeeb68612f92057391cdd751ae44ce17f1cc7d23afe0b77c09a

Download Submit
\Users\Admin\AppData\Local\4pijv\tabcal.exe

Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Local\7EzU\SystemPropertiesAdvanced.exe

Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\kdM1q5\SystemPropertiesRemote.exe

Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
memory/264-2-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/264-0-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/264-61-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-43-0x0000000077BC0000-0x0000000077BC2000-memory.dmp

Filesize
8KB

Download
memory/1248-12-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-27-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-26-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-42-0x0000000077B90000-0x0000000077B92000-memory.dmp

Filesize
8KB

Download
memory/1248-41-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-40-0x0000000002D90000-0x0000000002D97000-memory.dmp

Filesize
28KB

Download
memory/1248-30-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-25-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-24-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-23-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-22-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-52-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-21-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-20-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-19-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-18-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-16-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-15-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-14-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-13-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-29-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-11-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-10-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-9-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-8-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-55-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-28-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-62-0x0000000077926000-0x0000000077927000-memory.dmp

Filesize
4KB

Download
memory/1248-31-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-32-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-3-0x0000000077926000-0x0000000077927000-memory.dmp

Filesize
4KB

Download
memory/1248-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/1248-7-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-17-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1248-6-0x0000000140000000-0x000000014010D000-memory.dmp

Filesize
1.1MB

Download
memory/1720-106-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/1916-85-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1916-90-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/2788-73-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/2788-71-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/2788-70-0x0000000000020000-0x0000000000027000-memory.dmp

Filesize
28KB

Download