dridex | cae5ab2ba8aa12b42c216e1d1b3efb016a89826e07e1bba5213e6ede4fb11a00

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b736eaf2c05ce53035ffd01e89966ec_JaffaCakes118.dll
Size

908KB
MD5

9b736eaf2c05ce53035ffd01e89966ec
SHA1

c80b5109d5996dec0d4764b3a8524a2f82af1cde
SHA256

cae5ab2ba8aa12b42c216e1d1b3efb016a89826e07e1bba5213e6ede4fb11a00
SHA512

86c87851b5fe98215ab9d835139626c297522761daeb5f753cc998172e36275ceebd997b0f6a6b59da2ec42a8223ab86dfceafbf58ecb3dd6f8a1359df1cd00a
SSDEEP

24576:QKfE4IeyDiRhMnFKO2pS9BDrFYA7CKW5:d3yDiRhYF22B57i5

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1184-4-0x0000000002960000-0x0000000002961000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2720-1-0x000007FEF7B30000-0x000007FEF7C13000-memory.dmp	dridex_payload
behavioral1/memory/1184-19-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral1/memory/1184-27-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral1/memory/1184-38-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral1/memory/1184-39-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral1/memory/2720-47-0x000007FEF7B30000-0x000007FEF7C13000-memory.dmp	dridex_payload
behavioral1/memory/1224-60-0x000007FEF7BD0000-0x000007FEF7CB4000-memory.dmp	dridex_payload
behavioral1/memory/1224-64-0x000007FEF7BD0000-0x000007FEF7CB4000-memory.dmp	dridex_payload
behavioral1/memory/2772-76-0x000007FEF66A0000-0x000007FEF6784000-memory.dmp	dridex_payload
behavioral1/memory/2772-81-0x000007FEF66A0000-0x000007FEF6784000-memory.dmp	dridex_payload
behavioral1/memory/2804-93-0x000007FEF6230000-0x000007FEF6315000-memory.dmp	dridex_payload
behavioral1/memory/2804-97-0x000007FEF6230000-0x000007FEF6315000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

wscript.exeWindowsAnytimeUpgradeResults.exerrinstaller.exe

pid	Process
1224	wscript.exe
2772	WindowsAnytimeUpgradeResults.exe
2804	rrinstaller.exe

Loads dropped DLL 8 IoCs

Processes:

wscript.exeWindowsAnytimeUpgradeResults.exerrinstaller.exe

pid	Process
1184
1184
1224	wscript.exe
1184
2772	WindowsAnytimeUpgradeResults.exe
1184
2804	rrinstaller.exe
1184

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Auwqk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\ZsTKMZ\\WINDOW~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wscript.exeWindowsAnytimeUpgradeResults.exerrinstaller.exerundll32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewscript.exe

pid	Process
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1224	wscript.exe
1224	wscript.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1184 wrote to memory of 2404	1184	30
PID 1184 wrote to memory of 2404	1184	30
PID 1184 wrote to memory of 2404	1184	30
PID 1184 wrote to memory of 1224	1184	31
PID 1184 wrote to memory of 1224	1184	31
PID 1184 wrote to memory of 1224	1184	31
PID 1184 wrote to memory of 2172	1184	32
PID 1184 wrote to memory of 2172	1184	32
PID 1184 wrote to memory of 2172	1184	32
PID 1184 wrote to memory of 2772	1184	33
PID 1184 wrote to memory of 2772	1184	33
PID 1184 wrote to memory of 2772	1184	33
PID 1184 wrote to memory of 2792	1184	34
PID 1184 wrote to memory of 2792	1184	34
PID 1184 wrote to memory of 2792	1184	34
PID 1184 wrote to memory of 2804	1184	35
PID 1184 wrote to memory of 2804	1184	35
PID 1184 wrote to memory of 2804	1184	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b736eaf2c05ce53035ffd01e89966ec_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2720

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:2404

C:\Users\Admin\AppData\Local\mYzL\wscript.exe
C:\Users\Admin\AppData\Local\mYzL\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1224

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:2172

C:\Users\Admin\AppData\Local\w7m\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\w7m\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2772

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:2792

C:\Users\Admin\AppData\Local\n4kO6VGk5\rrinstaller.exe
C:\Users\Admin\AppData\Local\n4kO6VGk5\rrinstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mYzL\VERSION.dll

Filesize
912KB

MD5
72bd1938895152f81078aa9cb5db7b9b

SHA1
265c560ef49dd3b551c25412c4a3eef397477907

SHA256
a7e519500feaeab5e1d53c8d05d932d081b8df2119aa6eb0d2b39491ed176913

SHA512
caee52b6aa33015c265a3ef4b22193606cf3ac1b7bf3542fafd5eb3e30958e70e8bb4d89aecad983af7608900fbc921540793878e914269626c6a7851f5588e9

Download Submit
C:\Users\Admin\AppData\Local\mYzL\wscript.exe

Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
C:\Users\Admin\AppData\Local\n4kO6VGk5\MFPlat.DLL

Filesize
916KB

MD5
1a0a9b993d56766e6ed2ef7c904f60c0

SHA1
c4e4be11c783cc1cdb8deed433c502391f19ff53

SHA256
134fe09e8f024e9b11590915bafdd085298fe628af56c34f8d7dbc0c6415866d

SHA512
1eba4a5ce678eabfb1371a96b751eeb34b506f7d724cd92ae01bdae32120d1beaae0b2d5a33914ee2300b2ef314c4983664433148da1ef45de2d1c4ac451e47b

Download Submit
C:\Users\Admin\AppData\Local\w7m\WINBRAND.dll

Filesize
912KB

MD5
431e86e7040e643b10585de2601d9f8b

SHA1
544ae0bbd0b358bb06db6565cc1747bbb0e73ae1

SHA256
cc3f23865ab49e8a78b3bbbcf293042634256ae453f8db0c4c5b56e71e267f9f

SHA512
804fe2f950c1e156295ab183b4d6a7a155bb7cdf81d394271e5a02067a37d96cf3866c9cc7f3b825468ffe498725d850aec47f73254f74191cb206237144208d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk

Filesize
974B

MD5
7f698250ab326d7a25a48dbab80595c3

SHA1
56b06ea562741b3a3398dbf883f3cd6e65d3d4f1

SHA256
7ce01a7c4682da9acfa02440b1f7b6a17c44fedb0a3674872444a10f4bdb1b71

SHA512
53031f5592669b0e385e0dd07dd19afb6026949bf717eea60d1825dbe8a82b68b710aaf68409b36476595bdde79b5471efffa7b17e8ea1eda272ca0faaa9c481

Download Submit
\Users\Admin\AppData\Local\n4kO6VGk5\rrinstaller.exe

Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
\Users\Admin\AppData\Local\w7m\WindowsAnytimeUpgradeResults.exe

Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
memory/1184-29-0x00000000771D0000-0x00000000771D2000-memory.dmp

Filesize
8KB

Download
memory/1184-6-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-7-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-12-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-26-0x0000000002990000-0x0000000002997000-memory.dmp

Filesize
28KB

Download
memory/1184-19-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-18-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-17-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-16-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-15-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-14-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-13-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-28-0x00000000771A0000-0x00000000771A2000-memory.dmp

Filesize
8KB

Download
memory/1184-3-0x0000000076F36000-0x0000000076F37000-memory.dmp

Filesize
4KB

Download
memory/1184-27-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-38-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-39-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-4-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1184-48-0x0000000076F36000-0x0000000076F37000-memory.dmp

Filesize
4KB

Download
memory/1184-9-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-10-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-8-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1184-11-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/1224-64-0x000007FEF7BD0000-0x000007FEF7CB4000-memory.dmp

Filesize
912KB

Download
memory/1224-59-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1224-60-0x000007FEF7BD0000-0x000007FEF7CB4000-memory.dmp

Filesize
912KB

Download
memory/2720-47-0x000007FEF7B30000-0x000007FEF7C13000-memory.dmp

Filesize
908KB

Download
memory/2720-1-0x000007FEF7B30000-0x000007FEF7C13000-memory.dmp

Filesize
908KB

Download
memory/2720-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2772-76-0x000007FEF66A0000-0x000007FEF6784000-memory.dmp

Filesize
912KB

Download
memory/2772-78-0x00000000002C0000-0x00000000002C7000-memory.dmp

Filesize
28KB

Download
memory/2772-81-0x000007FEF66A0000-0x000007FEF6784000-memory.dmp

Filesize
912KB

Download
memory/2804-93-0x000007FEF6230000-0x000007FEF6315000-memory.dmp

Filesize
916KB

Download
memory/2804-97-0x000007FEF6230000-0x000007FEF6315000-memory.dmp

Filesize
916KB

Download