dridex | d87fbd8fc181f8b1f65f87bf1c20ea1e9862d5d9bd8dd7abcb53966cfe2c38e3

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa97726c96275f57ca686d1e95dfdfd9_JaffaCakes118.dll
Size

944KB
MD5

aa97726c96275f57ca686d1e95dfdfd9
SHA1

d2424394c6398a3ea7b69deac9dd41a30091905d
SHA256

d87fbd8fc181f8b1f65f87bf1c20ea1e9862d5d9bd8dd7abcb53966cfe2c38e3
SHA512

a596e347615867a6f6514bf2889af9bc725a8eebb90056c3dea39347ecfb8a8b090e3e5b2334361a239fd564352b54196295fb0108ba03847f89ea1d0d55f7e1
SSDEEP

24576:JKfE4IeyDiRhMnFKO2pS9BDrFYA7CKW5:o3yDiRhYF22B57i5

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1160-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2496-0-0x000007FEF68F0000-0x000007FEF69DC000-memory.dmp	dridex_payload
behavioral1/memory/1160-23-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1160-30-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1160-41-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1160-42-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2496-50-0x000007FEF68F0000-0x000007FEF69DC000-memory.dmp	dridex_payload
behavioral1/memory/2604-59-0x000007FEF68F0000-0x000007FEF69DD000-memory.dmp	dridex_payload
behavioral1/memory/2604-63-0x000007FEF68F0000-0x000007FEF69DD000-memory.dmp	dridex_payload
behavioral1/memory/992-76-0x000007FEF6410000-0x000007FEF64FE000-memory.dmp	dridex_payload
behavioral1/memory/992-80-0x000007FEF6410000-0x000007FEF64FE000-memory.dmp	dridex_payload
behavioral1/memory/1824-92-0x000007FEF6410000-0x000007FEF64FD000-memory.dmp	dridex_payload
behavioral1/memory/1824-96-0x000007FEF6410000-0x000007FEF64FD000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesRemote.execalc.exeSystemPropertiesProtection.exe

pid	Process
2604	SystemPropertiesRemote.exe
992	calc.exe
1824	SystemPropertiesProtection.exe

Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesRemote.execalc.exeSystemPropertiesProtection.exe

pid	Process
1160
2604	SystemPropertiesRemote.exe
1160
992	calc.exe
1160
1824	SystemPropertiesProtection.exe
1160

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\pA5cFRZdvZa\\calc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesRemote.execalc.exeSystemPropertiesProtection.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeSystemPropertiesRemote.exe

pid	Process
2496	rundll32.exe
2496	rundll32.exe
2496	rundll32.exe
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
2604	SystemPropertiesRemote.exe
2604	SystemPropertiesRemote.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1160 wrote to memory of 2612	1160	30
PID 1160 wrote to memory of 2612	1160	30
PID 1160 wrote to memory of 2612	1160	30
PID 1160 wrote to memory of 2604	1160	31
PID 1160 wrote to memory of 2604	1160	31
PID 1160 wrote to memory of 2604	1160	31
PID 1160 wrote to memory of 2980	1160	33
PID 1160 wrote to memory of 2980	1160	33
PID 1160 wrote to memory of 2980	1160	33
PID 1160 wrote to memory of 992	1160	34
PID 1160 wrote to memory of 992	1160	34
PID 1160 wrote to memory of 992	1160	34
PID 1160 wrote to memory of 2024	1160	35
PID 1160 wrote to memory of 2024	1160	35
PID 1160 wrote to memory of 2024	1160	35
PID 1160 wrote to memory of 1824	1160	36
PID 1160 wrote to memory of 1824	1160	36
PID 1160 wrote to memory of 1824	1160	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa97726c96275f57ca686d1e95dfdfd9_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2496

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2612

C:\Users\Admin\AppData\Local\jYfTfz\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\jYfTfz\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:2980

C:\Users\Admin\AppData\Local\GwP\calc.exe
C:\Users\Admin\AppData\Local\GwP\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:992

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:2024

C:\Users\Admin\AppData\Local\4qiKBM\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\4qiKBM\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4qiKBM\SYSDM.CPL

Filesize
948KB

MD5
8625788f3b1487cb2dfa1ad6b3524111

SHA1
820268eb4674fa1df4eb5243f347d676758c1739

SHA256
32ee556c6866eae7359ecca6810117832ce45ee2e514b0798236b6a2a49da3ec

SHA512
b75d7957df16f5f75b620d6eb892c4bfedeae7ad1082602cd9c98dcd02eac2a93f850e7d8fbdf1744dba5159ee3ac24d8de33a9d4fded6c7156db21e33bbab9c

Download Submit
C:\Users\Admin\AppData\Local\GwP\WINMM.dll

Filesize
952KB

MD5
eb4894255a6b61ec04fd362ec11b56ef

SHA1
4fdb63ce15a9b083fae30e298f48f302788ac4d4

SHA256
bf681dadaee642f26099bcafbe65ada5034c430e6be6e11211e7e1cbbc462ed4

SHA512
f0ece4abb5f629c02b291b44a000c6b784f58aa54a1b5da1c5b1127b6b3bc9933c2fa1b8036d96e8ea75fe79d848fc0260419ce84aed6a97afb53270213dd6f3

Download Submit
C:\Users\Admin\AppData\Local\jYfTfz\SYSDM.CPL

Filesize
948KB

MD5
96bf842aef81dff8921006307c7f89d5

SHA1
d5a789d758bab1dc8b8d5db0c4b15de9f00c6117

SHA256
6f9743b7b5ea7339a96f50789d57c1fa4b1929738852e511147e7df385c8a527

SHA512
27c454feebcbe35c5123c2df4ea580645d7faf195aaf839573087d62d3be55d8caddd12bad7e1c4b10d6d9908e725b3af3e4ec2f00ff182ba49ec4e90531f289

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
1KB

MD5
f91d04822affc2600351126ee722ad6a

SHA1
43c826a5a2c47ef30de6c1575ac2235ff97a13e8

SHA256
b677774560ceea6d1fc23b6039f71d07f3759bd7fcf52270ae238ac346f443f5

SHA512
4979fc61867301bab663fcc4a628999f16d557f667ac00ae4eedf214db084b1017a5942c0515bb36a45c55b77185d8c4f1a3c655c1c2ef6105835ddfc6d23d9e

Download Submit
\Users\Admin\AppData\Local\4qiKBM\SystemPropertiesProtection.exe

Filesize
80KB

MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Local\GwP\calc.exe

Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
\Users\Admin\AppData\Local\jYfTfz\SystemPropertiesRemote.exe

Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
memory/992-80-0x000007FEF6410000-0x000007FEF64FE000-memory.dmp

Filesize
952KB

Download
memory/992-76-0x000007FEF6410000-0x000007FEF64FE000-memory.dmp

Filesize
952KB

Download
memory/992-75-0x00000000000B0000-0x00000000000B7000-memory.dmp

Filesize
28KB

Download
memory/1160-20-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-8-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-31-0x0000000077280000-0x0000000077282000-memory.dmp

Filesize
8KB

Download
memory/1160-30-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-19-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-18-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-17-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-41-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-16-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-14-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-13-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-12-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-11-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-10-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-9-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-29-0x0000000002DC0000-0x0000000002DC7000-memory.dmp

Filesize
28KB

Download
memory/1160-42-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-3-0x0000000077016000-0x0000000077017000-memory.dmp

Filesize
4KB

Download
memory/1160-51-0x0000000077016000-0x0000000077017000-memory.dmp

Filesize
4KB

Download
memory/1160-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/1160-21-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-6-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-7-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-23-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-15-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1160-32-0x00000000772B0000-0x00000000772B2000-memory.dmp

Filesize
8KB

Download
memory/1824-92-0x000007FEF6410000-0x000007FEF64FD000-memory.dmp

Filesize
948KB

Download
memory/1824-96-0x000007FEF6410000-0x000007FEF64FD000-memory.dmp

Filesize
948KB

Download
memory/2496-2-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2496-50-0x000007FEF68F0000-0x000007FEF69DC000-memory.dmp

Filesize
944KB

Download
memory/2496-0-0x000007FEF68F0000-0x000007FEF69DC000-memory.dmp

Filesize
944KB

Download
memory/2604-63-0x000007FEF68F0000-0x000007FEF69DD000-memory.dmp

Filesize
948KB

Download
memory/2604-59-0x000007FEF68F0000-0x000007FEF69DD000-memory.dmp

Filesize
948KB

Download