dridex | c567bcfe50a6894d43a4b85b302b6f76dc6376d64eb60270e92617a20c5a789c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_27161434e84e258ee09d7b472052965c.dll
Size

1.1MB
MD5

27161434e84e258ee09d7b472052965c
SHA1

8d3c14960b77a4796d7e1c44b48c4e06dfda645b
SHA256

c567bcfe50a6894d43a4b85b302b6f76dc6376d64eb60270e92617a20c5a789c
SHA512

53b593cf1065ce170a5b077ee5646398c74c57801785baed5fe2afe604abd3d870eee5d56cbdb7762f57a642da95c00833ce1fd1f4bb13fb97e56b48ac8c9b87
SSDEEP

12288:2dMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:wMIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3432-4-0x0000000000930000-0x0000000000931000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/464-2-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/3432-63-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/3432-52-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/464-67-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/116-76-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/116-81-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3616-98-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/2440-111-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral2/memory/2440-115-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
116	rstrui.exe
3616	cmstp.exe
2440	FXSCOVER.exe

Loads dropped DLL 3 IoCs

pid	Process
116	rstrui.exe
3616	cmstp.exe
2440	FXSCOVER.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fzrdqelbmr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\TZTf2Owl9t9\\cmstp.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
464	rundll32.exe
464	rundll32.exe
464	rundll32.exe
464	rundll32.exe
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 100	3432	Process not Found	96
PID 3432 wrote to memory of 100	3432	Process not Found	96
PID 3432 wrote to memory of 116	3432	Process not Found	97
PID 3432 wrote to memory of 116	3432	Process not Found	97
PID 3432 wrote to memory of 1580	3432	Process not Found	98
PID 3432 wrote to memory of 1580	3432	Process not Found	98
PID 3432 wrote to memory of 3616	3432	Process not Found	99
PID 3432 wrote to memory of 3616	3432	Process not Found	99
PID 3432 wrote to memory of 868	3432	Process not Found	100
PID 3432 wrote to memory of 868	3432	Process not Found	100
PID 3432 wrote to memory of 2440	3432	Process not Found	101
PID 3432 wrote to memory of 2440	3432	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27161434e84e258ee09d7b472052965c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:464

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:100

C:\Users\Admin\AppData\Local\KXEOywF\rstrui.exe
C:\Users\Admin\AppData\Local\KXEOywF\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:116

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:1580

C:\Users\Admin\AppData\Local\8GAtHzUe\cmstp.exe
C:\Users\Admin\AppData\Local\8GAtHzUe\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3616

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:868

C:\Users\Admin\AppData\Local\kItsYDLz\FXSCOVER.exe
C:\Users\Admin\AppData\Local\kItsYDLz\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8GAtHzUe\VERSION.dll

Filesize
1.1MB

MD5
a9f3a954ef923b10a4efc5a1f82d2ab2

SHA1
e90bda8eb35b23a996e589fdab69962ce82a3a10

SHA256
2545828f12a0bb75fa242a72dcd4d6b00a8911b041225e02943a72f47e2ac5ba

SHA512
85ed0dcd396d44e09403624293f2437b42aa6b201158b2093c8a4a52808ddb9451f1c73ff3323e09db24270bfd498c83939d35fb0ecb2e5e0c1a68f2d86f7fb5

Download Submit
C:\Users\Admin\AppData\Local\8GAtHzUe\cmstp.exe

Filesize
96KB

MD5
4cc43fe4d397ff79fa69f397e016df52

SHA1
8fd6cf81ad40c9b123cd75611860a8b95c72869c

SHA256
f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

SHA512
851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

Download Submit
C:\Users\Admin\AppData\Local\KXEOywF\SRCORE.dll

Filesize
1.1MB

MD5
62b7c2542c55f9afb06d72a9d1e49d60

SHA1
5639859ec29c51e4d647383740d5cc71df7111aa

SHA256
aec4bae736968274e0c122be437f58126d407d81660eb2b5763869ea52176879

SHA512
02829fb4e3a90892d2189b7431931dc600d9d82b7c2c15730cd5f846613439964d4f96046510e377dce3ea003f5548e435b12412f0c1026c306b409a2d18b9bb

Download Submit
C:\Users\Admin\AppData\Local\KXEOywF\rstrui.exe

Filesize
268KB

MD5
4cad10846e93e85790865d5c0ab6ffd9

SHA1
8a223f4bab28afa4c7ed630f29325563c5dcda1a

SHA256
9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

SHA512
c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

Download Submit
C:\Users\Admin\AppData\Local\kItsYDLz\FXSCOVER.exe

Filesize
242KB

MD5
5769f78d00f22f76a4193dc720d0b2bd

SHA1
d62b6cab057e88737cba43fe9b0c6d11a28b53e8

SHA256
40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

SHA512
b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

Download Submit
C:\Users\Admin\AppData\Local\kItsYDLz\MFC42u.dll

Filesize
1.1MB

MD5
f2c14f8c67de02560d3cecd3c74f271d

SHA1
18577ca1055c2271c3993193201b635ac06c1623

SHA256
86a9a1620d445788cdd768cf9b6718599610481705b80a2078841c90726ef8df

SHA512
61afaa5f2e68e97beea872390c4c5f266d615031fddd3ceedeb0b2404f750903ce28c823fb1813ff4b936ea3fc1b6986b0171e5b9123e57a358ee473841d950d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk

Filesize
1KB

MD5
69802f3fc94cff5d9ee05d0823b3ddb4

SHA1
effef12d0e8dc34743aef089680c03f34d3b2e69

SHA256
e68eba8b8af431330a5e7990a9b5b889a7842d97612d0d350783877887d43b62

SHA512
e7a7bb07cdbdb6c08801b2aea638b429a4bc5e4cb814492949e4a0c290f723a6f052739101236e25f6339d578e2dffcb724b7cf2118f78cef4eaa9b67a61f96e

Download Submit
memory/116-74-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/116-81-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/116-75-0x0000029626250000-0x0000029626257000-memory.dmp

Filesize
28KB

Download
memory/116-76-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/464-67-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/464-3-0x000001C2206A0000-0x000001C2206A7000-memory.dmp

Filesize
28KB

Download
memory/464-2-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2440-109-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/2440-111-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/2440-110-0x0000012C82900000-0x0000012C82907000-memory.dmp

Filesize
28KB

Download
memory/2440-115-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/3432-37-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-11-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-33-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-32-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-31-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-30-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-29-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-28-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-27-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-26-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-25-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-24-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-23-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-22-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-35-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-21-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-18-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-17-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-16-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-15-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-14-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-13-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-12-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-34-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-10-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-9-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-8-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-40-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-20-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-36-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-38-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-39-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-41-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-52-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-53-0x00007FFE82680000-0x00007FFE82690000-memory.dmp

Filesize
64KB

Download
memory/3432-54-0x00007FFE82670000-0x00007FFE82680000-memory.dmp

Filesize
64KB

Download
memory/3432-63-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-6-0x00007FFE8176A000-0x00007FFE8176B000-memory.dmp

Filesize
4KB

Download
memory/3432-4-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/3432-7-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-42-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-51-0x00000000008E0000-0x00000000008E7000-memory.dmp

Filesize
28KB

Download
memory/3432-43-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-19-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3616-98-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3616-95-0x000001F38BEC0000-0x000001F38BEC7000-memory.dmp

Filesize
28KB

Download
memory/3616-92-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download