dridex | 11066c2e0a1b0fe58bc9584918054340aa58179a79a3c8c6da49c63801d8ff2a

Analysis

max time kernel
150s
max time network
22s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_63fbef9c63dc9858707e03078f23f1ce.dll
Size

2.4MB
MD5

63fbef9c63dc9858707e03078f23f1ce
SHA1

3a3aa0a1c6663551ee8e05fc2e6b17942fa83b96
SHA256

11066c2e0a1b0fe58bc9584918054340aa58179a79a3c8c6da49c63801d8ff2a
SHA512

e812c268e67ee8eeb46d6d8b50ca00c26e8db4784f99c15edd083b3583d999a1e65ffd46d7af87069d854b62edc956a26fe5ffd80d295efb2dd5126d6ed56956
SSDEEP

12288:tVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:0fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1364-5-0x0000000002660000-0x0000000002661000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2032	calc.exe
816	WindowsAnytimeUpgradeResults.exe
1272	SystemPropertiesComputerName.exe

Loads dropped DLL 7 IoCs

pid	Process
1364	Process not Found
2032	calc.exe
1364	Process not Found
816	WindowsAnytimeUpgradeResults.exe
1364	Process not Found
1272	SystemPropertiesComputerName.exe
1364	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\6G0\\WindowsAnytimeUpgradeResults.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	regsvr32.exe
2280	regsvr32.exe
2280	regsvr32.exe
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2396	1364	Process not Found	29
PID 1364 wrote to memory of 2396	1364	Process not Found	29
PID 1364 wrote to memory of 2396	1364	Process not Found	29
PID 1364 wrote to memory of 2032	1364	Process not Found	30
PID 1364 wrote to memory of 2032	1364	Process not Found	30
PID 1364 wrote to memory of 2032	1364	Process not Found	30
PID 1364 wrote to memory of 948	1364	Process not Found	31
PID 1364 wrote to memory of 948	1364	Process not Found	31
PID 1364 wrote to memory of 948	1364	Process not Found	31
PID 1364 wrote to memory of 816	1364	Process not Found	32
PID 1364 wrote to memory of 816	1364	Process not Found	32
PID 1364 wrote to memory of 816	1364	Process not Found	32
PID 1364 wrote to memory of 2992	1364	Process not Found	33
PID 1364 wrote to memory of 2992	1364	Process not Found	33
PID 1364 wrote to memory of 2992	1364	Process not Found	33
PID 1364 wrote to memory of 1272	1364	Process not Found	34
PID 1364 wrote to memory of 1272	1364	Process not Found	34
PID 1364 wrote to memory of 1272	1364	Process not Found	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63fbef9c63dc9858707e03078f23f1ce.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:2396

C:\Users\Admin\AppData\Local\nrxFmiOL\calc.exe
C:\Users\Admin\AppData\Local\nrxFmiOL\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2032

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:948

C:\Users\Admin\AppData\Local\kMxqlc\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\kMxqlc\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:816

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:2992

C:\Users\Admin\AppData\Local\dEQeVU2\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\dEQeVU2\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dEQeVU2\SYSDM.CPL

Filesize
2.4MB

MD5
72d1f29a00611a317548da34b26f758e

SHA1
43a5b647d6fa621a6ffdf14c32b483aa9bd2ad2e

SHA256
37b78909492d775ce046dad3dcc5dfe274cf408ba6fd707fa6ef2306416790ee

SHA512
195cf8c1ea410aa241e4e54057ce8c8cefddb946866c372b4dc3fdbad4b23fd1a47b60a3eefe1eb1053d1e709ba02e145cc57a3305ed2c59413417086a38d10d

Download Submit
C:\Users\Admin\AppData\Local\kMxqlc\WINBRAND.dll

Filesize
2.4MB

MD5
abe4d3dfc992978e2cb828fc114829b9

SHA1
33793a7f88829991741b8aa344800faf101e8c87

SHA256
a6a731a922ab9ad596ec0b8c8b9dcee5494df838d194085f32bd0a15eb1e9071

SHA512
d90f3c2bb69bcfda4a7263ada737b753e35e0e17c1deb2b358f70d9dec3643a5db93177cdad97f8cdf7a6099cb25d8ebf0b2c0f720848e62752792db5446ab92

Download Submit
C:\Users\Admin\AppData\Local\nrxFmiOL\calc.exe

Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
1KB

MD5
fdd8ea2438a78aed9463d12ceee09123

SHA1
0440b69a6c04e28dd5456c0abf74116cd2e3a711

SHA256
b81edf1397af13e98189e86d29d942fa8f49c832d129f0be915dc0065a3a0ee4

SHA512
3f8ba9ad8c1cae96869fddc005b5e61e0e598b9a8eecf48526ded3b78cf1c37725cddc93ac89b8861a27589302a8fb8d1774f9c1c5a8c88aab0fb6d309b54add

Download Submit
\Users\Admin\AppData\Local\dEQeVU2\SystemPropertiesComputerName.exe

Filesize
80KB

MD5
bd889683916aa93e84e1a75802918acf

SHA1
5ee66571359178613a4256a7470c2c3e6dd93cfa

SHA256
0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

SHA512
9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Download Submit
\Users\Admin\AppData\Local\kMxqlc\WindowsAnytimeUpgradeResults.exe

Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
\Users\Admin\AppData\Local\nrxFmiOL\WINMM.dll

Filesize
2.5MB

MD5
1e26d5931962498440ed4f1904d06137

SHA1
ae7f06a094ee8a02ced10943785eb4a864e4ae4a

SHA256
2a32f11c583bc3b6afe8074626ec224d3529bb3910827af24468986dec52e9cd

SHA512
a86ee3734be0a5dafce90ae47dda71cd8f95e498b7aacb73b16018bc135c716093911d860c6ceb7dc44b1227911e34571939c22054b325d941d959a9bc348ebe

Download Submit
memory/1272-148-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/1364-10-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-30-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-43-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-42-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-41-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-40-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-38-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-37-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-36-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-35-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-34-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-33-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-32-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-56-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-29-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-28-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-27-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-26-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-25-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-24-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-23-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-22-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-21-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-19-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-55-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-17-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-16-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-15-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-13-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-12-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-4-0x00000000777F6000-0x00000000777F7000-memory.dmp

Filesize
4KB

Download
memory/1364-8-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-48-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-44-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-18-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-53-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-52-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-51-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-50-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-49-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-54-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-47-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-46-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-66-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-70-0x0000000002210000-0x0000000002217000-memory.dmp

Filesize
28KB

Download
memory/1364-65-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-64-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-63-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-62-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-61-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-60-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-58-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-57-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-79-0x0000000077B60000-0x0000000077B62000-memory.dmp

Filesize
8KB

Download
memory/1364-78-0x0000000077A01000-0x0000000077A02000-memory.dmp

Filesize
4KB

Download
memory/1364-45-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-5-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1364-39-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-31-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-20-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-14-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-11-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/1364-149-0x00000000777F6000-0x00000000777F7000-memory.dmp

Filesize
4KB

Download
memory/1364-7-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/2032-108-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2280-1-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/2280-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2280-9-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download