dridex | e269355445b70397f7c8607c12c5010fa25010717851dce4318e120d43aa60e7

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-01-2025 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_979cd2c035dbce6d66b94e537870a428.dll
Size

828KB
MD5

979cd2c035dbce6d66b94e537870a428
SHA1

e58fc8c4ecf4a730ca1f761ec4fcd55c40961b60
SHA256

e269355445b70397f7c8607c12c5010fa25010717851dce4318e120d43aa60e7
SHA512

b10644228a0805909c0343f45ed26066a75c9cc7e19554cd3d31381a2b36ef6369c87d436ae53af5eccb55a9b434ca238fda584952bd229ee6d80328a55f4d2f
SSDEEP

12288:qdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:MMIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1208-4-0x00000000025A0000-0x00000000025A1000-memory.dmp	dridex_stager_shellcode

Dridex payload 7 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2036-0-0x0000000140000000-0x00000001400CF000-memory.dmp	dridex_payload
behavioral1/memory/1208-49-0x0000000140000000-0x00000001400CF000-memory.dmp	dridex_payload
behavioral1/memory/1208-61-0x0000000140000000-0x00000001400CF000-memory.dmp	dridex_payload
behavioral1/memory/1208-60-0x0000000140000000-0x00000001400CF000-memory.dmp	dridex_payload
behavioral1/memory/2036-69-0x0000000140000000-0x00000001400CF000-memory.dmp	dridex_payload
behavioral1/memory/2472-79-0x0000000140000000-0x00000001400D0000-memory.dmp	dridex_payload
behavioral1/memory/2472-83-0x0000000140000000-0x00000001400D0000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2472	isoburn.exe
2592	WindowsAnytimeUpgradeResults.exe
2952	dwm.exe

Loads dropped DLL 7 IoCs

pid	Process
1208	Process not Found
2472	isoburn.exe
1208	Process not Found
2592	WindowsAnytimeUpgradeResults.exe
1208	Process not Found
2952	dwm.exe
1208	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\qBOV9k\\WINDOW~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	rundll32.exe
2036	rundll32.exe
2036	rundll32.exe
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2900	1208	Process not Found	31
PID 1208 wrote to memory of 2900	1208	Process not Found	31
PID 1208 wrote to memory of 2900	1208	Process not Found	31
PID 1208 wrote to memory of 2472	1208	Process not Found	32
PID 1208 wrote to memory of 2472	1208	Process not Found	32
PID 1208 wrote to memory of 2472	1208	Process not Found	32
PID 1208 wrote to memory of 2024	1208	Process not Found	33
PID 1208 wrote to memory of 2024	1208	Process not Found	33
PID 1208 wrote to memory of 2024	1208	Process not Found	33
PID 1208 wrote to memory of 2592	1208	Process not Found	34
PID 1208 wrote to memory of 2592	1208	Process not Found	34
PID 1208 wrote to memory of 2592	1208	Process not Found	34
PID 1208 wrote to memory of 1724	1208	Process not Found	35
PID 1208 wrote to memory of 1724	1208	Process not Found	35
PID 1208 wrote to memory of 1724	1208	Process not Found	35
PID 1208 wrote to memory of 2952	1208	Process not Found	36
PID 1208 wrote to memory of 2952	1208	Process not Found	36
PID 1208 wrote to memory of 2952	1208	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_979cd2c035dbce6d66b94e537870a428.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:2900

C:\Users\Admin\AppData\Local\lRnnuCem\isoburn.exe
C:\Users\Admin\AppData\Local\lRnnuCem\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2472

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:2024

C:\Users\Admin\AppData\Local\mLoxhEI\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\mLoxhEI\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2592

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:1724

C:\Users\Admin\AppData\Local\TQNIWsHm\dwm.exe
C:\Users\Admin\AppData\Local\TQNIWsHm\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TQNIWsHm\UxTheme.dll

Filesize
832KB

MD5
6c768f3f729a79598fc6aebd97d7b219

SHA1
8a5eab93e0d303c139f028c3e496239970ce9316

SHA256
a2f1b2cf59785aaa433b6ec6298aa391f9c806e4e90ed7a62cda2d356ee6d34e

SHA512
d3df953371f1d55bdff0025a225caeffe8269b36283cf5bf95ae7005aeace4b3a3bc7cdbf1c3227958b65652d818a6d38e1c41805292198818ac4f3ac3cddc41

Download Submit
C:\Users\Admin\AppData\Local\lRnnuCem\isoburn.exe

Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
C:\Users\Admin\AppData\Local\mLoxhEI\UxTheme.dll

Filesize
832KB

MD5
f558235a293721d70f41342f0d13f6ad

SHA1
94e8d1d90a398ddc9b72ae9500f2565afe5a2158

SHA256
57e418a774a7b820265cb5a976b1fe7416440b62c0d1739882c8256c1a908f6c

SHA512
be956c7e1dcf565e7798ce19c2ef7051e32b322120e2250a39d8ad052d00f9149aaa496215118d63b7284d1c53697f08cdd59086be50c561dd33904f36c37e74

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
1KB

MD5
372df99572bb3c63f964df96d45208f4

SHA1
970bd291d0d78045887060ead241175e70576c4b

SHA256
7b49456d470fcc287bc03bc5442e58e5866ea633c38ea5c419b63309d92237b0

SHA512
0caa2c922c886752487c68eda9a59a27e0a0728db2454f7e19901c4cd215344740bad1fbd3453d3f92b8cb87f808a825458aea7f5de6002bf5f82a6e5903ff4b

Download Submit
\Users\Admin\AppData\Local\TQNIWsHm\dwm.exe

Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
\Users\Admin\AppData\Local\lRnnuCem\UxTheme.dll

Filesize
832KB

MD5
dc3925710c9bc9d7005358aff2425930

SHA1
384ad22265a55f828636cd6b1f8a7a0d336c5bd3

SHA256
c726086f039e5f56f0bb940df5cd9e818bacaf2f5d404ae34ffa8c754c54dc68

SHA512
1ca9c627720e5611fbad60e8178eabf1a9f098848a86a4b78db5bfdeb26c973f9618d2720b6fa0b22873536f801ed9b98de53e97b5232a61e40d0a61a60f2eb1

Download Submit
\Users\Admin\AppData\Local\mLoxhEI\WindowsAnytimeUpgradeResults.exe

Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
memory/1208-28-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-23-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-11-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-48-0x0000000002580000-0x0000000002587000-memory.dmp

Filesize
28KB

Download
memory/1208-49-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-40-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-39-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-38-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-37-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-36-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-51-0x00000000777C0000-0x00000000777C2000-memory.dmp

Filesize
8KB

Download
memory/1208-50-0x0000000077790000-0x0000000077792000-memory.dmp

Filesize
8KB

Download
memory/1208-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-60-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-35-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-34-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-33-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-32-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-31-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-30-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-29-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-7-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-27-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-25-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-24-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-6-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-22-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-21-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-20-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-19-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-18-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-17-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-16-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-15-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-14-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-13-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-26-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-12-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-70-0x0000000077526000-0x0000000077527000-memory.dmp

Filesize
4KB

Download
memory/1208-3-0x0000000077526000-0x0000000077527000-memory.dmp

Filesize
4KB

Download
memory/1208-4-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1208-10-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-9-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1208-8-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2036-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2036-2-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2036-0-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2472-83-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/2472-79-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/2472-78-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2592-97-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/2952-112-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download