dridex | f5d450ab006b590227e1c2c39a32d9e47a43720120d3f8bde9b77b730be388c1

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b98027835299cf468cc7169e702e732c.dll
Size

1.3MB
MD5

b98027835299cf468cc7169e702e732c
SHA1

19139b22e1752a8cfe0efe798baf533b96b2e7a6
SHA256

f5d450ab006b590227e1c2c39a32d9e47a43720120d3f8bde9b77b730be388c1
SHA512

ef3197919ba7ec1ddca732c1bd28cdde2598973dc12f0abe1c7a98ed05c1fb54c2fcb8ba94fae4eb4bea064b930681f6fe17aa0dede5ed2d838d3e0365cfe077
SSDEEP

12288:nVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ181:OfP7fWsK5z9A+WGAW+V5SB6Ct4bnb81

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1212-5-0x00000000024B0000-0x00000000024B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1052	Dxpserver.exe
1804	notepad.exe
2100	SystemPropertiesProtection.exe

Loads dropped DLL 7 IoCs

pid	Process
1212	Process not Found
1052	Dxpserver.exe
1212	Process not Found
1804	notepad.exe
1212	Process not Found
2100	SystemPropertiesProtection.exe
1212	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zoekctxdbskyzr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\UProof\\Lt0QzQGwzU\\notepad.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2492	rundll32.exe
2492	rundll32.exe
2492	rundll32.exe
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2580	1212	Process not Found	31
PID 1212 wrote to memory of 2580	1212	Process not Found	31
PID 1212 wrote to memory of 2580	1212	Process not Found	31
PID 1212 wrote to memory of 1052	1212	Process not Found	32
PID 1212 wrote to memory of 1052	1212	Process not Found	32
PID 1212 wrote to memory of 1052	1212	Process not Found	32
PID 1212 wrote to memory of 2788	1212	Process not Found	33
PID 1212 wrote to memory of 2788	1212	Process not Found	33
PID 1212 wrote to memory of 2788	1212	Process not Found	33
PID 1212 wrote to memory of 1804	1212	Process not Found	34
PID 1212 wrote to memory of 1804	1212	Process not Found	34
PID 1212 wrote to memory of 1804	1212	Process not Found	34
PID 1212 wrote to memory of 2368	1212	Process not Found	35
PID 1212 wrote to memory of 2368	1212	Process not Found	35
PID 1212 wrote to memory of 2368	1212	Process not Found	35
PID 1212 wrote to memory of 2100	1212	Process not Found	36
PID 1212 wrote to memory of 2100	1212	Process not Found	36
PID 1212 wrote to memory of 2100	1212	Process not Found	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b98027835299cf468cc7169e702e732c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:2580

C:\Users\Admin\AppData\Local\y0cRkZU3\Dxpserver.exe
C:\Users\Admin\AppData\Local\y0cRkZU3\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1052

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:2788

C:\Users\Admin\AppData\Local\nGXp\notepad.exe
C:\Users\Admin\AppData\Local\nGXp\notepad.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1804

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:2368

C:\Users\Admin\AppData\Local\F7hPYa\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\F7hPYa\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\F7hPYa\SYSDM.CPL

Filesize
1.3MB

MD5
785e3c8f918d87d1d453edf75c962e58

SHA1
8a84ac0590eaf0beb3dc3abac443150234cbf053

SHA256
3b4f4dc3845bcd0aafbfd54c1c39d5aaa50c4ce2c6025201d37d1dcc80ea4a26

SHA512
d8bcb83b41fd05fe5e8146338ee607f7bddb71638245c213a84d1e1f57bfe2e802f6ac0eeba762337c94080fea2c1aae96422ac3031d9c44d11f791c3f67943f

Download Submit
C:\Users\Admin\AppData\Local\nGXp\VERSION.dll

Filesize
1.3MB

MD5
d7e0481eebba704f6895cfef3cace6ed

SHA1
4cccb573496baec421824876bdbf66a722c22408

SHA256
6ad1e980dca1a2b49cc10af1cf4694fd8b153e3f49dd83e3528daa9d0f11d6ae

SHA512
6c53a56875134efe633e0c22f7352fb408ea6227a1094d621c0071b70785f10bb8bbb78ad5f7cf3f6d1e59814e1d618930383230e939a8815867b4c3555a42af

Download Submit
C:\Users\Admin\AppData\Local\y0cRkZU3\XmlLite.dll

Filesize
1.3MB

MD5
23d136c003c097ac9d117b4e3c214af3

SHA1
61acab5b2b39c4efee9d967ae254b6fa39c4ce3f

SHA256
620c71d404bb4111100d83edb1cc53bd51b8af050391912d64cdfd1ac1af2fcb

SHA512
5b96998ef9d166956c67100f526769649bc16677d5432a09ee2248dd068a29c83f742f6f460687fd116f7678992ea509221d6e44040228161bf14ee2aabd9433

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk

Filesize
1KB

MD5
776483740e7e88b9ea39cd5f89976b02

SHA1
44b98c3ee84c9b14f3ddec9282d3bcea9ca5529f

SHA256
f135bb2b3a496bcb1d5e92d28c32f07ac306da1c5b9ac380a9fcf99322249b22

SHA512
bec1a828a2777a0e5020089b63091b15e0f6be1f54cc2678d6b49b285bda360f6299b5b1f1d6d5c6b39d6060145251bd884835a12e2b98560edf79ded62718db

Download Submit
\Users\Admin\AppData\Local\F7hPYa\SystemPropertiesProtection.exe

Filesize
80KB

MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Local\nGXp\notepad.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Local\y0cRkZU3\Dxpserver.exe

Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
memory/1052-94-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1212-32-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-26-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-65-0x0000000002490000-0x0000000002497000-memory.dmp

Filesize
28KB

Download
memory/1212-64-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-57-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-56-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-55-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-54-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-53-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-52-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-51-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-50-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-48-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-47-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-46-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-45-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-44-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-43-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-42-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-41-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-40-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-38-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-36-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-35-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-34-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-33-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-4-0x0000000077756000-0x0000000077757000-memory.dmp

Filesize
4KB

Download
memory/1212-31-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-30-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-28-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-27-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-37-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-24-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-23-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-22-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-21-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-20-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-18-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-17-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-66-0x0000000077861000-0x0000000077862000-memory.dmp

Filesize
4KB

Download
memory/1212-67-0x00000000779C0000-0x00000000779C2000-memory.dmp

Filesize
8KB

Download
memory/1212-76-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-49-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-29-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-19-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-5-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1212-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1212-148-0x0000000077756000-0x0000000077757000-memory.dmp

Filesize
4KB

Download
memory/1804-112-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2100-135-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2492-0-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2492-3-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2492-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download