dridex | c16e01bd1c034e16aa5459108ac9894a175f8e9754e1e360f81e0c8ddf720a94

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c5464886e6c66edad677dddc6606f1f_JaffaCakes118.dll
Size

1.2MB
MD5

4c5464886e6c66edad677dddc6606f1f
SHA1

0b422d84ce42e2d925cfb03c21e03cf52c80c99d
SHA256

c16e01bd1c034e16aa5459108ac9894a175f8e9754e1e360f81e0c8ddf720a94
SHA512

57db43d75b4f3354a9e77a4a4b40086094fb0501f76132c007fa64cb1355b952f8d7258de0460b4646250fb2d2073bf34a50be7d23498e6a09d0065045624652
SSDEEP

24576:NuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:H9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3436-4-0x0000000003020000-0x0000000003021000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

iexpress.exeDWWIN.EXESystemPropertiesAdvanced.exe

pid process

2932 iexpress.exe
4016 DWWIN.EXE
4964 SystemPropertiesAdvanced.exe
Loads dropped DLL 3 IoCs

Processes:

iexpress.exeDWWIN.EXESystemPropertiesAdvanced.exe

pid process

2932 iexpress.exe
4016 DWWIN.EXE
4964 SystemPropertiesAdvanced.exe

resource	yara_rule
behavioral2/memory/3436-4-0x0000000003020000-0x0000000003021000-memory.dmp	dridex_stager_shellcode

pid	process
2932	iexpress.exe
4016	DWWIN.EXE
4964	SystemPropertiesAdvanced.exe

pid	process
2932	iexpress.exe
4016	DWWIN.EXE
4964	SystemPropertiesAdvanced.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Jj0\\DWWIN.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DWWIN.EXESystemPropertiesAdvanced.exerundll32.exeiexpress.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3156	rundll32.exe
3156	rundll32.exe
3156	rundll32.exe
3156	rundll32.exe
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3436 wrote to memory of 1196	3436	iexpress.exe
PID 3436 wrote to memory of 1196	3436	iexpress.exe
PID 3436 wrote to memory of 2932	3436	iexpress.exe
PID 3436 wrote to memory of 2932	3436	iexpress.exe
PID 3436 wrote to memory of 1144	3436	DWWIN.EXE
PID 3436 wrote to memory of 1144	3436	DWWIN.EXE
PID 3436 wrote to memory of 4016	3436	DWWIN.EXE
PID 3436 wrote to memory of 4016	3436	DWWIN.EXE
PID 3436 wrote to memory of 1500	3436	SystemPropertiesAdvanced.exe
PID 3436 wrote to memory of 1500	3436	SystemPropertiesAdvanced.exe
PID 3436 wrote to memory of 4964	3436	SystemPropertiesAdvanced.exe
PID 3436 wrote to memory of 4964	3436	SystemPropertiesAdvanced.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c5464886e6c66edad677dddc6606f1f_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3156

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:1196

C:\Users\Admin\AppData\Local\tDqov57Z\iexpress.exe
C:\Users\Admin\AppData\Local\tDqov57Z\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2932

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:1144

C:\Users\Admin\AppData\Local\DZ1GYNyr\DWWIN.EXE
C:\Users\Admin\AppData\Local\DZ1GYNyr\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4016

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:1500

C:\Users\Admin\AppData\Local\gOLI9nr\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\gOLI9nr\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DZ1GYNyr\DWWIN.EXE
Filesize
229KB

MD5
444cc4d3422a0fdd45c1b78070026c60

SHA1
97162ff341fff1ec54b827ec02f8b86fd2d41a97

SHA256
4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

SHA512
21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

Download Submit
C:\Users\Admin\AppData\Local\DZ1GYNyr\wer.dll
Filesize
1.2MB

MD5
ff168cd4b58f4f0b14b1d63f6476a80f

SHA1
5a720045f2d0ba93f8762728d704ca76ae35af07

SHA256
a303487a27eafaa60b4c9bb4621284b93b6ee403b453442841d245415faa75e9

SHA512
bc422fa05ee844b97aaf0ba8bf7552587a58594d883029216fd343325a559fdb33bbb2c5fbcba22e389f719229b660467e60489e75b1b6bbf22d382a3ef28ba1

Download Submit
C:\Users\Admin\AppData\Local\gOLI9nr\SYSDM.CPL
Filesize
1.2MB

MD5
96e0d25dbe4c94c3b1320bf65cd9ac09

SHA1
8e5f69c2a39462005b3db69d84b172bb1191a569

SHA256
9eabd12a629240eb274a3d925a661438644427d6d763e201679c819a7ba6ec0e

SHA512
b3ad5b537816d0c3ed6e6090cb34b84dc089537647910adbadc90ffc566b620238884de869606a27a2c6f9041ac8e54c921b338d48a3c4619038729471ead40b

Download Submit
C:\Users\Admin\AppData\Local\gOLI9nr\SystemPropertiesAdvanced.exe
Filesize
82KB

MD5
fa040b18d2d2061ab38cf4e52e753854

SHA1
b1b37124e9afd6c860189ce4d49cebbb2e4c57bc

SHA256
c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c

SHA512
511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

Download Submit
C:\Users\Admin\AppData\Local\tDqov57Z\VERSION.dll
Filesize
1.2MB

MD5
38a3953bee34f94d77c38e8b6430d378

SHA1
c429cde7d9e99f2b54c1afed35348aedee572989

SHA256
2c5d3ca0a374a95610fa86eb971799477f28cad0bfebe35baf16ae7c3690ee01

SHA512
ed959b8e7ba882f2e61db77a4c665737638db0e41d2e5aca22473a64d7b08e26b1bc99010ef83fccf6a1dc0bf343ea47f2d9a9796fb59b1ce370df17f3fc1096

Download Submit
C:\Users\Admin\AppData\Local\tDqov57Z\iexpress.exe
Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
Filesize
1KB

MD5
488e301fce683cf87b9061adee71cad3

SHA1
63102dee170ff884f673c6766cc0c1471c1791bc

SHA256
b7fb24ae4f73987034c1bb85638ba29713f98f8ff9bd108dc6342e2eb0d31c31

SHA512
37a1b5b0afb8194aadc5ec5ca3464040d7003db9d6961ba75064c33d6a1a057addb20322785eb5b4c4da7344c11d5d36308de4e8b08bed8938de2f1e80942341

Download Submit
memory/2932-54-0x00007FF841F20000-0x00007FF842055000-memory.dmp

Filesize
1.2MB

Download
memory/2932-48-0x00007FF841F20000-0x00007FF842055000-memory.dmp

Filesize
1.2MB

Download
memory/2932-51-0x00000195EBCB0000-0x00000195EBCB7000-memory.dmp

Filesize
28KB

Download
memory/3156-41-0x00007FF850EC0000-0x00007FF850FF4000-memory.dmp

Filesize
1.2MB

Download
memory/3156-3-0x0000019497880000-0x0000019497887000-memory.dmp

Filesize
28KB

Download
memory/3156-0-0x00007FF850EC0000-0x00007FF850FF4000-memory.dmp

Filesize
1.2MB

Download
memory/3436-19-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-18-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-12-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-11-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-9-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-8-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-7-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-10-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-14-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-16-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-17-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-13-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-27-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-39-0x00000000010D0000-0x00000000010D7000-memory.dmp

Filesize
28KB

Download
memory/3436-40-0x00007FF85F950000-0x00007FF85F960000-memory.dmp

Filesize
64KB

Download
memory/3436-36-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3436-4-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/3436-6-0x00007FF85F16A000-0x00007FF85F16B000-memory.dmp

Filesize
4KB

Download
memory/3436-15-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/4016-71-0x00007FF841F20000-0x00007FF842056000-memory.dmp

Filesize
1.2MB

Download
memory/4016-66-0x00007FF841F20000-0x00007FF842056000-memory.dmp

Filesize
1.2MB

Download
memory/4016-65-0x000001E9E8EE0000-0x000001E9E8EE7000-memory.dmp

Filesize
28KB

Download
memory/4964-82-0x0000025361CE0000-0x0000025361CE7000-memory.dmp

Filesize
28KB

Download
memory/4964-88-0x00007FF841F20000-0x00007FF842055000-memory.dmp

Filesize
1.2MB

Download