dridex | 095248ed3b37a6a13dc0e755bc6480e04b9c6c7f21f05b7c7de8669da2378a91

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bbc3a414ecfee5ef1ad3915de9e7275_JaffaCakes118.dll
Size

990KB
MD5

5bbc3a414ecfee5ef1ad3915de9e7275
SHA1

5d7a2f05e453beca108e0aad77c56716d1aec5c2
SHA256

095248ed3b37a6a13dc0e755bc6480e04b9c6c7f21f05b7c7de8669da2378a91
SHA512

2eeb33941202ca5f5f9b592da09d63e9632c460b35eadd1ace0835439e47c5a92388096dd6cb8afd3aca1a584e7a7215f9f5d7589b990246c60c54c9b03418b5
SSDEEP

24576:iVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:iV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1144-5-0x0000000002DD0000-0x0000000002DD1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

TpmInit.exemmc.exemfpmp.exe

pid process

2436 TpmInit.exe
776 mmc.exe
544 mfpmp.exe
Loads dropped DLL 7 IoCs

Processes:

TpmInit.exemmc.exemfpmp.exe

pid process

1144
2436 TpmInit.exe
1144
776 mmc.exe
1144
544 mfpmp.exe
1144

resource	yara_rule
behavioral1/memory/1144-5-0x0000000002DD0000-0x0000000002DD1000-memory.dmp	dridex_stager_shellcode

pid	process
2436	TpmInit.exe
776	mmc.exe
544	mfpmp.exe

pid	process
1144
2436	TpmInit.exe
1144
776	mmc.exe
1144
544	mfpmp.exe
1144

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ybhspkdtbke = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\uvpC1Wn6i\\mmc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeTpmInit.exemmc.exemfpmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TpmInit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2224	rundll32.exe
2224	rundll32.exe
2224	rundll32.exe
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144
1144

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1144 wrote to memory of 2648	1144	TpmInit.exe
PID 1144 wrote to memory of 2648	1144	TpmInit.exe
PID 1144 wrote to memory of 2648	1144	TpmInit.exe
PID 1144 wrote to memory of 2436	1144	TpmInit.exe
PID 1144 wrote to memory of 2436	1144	TpmInit.exe
PID 1144 wrote to memory of 2436	1144	TpmInit.exe
PID 1144 wrote to memory of 2312	1144	mmc.exe
PID 1144 wrote to memory of 2312	1144	mmc.exe
PID 1144 wrote to memory of 2312	1144	mmc.exe
PID 1144 wrote to memory of 776	1144	mmc.exe
PID 1144 wrote to memory of 776	1144	mmc.exe
PID 1144 wrote to memory of 776	1144	mmc.exe
PID 1144 wrote to memory of 2624	1144	mfpmp.exe
PID 1144 wrote to memory of 2624	1144	mfpmp.exe
PID 1144 wrote to memory of 2624	1144	mfpmp.exe
PID 1144 wrote to memory of 544	1144	mfpmp.exe
PID 1144 wrote to memory of 544	1144	mfpmp.exe
PID 1144 wrote to memory of 544	1144	mfpmp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bbc3a414ecfee5ef1ad3915de9e7275_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2224

C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
1⤵
PID:2648

C:\Users\Admin\AppData\Local\WcZI\TpmInit.exe
C:\Users\Admin\AppData\Local\WcZI\TpmInit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2436

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:2312

C:\Users\Admin\AppData\Local\J7b5pW8RF\mmc.exe
C:\Users\Admin\AppData\Local\J7b5pW8RF\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:776

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:2624

C:\Users\Admin\AppData\Local\hXcF\mfpmp.exe
C:\Users\Admin\AppData\Local\hXcF\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:544

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\J7b5pW8RF\DUser.dll
Filesize
993KB

MD5
8c11a5619673a9fa5fc4f894c769f9dd

SHA1
00ae7f6001315e5f39d035c5a4bef1addd56f3e5

SHA256
a63fbdea2b5a7655f3c1db902d21ae30b866d708545e1654117bd236fa290c1c

SHA512
cca27df80453f7037054da42edac5e0158fef256197a13d1fdf6d2b4418a520971ae9f80f89a90d9ee3812e8bf7f8f16795fb75cfb4b5698748fbedad4a29f89

Download Submit
C:\Users\Admin\AppData\Local\J7b5pW8RF\mmc.exe
Filesize
2.0MB

MD5
9fea051a9585f2a303d55745b4bf63aa

SHA1
f5dc12d658402900a2b01af2f018d113619b96b8

SHA256
b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

SHA512
beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

Download Submit
C:\Users\Admin\AppData\Local\WcZI\ACTIVEDS.dll
Filesize
991KB

MD5
3d1ec3e34ee43840cdef46d16f3d6c92

SHA1
b53b5c0ffcbdcd141e6ecec50ec929dc23509726

SHA256
9bb8ac4b6ff06b914ea251fa4c989fcf89a5086d5f35982b4b5a2921e4adf4d1

SHA512
7df31fd65a874cf8d9a9745cc82dd96e8165a0c9b901d17aaf5e862cbd6af3521c91a2cfe5f774e4c955102a2a72212e49f64b1352031b1084444297114033a7

Download Submit
C:\Users\Admin\AppData\Local\hXcF\MFPlat.DLL
Filesize
996KB

MD5
b8c33e4184b9c2f0a3046d6ca5f9eb26

SHA1
f1c7d7c273fe4668729b39a13cce54eed9982ce5

SHA256
dd5b93b8f956e1bebfe7a2ca4f3fd0b8cf6bbc742057c9ab479d8e6a3206046d

SHA512
fb72248433ac021a1d6df4fbe084da39cda8c50ad1e90b230297ab874ec621911807886274341f72d300f5b2ee9856f32056e2247cc921fde98de74380b51a17

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
Filesize
1KB

MD5
ebb0a79284bff2f539687400b35165b6

SHA1
83e4ec2ff18bdc7b7d5803c343a55dffd7e10c8e

SHA256
679873a6b7b28a972f11a1c43d7397dae75cd7b9f86d150df5a07d7435099aa2

SHA512
b5cd9ae37eaa46284f0cf92013951ea6001eed7e229514185e62b638955f974ff3cb02afa1aa352f94768adceedd1a0a6ba136f4739c1fdce68edb5ce648ee77

Download Submit
\Users\Admin\AppData\Local\WcZI\TpmInit.exe
Filesize
112KB

MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
\Users\Admin\AppData\Local\hXcF\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
memory/544-93-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/544-96-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/544-90-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/776-78-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/776-72-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/1144-37-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1144-24-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1144-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1144-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1144-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1144-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1144-36-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1144-4-0x0000000077506000-0x0000000077507000-memory.dmp

Filesize
4KB

Download
memory/1144-14-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1144-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1144-5-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/1144-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1144-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1144-25-0x0000000002DB0000-0x0000000002DB7000-memory.dmp

Filesize
28KB

Download
memory/1144-26-0x0000000077711000-0x0000000077712000-memory.dmp

Filesize
4KB

Download
memory/1144-71-0x0000000077506000-0x0000000077507000-memory.dmp

Filesize
4KB

Download
memory/1144-27-0x00000000778A0000-0x00000000778A2000-memory.dmp

Filesize
8KB

Download
memory/1144-15-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2224-3-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2224-45-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2224-0-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2436-59-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2436-56-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2436-53-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads