dridex | 4892d89738704f770fbfa938a4007eba643a13c62f68585489c950f12322f778

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64ad7b6b4c821bc0f138e23a3ae8f98e_JaffaCakes118.dll
Size

1.2MB
MD5

64ad7b6b4c821bc0f138e23a3ae8f98e
SHA1

ff738b1f5284c28bdb0a2d5223ac0d6f05a47c44
SHA256

4892d89738704f770fbfa938a4007eba643a13c62f68585489c950f12322f778
SHA512

22021b36d63b082c6c7931d32153b4bc1d57756b3c950cdfd61be659b6d0a3920c5bff65a295fe4014e9940b6467bc2f99aaab9f1fa4302bb10964440416a60b
SSDEEP

24576:lVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:lV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1260-5-0x00000000025D0000-0x00000000025D1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

notepad.exeslui.exeSystemPropertiesPerformance.exe

pid process

2684 notepad.exe
2700 slui.exe
2744 SystemPropertiesPerformance.exe
Loads dropped DLL 7 IoCs

Processes:

notepad.exeslui.exeSystemPropertiesPerformance.exe

pid process

1260
2684 notepad.exe
1260
2700 slui.exe
1260
2744 SystemPropertiesPerformance.exe
1260

resource	yara_rule
behavioral1/memory/1260-5-0x00000000025D0000-0x00000000025D1000-memory.dmp	dridex_stager_shellcode

pid	process
2684	notepad.exe
2700	slui.exe
2744	SystemPropertiesPerformance.exe

pid	process
1260
2684	notepad.exe
1260
2700	slui.exe
1260
2744	SystemPropertiesPerformance.exe
1260

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\qW4rPk\\slui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesPerformance.exerundll32.exenotepad.exeslui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2392	rundll32.exe
2392	rundll32.exe
2392	rundll32.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1260 wrote to memory of 2724	1260	notepad.exe
PID 1260 wrote to memory of 2724	1260	notepad.exe
PID 1260 wrote to memory of 2724	1260	notepad.exe
PID 1260 wrote to memory of 2684	1260	notepad.exe
PID 1260 wrote to memory of 2684	1260	notepad.exe
PID 1260 wrote to memory of 2684	1260	notepad.exe
PID 1260 wrote to memory of 1928	1260	slui.exe
PID 1260 wrote to memory of 1928	1260	slui.exe
PID 1260 wrote to memory of 1928	1260	slui.exe
PID 1260 wrote to memory of 2700	1260	slui.exe
PID 1260 wrote to memory of 2700	1260	slui.exe
PID 1260 wrote to memory of 2700	1260	slui.exe
PID 1260 wrote to memory of 2720	1260	SystemPropertiesPerformance.exe
PID 1260 wrote to memory of 2720	1260	SystemPropertiesPerformance.exe
PID 1260 wrote to memory of 2720	1260	SystemPropertiesPerformance.exe
PID 1260 wrote to memory of 2744	1260	SystemPropertiesPerformance.exe
PID 1260 wrote to memory of 2744	1260	SystemPropertiesPerformance.exe
PID 1260 wrote to memory of 2744	1260	SystemPropertiesPerformance.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\64ad7b6b4c821bc0f138e23a3ae8f98e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2392

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:2724

C:\Users\Admin\AppData\Local\v6p\notepad.exe
C:\Users\Admin\AppData\Local\v6p\notepad.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2684

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:1928

C:\Users\Admin\AppData\Local\fpYCjOgQ\slui.exe
C:\Users\Admin\AppData\Local\fpYCjOgQ\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2700

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:2720

C:\Users\Admin\AppData\Local\5hE\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\5hE\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2744

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5hE\SYSDM.CPL
Filesize
1.2MB

MD5
c0eb04102f4512b2387bed72df675e8f

SHA1
098f410894b36d13ff9dae5742477ef3a21e53e0

SHA256
c1d346118371e6ec42408034500fa95b6aa7868fdc36ab9e36e45ebaccb8fc11

SHA512
8e26e1c813967f261843c8c7c4ddf15229376f2cbc7a8a700368288112853761400354e00f6130c53985f807718d9c8e26b6ffdc87070707647b25e1164df4af

Download Submit
C:\Users\Admin\AppData\Local\5hE\SystemPropertiesPerformance.exe
Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
C:\Users\Admin\AppData\Local\fpYCjOgQ\slc.dll
Filesize
1.2MB

MD5
65e5fb38251be1f47b6b11b1800dbf6a

SHA1
adf0241882279b6548ddb9b0c5bacae4d42cdac5

SHA256
f360bae5c34e5f94523267bda6bb235b3c5fbbe43ed83cd5bfc6c02224468915

SHA512
dcd69f8c9a7f5c858ce5733c24d96cf2bbf2cb768500008e15e3c4b15feef8f200ac7ec87bb0880015110f21f9366399500b7b2dda6da14d40eafb9cc844bc58

Download Submit
C:\Users\Admin\AppData\Local\v6p\VERSION.dll
Filesize
1.2MB

MD5
b38f64f6979ba66cff755f3e2283710e

SHA1
ced8e8235b94ed13b0f589a9050d1fd4349615bd

SHA256
df541051eeaa60f76dc9aeeb6d1efc85b2a31cde1d4da36f01f89df04f4ab1a4

SHA512
681f5930afae801d2d4aee3bc049363440898e39e8ac7541501265e6b6e2b43e3b938913c750bfc03e35afca918a4f57b139ebad57f74601c56ddfde40bd4964

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
Filesize
1KB

MD5
d97d78d2e44e6a8dfbaa401abf570254

SHA1
425d39b9f4d90a9ca3e93bc8b20a29914812cd67

SHA256
bb1470777635ab47e5e390768a1fd75e1dc9b759191e640d2938c77fd205f9ca

SHA512
223bffe894f3d3a226b24bb213b5310f3b9319e0d539206843e73289030638469ccc565745f62036787a6e5f2a6af28b80da091ace80d409f37b03ca8bd9b563

Download Submit
\Users\Admin\AppData\Local\fpYCjOgQ\slui.exe
Filesize
341KB

MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
\Users\Admin\AppData\Local\v6p\notepad.exe
Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
memory/1260-27-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

Filesize
8KB

Download
memory/1260-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1260-26-0x0000000076D41000-0x0000000076D42000-memory.dmp

Filesize
4KB

Download
memory/1260-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1260-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1260-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1260-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1260-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1260-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1260-4-0x0000000076C36000-0x0000000076C37000-memory.dmp

Filesize
4KB

Download
memory/1260-37-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1260-36-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1260-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1260-25-0x00000000025B0000-0x00000000025B7000-memory.dmp

Filesize
28KB

Download
memory/1260-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1260-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1260-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1260-64-0x0000000076C36000-0x0000000076C37000-memory.dmp

Filesize
4KB

Download
memory/2392-45-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2392-3-0x0000000001D00000-0x0000000001D07000-memory.dmp

Filesize
28KB

Download
memory/2392-0-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2684-56-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2684-59-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2684-53-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2700-78-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2700-75-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2744-93-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2744-96-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads