dridex | f9596306e520a651e3f91e376df0211f2cf382a5b0e69b4900357abb3c6b7a7e

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73675d3e6348ef7b1be6cc67b90f6333_JaffaCakes118.dll
Size

1.2MB
MD5

73675d3e6348ef7b1be6cc67b90f6333
SHA1

1acb6cc9cb689cf8c28eb1df47c9d82ff194aacc
SHA256

f9596306e520a651e3f91e376df0211f2cf382a5b0e69b4900357abb3c6b7a7e
SHA512

bba7f9e8b727bcdb716f2c9d19fd03700d1c8d4f5055c3329a2e31f6c4068d7ea0cf31c1cb659b66c22875ff383ef1087f95a96977e51ee14e80d10f082eb688
SSDEEP

24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1224-5-0x0000000002910000-0x0000000002911000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

rrinstaller.exemstsc.exeSndVol.exe

pid process

2688 rrinstaller.exe
2648 mstsc.exe
1780 SndVol.exe
Loads dropped DLL 7 IoCs

Processes:

rrinstaller.exemstsc.exeSndVol.exe

pid process

1224
2688 rrinstaller.exe
1224
2648 mstsc.exe
1224
1780 SndVol.exe
1224

resource	yara_rule
behavioral1/memory/1224-5-0x0000000002910000-0x0000000002911000-memory.dmp	dridex_stager_shellcode

pid	process
2688	rrinstaller.exe
2648	mstsc.exe
1780	SndVol.exe

pid	process
1224
2688	rrinstaller.exe
1224
2648	mstsc.exe
1224
1780	SndVol.exe
1224

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\pHVSMb\\mstsc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerrinstaller.exemstsc.exeSndVol.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1300	rundll32.exe
1300	rundll32.exe
1300	rundll32.exe
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1224 wrote to memory of 2524	1224	rrinstaller.exe
PID 1224 wrote to memory of 2524	1224	rrinstaller.exe
PID 1224 wrote to memory of 2524	1224	rrinstaller.exe
PID 1224 wrote to memory of 2688	1224	rrinstaller.exe
PID 1224 wrote to memory of 2688	1224	rrinstaller.exe
PID 1224 wrote to memory of 2688	1224	rrinstaller.exe
PID 1224 wrote to memory of 2484	1224	mstsc.exe
PID 1224 wrote to memory of 2484	1224	mstsc.exe
PID 1224 wrote to memory of 2484	1224	mstsc.exe
PID 1224 wrote to memory of 2648	1224	mstsc.exe
PID 1224 wrote to memory of 2648	1224	mstsc.exe
PID 1224 wrote to memory of 2648	1224	mstsc.exe
PID 1224 wrote to memory of 964	1224	SndVol.exe
PID 1224 wrote to memory of 964	1224	SndVol.exe
PID 1224 wrote to memory of 964	1224	SndVol.exe
PID 1224 wrote to memory of 1780	1224	SndVol.exe
PID 1224 wrote to memory of 1780	1224	SndVol.exe
PID 1224 wrote to memory of 1780	1224	SndVol.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\73675d3e6348ef7b1be6cc67b90f6333_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1300

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:2524

C:\Users\Admin\AppData\Local\M2AtSp8sQ\rrinstaller.exe
C:\Users\Admin\AppData\Local\M2AtSp8sQ\rrinstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2688

C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
1⤵
PID:2484

C:\Users\Admin\AppData\Local\VUGhKMR\mstsc.exe
C:\Users\Admin\AppData\Local\VUGhKMR\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2648

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:964

C:\Users\Admin\AppData\Local\FwDO8\SndVol.exe
C:\Users\Admin\AppData\Local\FwDO8\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1780

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FwDO8\UxTheme.dll
Filesize
1.2MB

MD5
aa2659a9b386e0ae5b4a6872f86ecd8d

SHA1
d7e273a52c5193dc2a625d2cfa70814acf0b00c7

SHA256
51c53c8b5496a84311b16fdea2e639ebae82d04b436b572d98a6b0f3493cc885

SHA512
fb95ad11b6e39b7fb04512a9cf6e15e2fab74d75ddd167af51568dd4e431dabde7655090f417cc252b84fdf58ee3d24a019e73b04079aa37bf613ba764019119

Download Submit
C:\Users\Admin\AppData\Local\M2AtSp8sQ\MFPlat.DLL
Filesize
1.2MB

MD5
b657e216eedef7ad068b1815065f8469

SHA1
18b456804c79427a83d0cec36f9c3e5ac953fc9b

SHA256
20175de4dc75edaf738c3d329120cb98c9c351a628e8858b1fb6c64e908b4cfb

SHA512
29e23784493fc8772eef2a87f033a315e2d911e6ea3ea8f44a9cd6b5e68150676a401aba3f3ba7f47ce2dc805da6cc680fc4c3e0ed835724a7fdcd15cb91f161

Download Submit
C:\Users\Admin\AppData\Local\VUGhKMR\credui.dll
Filesize
1.2MB

MD5
e4bfff935b2ffce68b40e3faff449c55

SHA1
f2b4a5e6fc97602a101e23ef0bdb5e8e60eaeab9

SHA256
1dca0d26231d2d0cff6227ef2924cd3834d069a9d204bbb0cea5e0776d5c9eda

SHA512
d26f4bb1c3d443409faad15240dce4623a275f41f9b985c7f0504e4f1aeb91fbf80227fb0e254850a4f99e2778757d59d3a407e77c170bcb42913b18a849675d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
d3e9d1f93d6a0680ff6603920e1a078d

SHA1
0e58159258a31604493c0dc47a4f43c0d3b94c21

SHA256
05790ef45bc9f53378e5205d2d1d2ec5574d3a175c7e5fd8f37550c246132933

SHA512
94f27c1baf6837c26207140d6c4a7580d2e2b97c57960cf35cf861fbd839de32160b1d00483356e5f85ea6b0b99c9ffbc5bcd41779ced428e11b57674cf8ecd4

Download Submit
\Users\Admin\AppData\Local\FwDO8\SndVol.exe
Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
\Users\Admin\AppData\Local\M2AtSp8sQ\rrinstaller.exe
Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
\Users\Admin\AppData\Local\VUGhKMR\mstsc.exe
Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
memory/1224-26-0x00000000028F0000-0x00000000028F7000-memory.dmp

Filesize
28KB

Download
memory/1224-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1224-4-0x0000000076D36000-0x0000000076D37000-memory.dmp

Filesize
4KB

Download
memory/1224-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1224-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1224-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1224-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1224-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1224-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1224-28-0x0000000076FD0000-0x0000000076FD2000-memory.dmp

Filesize
8KB

Download
memory/1224-27-0x0000000076E41000-0x0000000076E42000-memory.dmp

Filesize
4KB

Download
memory/1224-5-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1224-38-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1224-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1224-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1224-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1224-54-0x0000000076D36000-0x0000000076D37000-memory.dmp

Filesize
4KB

Download
memory/1224-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1224-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1300-33-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1300-0-0x0000000001BC0000-0x0000000001BC7000-memory.dmp

Filesize
28KB

Download
memory/1300-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1780-96-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2648-73-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/2648-74-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2648-79-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2688-61-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2688-56-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2688-55-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads