dridex | a00e30735a9c57cf4ecc0b3f55291dd33cb224df7958275b4f4ee68240b2cc20

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c69de7c83209a1bf71d62abae46b83_JaffaCakes118.dll
Size

989KB
MD5

71c69de7c83209a1bf71d62abae46b83
SHA1

2bc4a12a267d0cf44de82094c44c3555f2e775ac
SHA256

a00e30735a9c57cf4ecc0b3f55291dd33cb224df7958275b4f4ee68240b2cc20
SHA512

8ba0c7e0dc7b8ba55a94792a3e4921792ee6ed314928e5e6a43897e5e8a6ca43a302a978195bb1a1d8bba348f66e656431686aba95fb9d7c580bca5d394b4e11
SSDEEP

24576:yVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:yV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1408-5-0x0000000002570000-0x0000000002571000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

Netplwiz.exerdrleakdiag.exewusa.exe

pid process

2200 Netplwiz.exe
1012 rdrleakdiag.exe
2008 wusa.exe
Loads dropped DLL 7 IoCs

Processes:

Netplwiz.exerdrleakdiag.exewusa.exe

pid process

1408
2200 Netplwiz.exe
1408
1012 rdrleakdiag.exe
1408
2008 wusa.exe
1408

resource	yara_rule
behavioral1/memory/1408-5-0x0000000002570000-0x0000000002571000-memory.dmp	dridex_stager_shellcode

pid	process
2200	Netplwiz.exe
1012	rdrleakdiag.exe
2008	wusa.exe

pid	process
1408
2200	Netplwiz.exe
1408
1012	rdrleakdiag.exe
1408
2008	wusa.exe
1408

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\4y0Uqh\\RDRLEA~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wusa.exerundll32.exeNetplwiz.exerdrleakdiag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdrleakdiag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2232	rundll32.exe
2232	rundll32.exe
2232	rundll32.exe
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1408 wrote to memory of 2356	1408	Netplwiz.exe
PID 1408 wrote to memory of 2356	1408	Netplwiz.exe
PID 1408 wrote to memory of 2356	1408	Netplwiz.exe
PID 1408 wrote to memory of 2200	1408	Netplwiz.exe
PID 1408 wrote to memory of 2200	1408	Netplwiz.exe
PID 1408 wrote to memory of 2200	1408	Netplwiz.exe
PID 1408 wrote to memory of 2848	1408	rdrleakdiag.exe
PID 1408 wrote to memory of 2848	1408	rdrleakdiag.exe
PID 1408 wrote to memory of 2848	1408	rdrleakdiag.exe
PID 1408 wrote to memory of 1012	1408	rdrleakdiag.exe
PID 1408 wrote to memory of 1012	1408	rdrleakdiag.exe
PID 1408 wrote to memory of 1012	1408	rdrleakdiag.exe
PID 1408 wrote to memory of 2372	1408	wusa.exe
PID 1408 wrote to memory of 2372	1408	wusa.exe
PID 1408 wrote to memory of 2372	1408	wusa.exe
PID 1408 wrote to memory of 2008	1408	wusa.exe
PID 1408 wrote to memory of 2008	1408	wusa.exe
PID 1408 wrote to memory of 2008	1408	wusa.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c69de7c83209a1bf71d62abae46b83_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2232

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2356

C:\Users\Admin\AppData\Local\WkDfx\Netplwiz.exe
C:\Users\Admin\AppData\Local\WkDfx\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2200

C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
1⤵
PID:2848

C:\Users\Admin\AppData\Local\rwC\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\rwC\rdrleakdiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1012

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:2372

C:\Users\Admin\AppData\Local\gQKIeNvh\wusa.exe
C:\Users\Admin\AppData\Local\gQKIeNvh\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2008

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WkDfx\NETPLWIZ.dll
Filesize
989KB

MD5
a4ee8cb8af82c5a0ce7a03690ba8ee89

SHA1
40eb71806ecd23d5c136c2ac0db214696e3fb81e

SHA256
98c986ed41642779a9343c7871d0c661e679cd254debeb6a47c6d7b2ce000c09

SHA512
0a27a3cf1e8332825cc96ee0ff9c9e6f1e988c8612ff645cb421a63e99477170691b5e450f6e12dfb0ed07e362240f182dfbc8fd96d808f910650d66da1f04b7

Download Submit
C:\Users\Admin\AppData\Local\rwC\wer.dll
Filesize
992KB

MD5
b678c40ae1a79327ebe589c4964869d9

SHA1
8f72abd44861f5702e4b45c601a6740815fb372e

SHA256
6fabb5a2c56b7c319914ff139577672bb3c939f57be4c3633585cb77f3501cda

SHA512
f09845d1828cf9b7299dee6a664ef579e9e472ea48a73576c5ada4fe20131f8c4b6005a2d8c5a6c76a0dc15787899a904cf7723e587ebaa2262cac96319757ec

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
af51ff7b6e76ac5ec3ab2f9ab13ad193

SHA1
546abab3beddb94dd425b6ba0814f1e4a164ad44

SHA256
7ba59ba6e57472c32de778eac766017425cd6dd13bfd8f109920674d90d26afa

SHA512
86e348f7a7405be3e615bd6990f21cd5a99fcbc57b3ecec50f8cd0bf67fc7adb6ef93e2ceddc849614db4a70a6866abb900ce63cbe31200b9a28e9726fbcc6bf

Download Submit
\Users\Admin\AppData\Local\WkDfx\Netplwiz.exe
Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
\Users\Admin\AppData\Local\gQKIeNvh\WTSAPI32.dll
Filesize
991KB

MD5
5976648fee6a647fff427ed727140ff7

SHA1
e2d6d7d67d5f743910f8417a479d5d04b13566f7

SHA256
2c6ef82bb8eaf5ff744840820af0305b2fd4488a8b7f3d691c4442d0e733da11

SHA512
9f8d42d1242c308ee5f18e505ed476b54e8dae4bdb98939dfd2786177018185bc1927c62b45853194e1e05d36f064528e39b4cdfd6cb4035e1cc37239f534b76

Download Submit
\Users\Admin\AppData\Local\gQKIeNvh\wusa.exe
Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
\Users\Admin\AppData\Local\rwC\rdrleakdiag.exe
Filesize
39KB

MD5
5e058566af53848541fa23fba4bb5b81

SHA1
769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

SHA256
ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

SHA512
352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

Download Submit
memory/1012-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1012-71-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1408-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1408-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1408-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1408-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1408-24-0x0000000002550000-0x0000000002557000-memory.dmp

Filesize
28KB

Download
memory/1408-25-0x00000000773F1000-0x00000000773F2000-memory.dmp

Filesize
4KB

Download
memory/1408-26-0x0000000077580000-0x0000000077582000-memory.dmp

Filesize
8KB

Download
memory/1408-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1408-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1408-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1408-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1408-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1408-52-0x00000000772E6000-0x00000000772E7000-memory.dmp

Filesize
4KB

Download
memory/1408-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1408-4-0x00000000772E6000-0x00000000772E7000-memory.dmp

Filesize
4KB

Download
memory/1408-5-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1408-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2008-89-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/2008-95-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2200-53-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/2200-59-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2200-54-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2232-38-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2232-0-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2232-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads