dridex | f85f26d71c527e7078122cfaee013e2881573630fdcfc8dcde64a24698824105

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ecdae8ff4ce7a29e1cc131d4ff098b0_JaffaCakes118.dll
Size

1.2MB
MD5

7ecdae8ff4ce7a29e1cc131d4ff098b0
SHA1

883913c06a7e5867ecadaa6c5943c2875066e9e1
SHA256

f85f26d71c527e7078122cfaee013e2881573630fdcfc8dcde64a24698824105
SHA512

7930e981d2eda7b6f9c2a76d1861ec65cbcf897b086f456296a9ea1d3979da2b432cace42dd9b3b24a23669df598566bb4e189c3c4956205658d6ceaf23278ee
SSDEEP

24576:iVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:iV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1216-5-0x0000000002160000-0x0000000002161000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

osk.exeDisplaySwitch.exedialer.exe

pid process

2484 osk.exe
304 DisplaySwitch.exe
2296 dialer.exe
Loads dropped DLL 7 IoCs

Processes:

osk.exeDisplaySwitch.exedialer.exe

pid process

1216
2484 osk.exe
1216
304 DisplaySwitch.exe
1216
2296 dialer.exe
1216

resource	yara_rule
behavioral1/memory/1216-5-0x0000000002160000-0x0000000002161000-memory.dmp	dridex_stager_shellcode

pid	process
2484	osk.exe
304	DisplaySwitch.exe
2296	dialer.exe

pid	process
1216
2484	osk.exe
1216
304	DisplaySwitch.exe
1216
2296	dialer.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aknlhzir = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\ddNcrhaG\\DisplaySwitch.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DisplaySwitch.exedialer.exerundll32.exeosk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
844	rundll32.exe
844	rundll32.exe
844	rundll32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1216 wrote to memory of 1872	1216	osk.exe
PID 1216 wrote to memory of 1872	1216	osk.exe
PID 1216 wrote to memory of 1872	1216	osk.exe
PID 1216 wrote to memory of 2484	1216	osk.exe
PID 1216 wrote to memory of 2484	1216	osk.exe
PID 1216 wrote to memory of 2484	1216	osk.exe
PID 1216 wrote to memory of 3016	1216	DisplaySwitch.exe
PID 1216 wrote to memory of 3016	1216	DisplaySwitch.exe
PID 1216 wrote to memory of 3016	1216	DisplaySwitch.exe
PID 1216 wrote to memory of 304	1216	DisplaySwitch.exe
PID 1216 wrote to memory of 304	1216	DisplaySwitch.exe
PID 1216 wrote to memory of 304	1216	DisplaySwitch.exe
PID 1216 wrote to memory of 2092	1216	dialer.exe
PID 1216 wrote to memory of 2092	1216	dialer.exe
PID 1216 wrote to memory of 2092	1216	dialer.exe
PID 1216 wrote to memory of 2296	1216	dialer.exe
PID 1216 wrote to memory of 2296	1216	dialer.exe
PID 1216 wrote to memory of 2296	1216	dialer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ecdae8ff4ce7a29e1cc131d4ff098b0_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:1872

C:\Users\Admin\AppData\Local\dIBR\osk.exe
C:\Users\Admin\AppData\Local\dIBR\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2484

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:3016

C:\Users\Admin\AppData\Local\55Aj7RtX\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\55Aj7RtX\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:304

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:2092

C:\Users\Admin\AppData\Local\YmSRh\dialer.exe
C:\Users\Admin\AppData\Local\YmSRh\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2296

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\55Aj7RtX\slc.dll
Filesize
1.2MB

MD5
4246276b8e07c4bb5be474cd747293df

SHA1
0168b91ccee23f81b43664c2f7f141da286212db

SHA256
e34dd6a1470978df7378676bf2d0f687005bfdbb604e41197001db5eecadb8c5

SHA512
07a9d7ed95033a3a269afe14dbbae5aaf3fae0272c77925d06a4d4ba78f46d59085181127c9026ede801056198d6f93ad33703c47e570b913a4f0f68ab3ed8cf

Download Submit
C:\Users\Admin\AppData\Local\YmSRh\TAPI32.dll
Filesize
1.2MB

MD5
7d5323fa636cb1f2ad669197365bfd04

SHA1
2ebd638297e2924fed6538af2a6c4b80e9956ada

SHA256
0e42638fffd75fd00c68d6de3013bbdb27d247941f0ae9bac41d6f98f5ab2fb4

SHA512
c413afbeed24d06ae3cd377ceaffecf8d5355a99779b6778814769a1bdb1755500f3e41230b3ebbd9e347c16de245feaf0a92f305650b14403b6e919743891bf

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qscjinkjzo.lnk
Filesize
1KB

MD5
819c3266f0471edf9a85cb5ba0e56ad4

SHA1
112e76b29d7ce17bc68e93a187bb58b0a2611953

SHA256
70499e29ae111a26d7fb70f1d0ea507e6e2eff2dee9e28a4874612867f5566fe

SHA512
eac12ae63c2c73d87a0bab5fa4f0975f8cfd30754218048ed87e1f919e774f84eef629b27c08b68714086ea234da9cce18023603ce23382cfafd378fd911c538

Download Submit
\Users\Admin\AppData\Local\55Aj7RtX\DisplaySwitch.exe
Filesize
517KB

MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
\Users\Admin\AppData\Local\YmSRh\dialer.exe
Filesize
34KB

MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
\Users\Admin\AppData\Local\dIBR\dwmapi.dll
Filesize
1.2MB

MD5
8697a281f0cc756d6a596eb1b776bdf3

SHA1
85ffc4a0de329ad6e6b51ed766f7bdb517eb6994

SHA256
36372ddafdba2edf9da0c2757f945224c3222be35b3c8b0cf58085a8975a1c94

SHA512
29a86b749af5e899f8ba7d66fab691ae9055afb4a72629ad0d784695af0480dd553e1e286da5354187ecc40469e692a2e0f63ce0aa24944e83b3345599a354f4

Download Submit
\Users\Admin\AppData\Local\dIBR\osk.exe
Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
memory/304-78-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/304-72-0x0000000000420000-0x0000000000427000-memory.dmp

Filesize
28KB

Download
memory/844-3-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/844-0-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/844-45-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1216-36-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1216-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1216-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1216-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1216-25-0x0000000002140000-0x0000000002147000-memory.dmp

Filesize
28KB

Download
memory/1216-37-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1216-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1216-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1216-26-0x00000000778F1000-0x00000000778F2000-memory.dmp

Filesize
4KB

Download
memory/1216-27-0x0000000077A80000-0x0000000077A82000-memory.dmp

Filesize
8KB

Download
memory/1216-4-0x00000000777E6000-0x00000000777E7000-memory.dmp

Filesize
4KB

Download
memory/1216-5-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1216-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1216-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1216-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1216-71-0x00000000777E6000-0x00000000777E7000-memory.dmp

Filesize
4KB

Download
memory/1216-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1216-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2296-90-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2296-96-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2296-91-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2484-59-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2484-54-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2484-53-0x0000000001AC0000-0x0000000001AC7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads