dridex | 301841aaf350823c55016d1092ffe88785d5cd97263bc2eb025ef908dadef41a

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8604774bbfe1f722a0064a287ae9309c_JaffaCakes118.dll
Size

987KB
MD5

8604774bbfe1f722a0064a287ae9309c
SHA1

ff9d68148a3e3e1b55421ec68745ae1b3f09c3d1
SHA256

301841aaf350823c55016d1092ffe88785d5cd97263bc2eb025ef908dadef41a
SHA512

eafac14440bec2452c1b36edc82fa7e536433e1fcbe8f80cda4cfe7e5a9b4f4cb080189d61c826c1aa090105eb42e50101f7f56c777a062ab93d9d691e323e42
SSDEEP

24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1196-5-0x0000000002E00000-0x0000000002E01000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

perfmon.exeStikyNot.exeWindowsAnytimeUpgradeResults.exe

pid process

2736 perfmon.exe
2316 StikyNot.exe
2100 WindowsAnytimeUpgradeResults.exe
Loads dropped DLL 7 IoCs

Processes:

perfmon.exeStikyNot.exeWindowsAnytimeUpgradeResults.exe

pid process

1196
2736 perfmon.exe
1196
2316 StikyNot.exe
1196
2100 WindowsAnytimeUpgradeResults.exe
1196

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002E00000-0x0000000002E01000-memory.dmp	dridex_stager_shellcode

pid	process
2736	perfmon.exe
2316	StikyNot.exe
2100	WindowsAnytimeUpgradeResults.exe

pid	process
1196
2736	perfmon.exe
1196
2316	StikyNot.exe
1196
2100	WindowsAnytimeUpgradeResults.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\31v\\StikyNot.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeperfmon.exeStikyNot.exeWindowsAnytimeUpgradeResults.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StikyNot.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2104	rundll32.exe
2104	rundll32.exe
2104	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2464	1196	perfmon.exe
PID 1196 wrote to memory of 2464	1196	perfmon.exe
PID 1196 wrote to memory of 2464	1196	perfmon.exe
PID 1196 wrote to memory of 2736	1196	perfmon.exe
PID 1196 wrote to memory of 2736	1196	perfmon.exe
PID 1196 wrote to memory of 2736	1196	perfmon.exe
PID 1196 wrote to memory of 2008	1196	StikyNot.exe
PID 1196 wrote to memory of 2008	1196	StikyNot.exe
PID 1196 wrote to memory of 2008	1196	StikyNot.exe
PID 1196 wrote to memory of 2316	1196	StikyNot.exe
PID 1196 wrote to memory of 2316	1196	StikyNot.exe
PID 1196 wrote to memory of 2316	1196	StikyNot.exe
PID 1196 wrote to memory of 3008	1196	WindowsAnytimeUpgradeResults.exe
PID 1196 wrote to memory of 3008	1196	WindowsAnytimeUpgradeResults.exe
PID 1196 wrote to memory of 3008	1196	WindowsAnytimeUpgradeResults.exe
PID 1196 wrote to memory of 2100	1196	WindowsAnytimeUpgradeResults.exe
PID 1196 wrote to memory of 2100	1196	WindowsAnytimeUpgradeResults.exe
PID 1196 wrote to memory of 2100	1196	WindowsAnytimeUpgradeResults.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8604774bbfe1f722a0064a287ae9309c_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:2464

C:\Users\Admin\AppData\Local\Yly\perfmon.exe
C:\Users\Admin\AppData\Local\Yly\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2736

C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
1⤵
PID:2008

C:\Users\Admin\AppData\Local\6aWJy\StikyNot.exe
C:\Users\Admin\AppData\Local\6aWJy\StikyNot.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2316

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:3008

C:\Users\Admin\AppData\Local\GRi\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\GRi\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2100

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6aWJy\dwmapi.dll
Filesize
988KB

MD5
27e4a3469bd7a8a49f6624ed1c7835d1

SHA1
7a17cb8aa777b5c1ab029ae4b20dc831bca6d8a4

SHA256
07fc39d6dc18e6c308f27f004d05486bd7c2e987df738a762e32c7daaffb0e91

SHA512
fb70a7bf8ae250a33ef0d01456081a860a71813e004eda2f20c46b97b762b195d2df3d26e6ec6f8a36d97e79f7061981c51bdfd9276e72c11c19579fa53182ad

Download Submit
C:\Users\Admin\AppData\Local\GRi\UxTheme.dll
Filesize
989KB

MD5
f801108c52b8ab3306c52ce022eecb8b

SHA1
2bfc596461f6f9a0129b32106ff4a20d0b0b7bd1

SHA256
ea4bff07ac3cbc0d208e8068fe90f65b86c2246f87fc8ee2cc59e1828f4beb9b

SHA512
a4b656b5c7465e321c4b2039a5d848358e9b7cae051d7380f8ffd61c1c318bcaa1a80505c8451acf709da18c8bc37e7d1649e284689d178ef8ced153b58f5c66

Download Submit
C:\Users\Admin\AppData\Local\GRi\WindowsAnytimeUpgradeResults.exe
Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
C:\Users\Admin\AppData\Local\Yly\Secur32.dll
Filesize
990KB

MD5
4492aaa43d0c6f0d3c26b347e71f6487

SHA1
be20fc97e1803d6d2563f8edb6c21a28308fb3ff

SHA256
416fc1008d07755a52dbbc481d4ff108bac6cdbb9bea5fcde44044a013a11cf6

SHA512
8c9c30d2d6bb52d4e55d60de62922afa14ad000fd440595692720259c37770d2a94c0a95c3cf98054bf4ce0b65805ea091c7b339675f2d24115bf42117de5309

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnk
Filesize
832B

MD5
600a9f381a2c67e707a9b1bf08ec9426

SHA1
dff0f8b0774dc248942441c630507ca021e47bdc

SHA256
27b50b23b4bbeed68dd02407d26d60f2b83d0078f736a6e17c97041264a422ed

SHA512
234342d40a69d07f8eb457c53955ecb3467745e4642034dac51f81347b3b8c165907869b537ba281159f2233ac1b6e28fa5de47e940a9410b56086079c39e839

Download Submit
\Users\Admin\AppData\Local\6aWJy\StikyNot.exe
Filesize
417KB

MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
\Users\Admin\AppData\Local\Yly\perfmon.exe
Filesize
168KB

MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
memory/1196-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-28-0x0000000077D90000-0x0000000077D92000-memory.dmp

Filesize
8KB

Download
memory/1196-27-0x0000000077C01000-0x0000000077C02000-memory.dmp

Filesize
4KB

Download
memory/1196-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-4-0x00000000779F6000-0x00000000779F7000-memory.dmp

Filesize
4KB

Download
memory/1196-24-0x0000000002DE0000-0x0000000002DE7000-memory.dmp

Filesize
28KB

Download
memory/1196-5-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1196-73-0x00000000779F6000-0x00000000779F7000-memory.dmp

Filesize
4KB

Download
memory/1196-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2100-94-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2104-3-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2104-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2104-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2316-74-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2316-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2736-56-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2736-55-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/2736-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads