dridex | 3f2488ce70762013f6f9676dd8befcbd5bbe5047ee4347721c2b3322e717c443

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

873e68ab6613d1167288b61d0c678ffb_JaffaCakes118.dll
Size

988KB
MD5

873e68ab6613d1167288b61d0c678ffb
SHA1

d5ef0c7035ca42a6fa34f8bb2b17b713ba0ed767
SHA256

3f2488ce70762013f6f9676dd8befcbd5bbe5047ee4347721c2b3322e717c443
SHA512

f1ca4f58ee50b5e808bc88b3a22aacfa2d8c31113f7cf39091a50e09abc42efe69b83e5f4368a9f66c876e0b776380f1e9b1373d0bff05ba7c7eaad71121c798
SSDEEP

24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1196-5-0x0000000002D40000-0x0000000002D41000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

vmicsvc.exeOptionalFeatures.exefvenotify.exe

pid process

2616 vmicsvc.exe
2580 OptionalFeatures.exe
2628 fvenotify.exe
Loads dropped DLL 7 IoCs

Processes:

vmicsvc.exeOptionalFeatures.exefvenotify.exe

pid process

1196
2616 vmicsvc.exe
1196
2580 OptionalFeatures.exe
1196
2628 fvenotify.exe
1196

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002D40000-0x0000000002D41000-memory.dmp	dridex_stager_shellcode

pid	process
2616	vmicsvc.exe
2580	OptionalFeatures.exe
2628	fvenotify.exe

pid	process
1196
2616	vmicsvc.exe
1196
2580	OptionalFeatures.exe
1196
2628	fvenotify.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\PC2KZTNK\\2L\\OPTION~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exevmicsvc.exeOptionalFeatures.exefvenotify.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2328	rundll32.exe
2328	rundll32.exe
2328	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2688	1196	vmicsvc.exe
PID 1196 wrote to memory of 2688	1196	vmicsvc.exe
PID 1196 wrote to memory of 2688	1196	vmicsvc.exe
PID 1196 wrote to memory of 2616	1196	vmicsvc.exe
PID 1196 wrote to memory of 2616	1196	vmicsvc.exe
PID 1196 wrote to memory of 2616	1196	vmicsvc.exe
PID 1196 wrote to memory of 2968	1196	OptionalFeatures.exe
PID 1196 wrote to memory of 2968	1196	OptionalFeatures.exe
PID 1196 wrote to memory of 2968	1196	OptionalFeatures.exe
PID 1196 wrote to memory of 2580	1196	OptionalFeatures.exe
PID 1196 wrote to memory of 2580	1196	OptionalFeatures.exe
PID 1196 wrote to memory of 2580	1196	OptionalFeatures.exe
PID 1196 wrote to memory of 2816	1196	fvenotify.exe
PID 1196 wrote to memory of 2816	1196	fvenotify.exe
PID 1196 wrote to memory of 2816	1196	fvenotify.exe
PID 1196 wrote to memory of 2628	1196	fvenotify.exe
PID 1196 wrote to memory of 2628	1196	fvenotify.exe
PID 1196 wrote to memory of 2628	1196	fvenotify.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\873e68ab6613d1167288b61d0c678ffb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2328

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:2688

C:\Users\Admin\AppData\Local\hwTDnx2t5\vmicsvc.exe
C:\Users\Admin\AppData\Local\hwTDnx2t5\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2616

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:2968

C:\Users\Admin\AppData\Local\DYBus\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\DYBus\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2580

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:2816

C:\Users\Admin\AppData\Local\GxDfrz\fvenotify.exe
C:\Users\Admin\AppData\Local\GxDfrz\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2628

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DYBus\appwiz.cpl
Filesize
988KB

MD5
37012a7fa00379533b8e43ab54e21083

SHA1
db520b77347f7192babb6f0042b5f7ba7dbcceab

SHA256
ee87879fb0228714af320dafa8e36166cfe097f6c82dfe59c9bc9d89f2346546

SHA512
7ee034a8c3a3d27cb93feba2a64f79dcbd81d76db0ae3b900350a1503faded510664cb0396223ae612c86c1c6533da2d5ea35eb9f6239149f9eafe934c23d927

Download Submit
C:\Users\Admin\AppData\Local\GxDfrz\slc.dll
Filesize
989KB

MD5
47cee31f1db5796e144c5cd8f2652cb6

SHA1
75d2acb9cbab6a22066a05c09e68cd84f9062fd9

SHA256
051284bf7452968bbd77ca2d0798ef8615bdd86b5a4238c2e4fbc443864bd4fe

SHA512
5da432f952105365329615d2b3cb48b283230c1600834b929e82805ca0ad26680c71e341fe52ba352ee1e33cfb69a911a1232589b30d4e6e749cb4ea66a073a5

Download Submit
C:\Users\Admin\AppData\Local\hwTDnx2t5\ACTIVEDS.dll
Filesize
989KB

MD5
9117d7d31516acee0bcb317eacb691bf

SHA1
a74dfda05dd2b3b16570521b80df70cd82d5a333

SHA256
c6dfc81a6ec7f00d7fe22e2b503aff3f36b119813872c30f8f30ddfdf11efc04

SHA512
a5ee5086597968dacec40f87ba53f0a87ff7a461348e266227f90be457019abe867c64647694ba60e25b941063a67ae66bfb75a80633807914d6981b03d96f94

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
Filesize
1KB

MD5
b529f92ddd05f624ce4bf9cd9fb9c871

SHA1
a1cb94f5e96229a953786512d20926aec33b95c7

SHA256
9adadb42595a38b4603ce1fbd23d5399ca783ba1c71e0780c8672b05d07d6d08

SHA512
c9d353d0462d734646fa1eb6c9741d9169ca36781fb5a00de0e26aab1112c9ebc189212bd2ed29e5732b6686d834f18f5ebf2a313e2fd0ea09d01154a510a3e6

Download Submit
\Users\Admin\AppData\Local\DYBus\OptionalFeatures.exe
Filesize
95KB

MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
\Users\Admin\AppData\Local\GxDfrz\fvenotify.exe
Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\hwTDnx2t5\vmicsvc.exe
Filesize
238KB

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
memory/1196-26-0x00000000774E0000-0x00000000774E2000-memory.dmp

Filesize
8KB

Download
memory/1196-24-0x0000000002D20000-0x0000000002D27000-memory.dmp

Filesize
28KB

Download
memory/1196-25-0x0000000077351000-0x0000000077352000-memory.dmp

Filesize
4KB

Download
memory/1196-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-4-0x0000000077146000-0x0000000077147000-memory.dmp

Filesize
4KB

Download
memory/1196-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-5-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/1196-73-0x0000000077146000-0x0000000077147000-memory.dmp

Filesize
4KB

Download
memory/1196-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2328-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2328-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2328-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2580-74-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2580-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2616-58-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2616-55-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2616-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2628-92-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2628-95-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads