dridex | 853e9859d31b351e3aa4d945f86649537f80d6f9eb5db5389d5e14fe96133ff8

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e9f9da05dd2ec3af6e062a95b717291_JaffaCakes118.dll
Size

1.2MB
MD5

8e9f9da05dd2ec3af6e062a95b717291
SHA1

aa8f45c4f03a62d34bdeaba4e592da0ba794b443
SHA256

853e9859d31b351e3aa4d945f86649537f80d6f9eb5db5389d5e14fe96133ff8
SHA512

215faa588cdab93807a396c4521cc23068df128000c2c2d953638e39eeed79d085fba3ea46da136680513ee5907b4cd230f0fbe70840aded2d0578cca6eac674
SSDEEP

24576:XyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:XyWRKTt/QlPVp3h9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1204-5-0x0000000003030000-0x0000000003031000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

SoundRecorder.exexpsrchvw.exevmicsvc.exe

pid process

2700 SoundRecorder.exe
2172 xpsrchvw.exe
1964 vmicsvc.exe
Loads dropped DLL 7 IoCs

Processes:

SoundRecorder.exexpsrchvw.exevmicsvc.exe

pid process

1204
2700 SoundRecorder.exe
1204
2172 xpsrchvw.exe
1204
1964 vmicsvc.exe
1204

resource	yara_rule
behavioral1/memory/1204-5-0x0000000003030000-0x0000000003031000-memory.dmp	dridex_stager_shellcode

pid	process
2700	SoundRecorder.exe
2172	xpsrchvw.exe
1964	vmicsvc.exe

pid	process
1204
2700	SoundRecorder.exe
1204
2172	xpsrchvw.exe
1204
1964	vmicsvc.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aknlhzir = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\GDJD4pr\\xpsrchvw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SoundRecorder.exexpsrchvw.exevmicsvc.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoundRecorder.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2580	1204	SoundRecorder.exe
PID 1204 wrote to memory of 2580	1204	SoundRecorder.exe
PID 1204 wrote to memory of 2580	1204	SoundRecorder.exe
PID 1204 wrote to memory of 2700	1204	SoundRecorder.exe
PID 1204 wrote to memory of 2700	1204	SoundRecorder.exe
PID 1204 wrote to memory of 2700	1204	SoundRecorder.exe
PID 1204 wrote to memory of 1276	1204	xpsrchvw.exe
PID 1204 wrote to memory of 1276	1204	xpsrchvw.exe
PID 1204 wrote to memory of 1276	1204	xpsrchvw.exe
PID 1204 wrote to memory of 2172	1204	xpsrchvw.exe
PID 1204 wrote to memory of 2172	1204	xpsrchvw.exe
PID 1204 wrote to memory of 2172	1204	xpsrchvw.exe
PID 1204 wrote to memory of 812	1204	vmicsvc.exe
PID 1204 wrote to memory of 812	1204	vmicsvc.exe
PID 1204 wrote to memory of 812	1204	vmicsvc.exe
PID 1204 wrote to memory of 1964	1204	vmicsvc.exe
PID 1204 wrote to memory of 1964	1204	vmicsvc.exe
PID 1204 wrote to memory of 1964	1204	vmicsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e9f9da05dd2ec3af6e062a95b717291_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
1⤵
PID:2580

C:\Users\Admin\AppData\Local\VH98btt5\SoundRecorder.exe
C:\Users\Admin\AppData\Local\VH98btt5\SoundRecorder.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2700

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:1276

C:\Users\Admin\AppData\Local\1oBDn41Su\xpsrchvw.exe
C:\Users\Admin\AppData\Local\1oBDn41Su\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2172

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:812

C:\Users\Admin\AppData\Local\S71Q\vmicsvc.exe
C:\Users\Admin\AppData\Local\S71Q\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1964

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1oBDn41Su\WINMM.dll
Filesize
1.2MB

MD5
3e2cd2851c536e832138b8ea369e14cd

SHA1
22b064ae68ffe7cb4b674754cc57b2f09b1e4d9f

SHA256
471599f678678bbb29cade38c26e3e60df69cd9b1162dde404966a3dddfd7d75

SHA512
be67a5bfebf854080bf2f7355983324e430ba7e1afceee70666cbcb05c621e38884baf674c355601515c9ba693bef343b80e07dff5115fd8a2b8610089276661

Download Submit
C:\Users\Admin\AppData\Local\S71Q\ACTIVEDS.dll
Filesize
1.2MB

MD5
bfdda244f9d59003f1f10577be8e5ad6

SHA1
31b2fae0a762e2cc418a1e255aa0477be03fad5b

SHA256
3e66d128815ac3ce96b0676f42195af410ade0df583c1af17c34395d9c00bfa1

SHA512
1cd814cb09bcf24ecb84f9076bdec88bf629cd3308d235e71a08ef8c7f94757b299dbc9927d3933196d449ea893b5829d6be46f5dbbea84b88cddc29ea301e88

Download Submit
C:\Users\Admin\AppData\Local\VH98btt5\UxTheme.dll
Filesize
1.2MB

MD5
899f504e1df6b3a295f09b57d82a5697

SHA1
504f894d2fdadc706970ac23900f5f41a9deeed6

SHA256
d7240b017b35c9eed997ef90287740d222288334756f7dbab83dca56a8a7f2e5

SHA512
9cd47ee6084f0c1c655c7b6f2ab44333b37136ae58e330fff027b0cccce8e256d3afff5fcdfa302d819fa08864adce60ce0a29d4913fb80f7cfe626259377b66

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qscjinkjzo.lnk
Filesize
1KB

MD5
72a6657aa4f2761a6beab7159e7f6d2e

SHA1
fae988b34f769573df7cb196daff32ec4b855c8a

SHA256
256fb8d929e3ffd3f614d11bcc044c3523fff9626d63bcb273df879f7132667f

SHA512
90d03dbfa41f2bd38af19280c0edefaade304ad715bea5a26448b8f38cba6692a23366cef7e59358b7d391b43aea58af6c553ce077b6f60f5650dc4d0b926895

Download Submit
\Users\Admin\AppData\Local\1oBDn41Su\xpsrchvw.exe
Filesize
4.6MB

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
\Users\Admin\AppData\Local\S71Q\vmicsvc.exe
Filesize
238KB

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
\Users\Admin\AppData\Local\VH98btt5\SoundRecorder.exe
Filesize
139KB

MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
memory/1204-26-0x0000000002FE0000-0x0000000002FE7000-memory.dmp

Filesize
28KB

Download
memory/1204-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1204-4-0x00000000776D6000-0x00000000776D7000-memory.dmp

Filesize
4KB

Download
memory/1204-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1204-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1204-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1204-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1204-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1204-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1204-30-0x0000000077A70000-0x0000000077A72000-memory.dmp

Filesize
8KB

Download
memory/1204-29-0x00000000778E1000-0x00000000778E2000-memory.dmp

Filesize
4KB

Download
memory/1204-39-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1204-37-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1204-5-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/1204-25-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1204-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1204-72-0x00000000776D6000-0x00000000776D7000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1204-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1964-94-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2172-73-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2172-74-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2172-78-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2700-60-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2700-55-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2700-54-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2984-46-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2984-0-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2984-3-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads