dridex | 6fb6d58a0d0e3b321319b4fed22048e320e7cdab695bd673c1162bb14e94a960

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a20a9ea0f069c29005b8e3b222b43f4a_JaffaCakes118.dll
Size

986KB
MD5

a20a9ea0f069c29005b8e3b222b43f4a
SHA1

94b161727a86e53b73b5886af2653912f4a65907
SHA256

6fb6d58a0d0e3b321319b4fed22048e320e7cdab695bd673c1162bb14e94a960
SHA512

7b9ab0b25f6dde226a950bf4e0ac38d18b7686283bf40dd0c175e29e91571f76cf937612988ff12ab28e75badd69f133bf3f8a1456d2a63c34c267f0b074b9d9
SSDEEP

24576:CVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:CV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1268-5-0x0000000002190000-0x0000000002191000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

winlogon.exesdclt.exelpksetup.exe

pid process

2588 winlogon.exe
588 sdclt.exe
2804 lpksetup.exe
Loads dropped DLL 7 IoCs

Processes:

winlogon.exesdclt.exelpksetup.exe

pid process

1268
2588 winlogon.exe
1268
588 sdclt.exe
1268
2804 lpksetup.exe
1268

resource	yara_rule
behavioral1/memory/1268-5-0x0000000002190000-0x0000000002191000-memory.dmp	dridex_stager_shellcode

pid	process
2588	winlogon.exe
588	sdclt.exe
2804	lpksetup.exe

pid	process
1268
2588	winlogon.exe
1268
588	sdclt.exe
1268
2804	lpksetup.exe
1268

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gqwtkfbnxxlbs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\E8B1Xpe7EW\\sdclt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sdclt.exelpksetup.exerundll32.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1200	rundll32.exe
1200	rundll32.exe
1200	rundll32.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1268 wrote to memory of 2644	1268	winlogon.exe
PID 1268 wrote to memory of 2644	1268	winlogon.exe
PID 1268 wrote to memory of 2644	1268	winlogon.exe
PID 1268 wrote to memory of 2588	1268	winlogon.exe
PID 1268 wrote to memory of 2588	1268	winlogon.exe
PID 1268 wrote to memory of 2588	1268	winlogon.exe
PID 1268 wrote to memory of 1804	1268	sdclt.exe
PID 1268 wrote to memory of 1804	1268	sdclt.exe
PID 1268 wrote to memory of 1804	1268	sdclt.exe
PID 1268 wrote to memory of 588	1268	sdclt.exe
PID 1268 wrote to memory of 588	1268	sdclt.exe
PID 1268 wrote to memory of 588	1268	sdclt.exe
PID 1268 wrote to memory of 1664	1268	lpksetup.exe
PID 1268 wrote to memory of 1664	1268	lpksetup.exe
PID 1268 wrote to memory of 1664	1268	lpksetup.exe
PID 1268 wrote to memory of 2804	1268	lpksetup.exe
PID 1268 wrote to memory of 2804	1268	lpksetup.exe
PID 1268 wrote to memory of 2804	1268	lpksetup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a20a9ea0f069c29005b8e3b222b43f4a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1200

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:2644

C:\Users\Admin\AppData\Local\3rQFchl\winlogon.exe
C:\Users\Admin\AppData\Local\3rQFchl\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2588

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:1804

C:\Users\Admin\AppData\Local\bqYim2\sdclt.exe
C:\Users\Admin\AppData\Local\bqYim2\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:588

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:1664

C:\Users\Admin\AppData\Local\xfpSKYP1S\lpksetup.exe
C:\Users\Admin\AppData\Local\xfpSKYP1S\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2804

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3rQFchl\winlogon.exe
Filesize
381KB

MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
C:\Users\Admin\AppData\Local\xfpSKYP1S\slc.dll
Filesize
987KB

MD5
9bdbe8310cc0cd89c904f203f3f6a0b3

SHA1
4f97af8cfcd76965bf6b27ea8aa20fe1c0eb77cb

SHA256
f6cba8ce9827eb593699a1fea1bdabb3dadd664f5c1869f3653360f21ba42cf9

SHA512
7920e49fefad3b1daeccadbea0fcdee62cb070c3b75f1bac302c01ebe89d3f4ad78c94c7aa00c2b8a4d2f5b860bb3e5eff483decc5a08837c9353dab7e5f9e50

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Egmip.lnk
Filesize
1005B

MD5
6cb8cff0a51b9ad7188979acde3f7349

SHA1
3a44945e9e8d5f894cb5f112e724b1b412f78805

SHA256
7537e39f6177dc5c4d63a234162173273fa9ae0875553c26d29642ece2efe547

SHA512
775e09eefc0401f6b2fef404cddb888f9146139cb014de444af584cf34ebc2136d12d57c09deb2bcacb98dc7b657abf16d18ffe5ebc2f348c7b51fab0db68023

Download Submit
\Users\Admin\AppData\Local\3rQFchl\WINSTA.dll
Filesize
991KB

MD5
49ace43f14352c10e075939dcb9f1e55

SHA1
a40640c7d8bcad131e5d4c196bf45b481d1cdbee

SHA256
516edc756143fe05e008e8350e83210355ab6deaa76e324aa7f8e6652d90b7bd

SHA512
f9513c5fa070162e74b79de0c4bfe63302aa3fb344262bdaa58fd8ec70fda9b0f85b181b8b238e56b2376edbb2ba31f6dd70334afc838b40449a0ee028584b91

Download Submit
\Users\Admin\AppData\Local\bqYim2\sdclt.exe
Filesize
1.2MB

MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
\Users\Admin\AppData\Local\bqYim2\slc.dll
Filesize
987KB

MD5
d900217c147446cd999d8632d89b1908

SHA1
bae124d5f9c264109b2c8ed1d7c270d579e9dce3

SHA256
c0a961526337c6ed1ea2bfa324bc7c599d2c2117c6818044fdf167929b879cf8

SHA512
b80bc5d78dfc40c647687a1ef796c4d5df0019722893e73016df0df6b7d633494c395686afe71764d7aaf8f2a8f3119019d89d2e5af6558397fb986c6246baad

Download Submit
\Users\Admin\AppData\Local\xfpSKYP1S\lpksetup.exe
Filesize
638KB

MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
memory/588-74-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/588-79-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/588-77-0x00000000FFB60000-0x00000000FFC9A000-memory.dmp

Filesize
1.2MB

Download
memory/588-72-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/1200-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1200-0-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1268-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1268-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1268-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1268-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1268-26-0x00000000775D0000-0x00000000775D2000-memory.dmp

Filesize
8KB

Download
memory/1268-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1268-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1268-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1268-71-0x0000000077336000-0x0000000077337000-memory.dmp

Filesize
4KB

Download
memory/1268-4-0x0000000077336000-0x0000000077337000-memory.dmp

Filesize
4KB

Download
memory/1268-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1268-25-0x0000000077441000-0x0000000077442000-memory.dmp

Filesize
4KB

Download
memory/1268-5-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/1268-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1268-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1268-24-0x0000000002170000-0x0000000002177000-memory.dmp

Filesize
28KB

Download
memory/1268-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2588-52-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2588-57-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2588-55-0x0000000000500000-0x0000000000507000-memory.dmp

Filesize
28KB

Download
memory/2804-91-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2804-97-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads