dridex | 5e7128b9f307672c789131c566326f4321f8544d6107f68f85bc8b217728fff8

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5074c49ab453feff2d948de6af25275_JaffaCakes118.dll
Size

1.2MB
MD5

a5074c49ab453feff2d948de6af25275
SHA1

099a358c3c87ff9a7cd4f236a31ffd3a2813ffdf
SHA256

5e7128b9f307672c789131c566326f4321f8544d6107f68f85bc8b217728fff8
SHA512

af7c7949656ac3d71b37a0c5810cfc22234a049a43446f5699a6ca21fb051cd6812783ddedd6fc2c034a3f1916365ee6a3d0b3a20b8105ff577d9b44e13ac02f
SSDEEP

24576:guYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NiO:w9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1216-5-0x0000000002970000-0x0000000002971000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

lpksetup.exeSystemPropertiesHardware.execttune.exe

pid process

2548 lpksetup.exe
520 SystemPropertiesHardware.exe
2828 cttune.exe
Loads dropped DLL 7 IoCs

Processes:

lpksetup.exeSystemPropertiesHardware.execttune.exe

pid process

1216
2548 lpksetup.exe
1216
520 SystemPropertiesHardware.exe
1216
2828 cttune.exe
1216

resource	yara_rule
behavioral1/memory/1216-5-0x0000000002970000-0x0000000002971000-memory.dmp	dridex_stager_shellcode

pid	process
2548	lpksetup.exe
520	SystemPropertiesHardware.exe
2828	cttune.exe

pid	process
1216
2548	lpksetup.exe
1216
520	SystemPropertiesHardware.exe
1216
2828	cttune.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gqwtkfbnxxlbs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\BaFEQ\\SystemPropertiesHardware.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesHardware.execttune.exelpksetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2852	regsvr32.exe
2852	regsvr32.exe
2852	regsvr32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1216 wrote to memory of 2480	1216	lpksetup.exe
PID 1216 wrote to memory of 2480	1216	lpksetup.exe
PID 1216 wrote to memory of 2480	1216	lpksetup.exe
PID 1216 wrote to memory of 2548	1216	lpksetup.exe
PID 1216 wrote to memory of 2548	1216	lpksetup.exe
PID 1216 wrote to memory of 2548	1216	lpksetup.exe
PID 1216 wrote to memory of 580	1216	SystemPropertiesHardware.exe
PID 1216 wrote to memory of 580	1216	SystemPropertiesHardware.exe
PID 1216 wrote to memory of 580	1216	SystemPropertiesHardware.exe
PID 1216 wrote to memory of 520	1216	SystemPropertiesHardware.exe
PID 1216 wrote to memory of 520	1216	SystemPropertiesHardware.exe
PID 1216 wrote to memory of 520	1216	SystemPropertiesHardware.exe
PID 1216 wrote to memory of 2856	1216	cttune.exe
PID 1216 wrote to memory of 2856	1216	cttune.exe
PID 1216 wrote to memory of 2856	1216	cttune.exe
PID 1216 wrote to memory of 2828	1216	cttune.exe
PID 1216 wrote to memory of 2828	1216	cttune.exe
PID 1216 wrote to memory of 2828	1216	cttune.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a5074c49ab453feff2d948de6af25275_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2852

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:2480

C:\Users\Admin\AppData\Local\3Xf\lpksetup.exe
C:\Users\Admin\AppData\Local\3Xf\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2548

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:580

C:\Users\Admin\AppData\Local\CVchcwK0\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\CVchcwK0\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:520

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2856

C:\Users\Admin\AppData\Local\ZekEIVqHC\cttune.exe
C:\Users\Admin\AppData\Local\ZekEIVqHC\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2828

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3Xf\lpksetup.exe
Filesize
638KB

MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
C:\Users\Admin\AppData\Local\3Xf\slc.dll
Filesize
1.2MB

MD5
1891df1b6a4bbdb9eae315ab295e43b5

SHA1
53481dfc956f1b9bd73ea286c6ae50f29c8cb646

SHA256
52d7b164020c7690c022f3c368189fcaacb1413ba65019526f05dff8fbe1b38a

SHA512
aa83ed0d18237b33ebe3218db732a1fbb78fe305d0441ea6a96912fdad13ccc7ae77fcdef7d15e4504b0a018f84a8d4d2e6eb246c9d6db3cb3bf423f595c6cc9

Download Submit
C:\Users\Admin\AppData\Local\CVchcwK0\SYSDM.CPL
Filesize
1.2MB

MD5
a7c2cf8f6599a8aecf731ec86f56d561

SHA1
565a18513e522c2bd9edee00dca791a23d14811d

SHA256
78ca99ffb7a5a934f6708e9c7a0b31f4a38c7ef97f0fa769ba2f52c303b6cb6b

SHA512
75519ed3c5f9015425be41782e4e3f50188f61394d13eaf6d2eb2d176d380dc26335b18c2e628c3b12facf1d1a2ba945a761b8f646f4fa0814d6286fa8a9663b

Download Submit
C:\Users\Admin\AppData\Local\CVchcwK0\SystemPropertiesHardware.exe
Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
C:\Users\Admin\AppData\Local\ZekEIVqHC\OLEACC.dll
Filesize
1.2MB

MD5
5995f41faf5c3d46c7b992794619462b

SHA1
227386c64520ae8156ce15b60b0325bcb15d5ac8

SHA256
f2b849daf2e034820e772d5ffbf8ece01e111598be230f814860de0fa0d9ab2c

SHA512
61cf3be1c77ff3a9a341f08860b4b00b492456c73a9789a2d978000befd1d5a95984782733e1fa90a43451e720b932adf7cd66d041d8740907f869fd1eda3584

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Egmip.lnk
Filesize
1KB

MD5
ec072aaaf0308165eec1217f8daac1bc

SHA1
062fa10db1c78376907f73107093bfbeec74c0dc

SHA256
5982d0373eb510fd06bd5b8f7da333397a53e5d81e97ddf9abf7c26d2a72bdb5

SHA512
b54d2e1739a46a5586fa6ee41caafa3b194dafefe386810d2540af2082841e175627ad5c3e324635ba1e67bc52f73017e21e1d8d6993ac6c98ae0f55628da981

Download Submit
\Users\Admin\AppData\Local\ZekEIVqHC\cttune.exe
Filesize
314KB

MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
memory/520-77-0x000007FEF67E0000-0x000007FEF691B000-memory.dmp

Filesize
1.2MB

Download
memory/520-71-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/520-72-0x000007FEF67E0000-0x000007FEF691B000-memory.dmp

Filesize
1.2MB

Download
memory/1216-18-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-19-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-16-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-15-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-14-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-13-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-12-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-11-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-10-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-9-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-8-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-4-0x00000000776F6000-0x00000000776F7000-memory.dmp

Filesize
4KB

Download
memory/1216-37-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-36-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-5-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1216-17-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-7-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-32-0x0000000077A90000-0x0000000077A92000-memory.dmp

Filesize
8KB

Download
memory/1216-31-0x0000000077901000-0x0000000077902000-memory.dmp

Filesize
4KB

Download
memory/1216-63-0x00000000776F6000-0x00000000776F7000-memory.dmp

Filesize
4KB

Download
memory/1216-27-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1216-28-0x0000000002950000-0x0000000002957000-memory.dmp

Filesize
28KB

Download
memory/2548-58-0x000007FEF6F60000-0x000007FEF709B000-memory.dmp

Filesize
1.2MB

Download
memory/2548-53-0x000007FEF6F60000-0x000007FEF709B000-memory.dmp

Filesize
1.2MB

Download
memory/2548-52-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2828-89-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2828-95-0x000007FEF67E0000-0x000007FEF691B000-memory.dmp

Filesize
1.2MB

Download
memory/2852-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2852-33-0x000007FEF6F60000-0x000007FEF709A000-memory.dmp

Filesize
1.2MB

Download
memory/2852-1-0x000007FEF6F60000-0x000007FEF709A000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads