dridex | 5e7128b9f307672c789131c566326f4321f8544d6107f68f85bc8b217728fff8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5074c49ab453feff2d948de6af25275_JaffaCakes118.dll
Size

1.2MB
MD5

a5074c49ab453feff2d948de6af25275
SHA1

099a358c3c87ff9a7cd4f236a31ffd3a2813ffdf
SHA256

5e7128b9f307672c789131c566326f4321f8544d6107f68f85bc8b217728fff8
SHA512

af7c7949656ac3d71b37a0c5810cfc22234a049a43446f5699a6ca21fb051cd6812783ddedd6fc2c034a3f1916365ee6a3d0b3a20b8105ff577d9b44e13ac02f
SSDEEP

24576:guYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NiO:w9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3384-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

msdt.exeiexpress.exedccw.exe

pid process

1764 msdt.exe
1476 iexpress.exe
748 dccw.exe
Loads dropped DLL 3 IoCs

Processes:

msdt.exeiexpress.exedccw.exe

pid process

1764 msdt.exe
1476 iexpress.exe
748 dccw.exe

resource	yara_rule
behavioral2/memory/3384-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp	dridex_stager_shellcode

pid	process
1764	msdt.exe
1476	iexpress.exe
748	dccw.exe

pid	process
1764	msdt.exe
1476	iexpress.exe
748	dccw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ehsiuzwuc = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\63z1\\iexpress.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msdt.exeiexpress.exedccw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
3428	regsvr32.exe
3428	regsvr32.exe
3428	regsvr32.exe
3428	regsvr32.exe
3428	regsvr32.exe
3428	regsvr32.exe
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3384

pid	process
3384

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3384 wrote to memory of 380	3384	msdt.exe
PID 3384 wrote to memory of 380	3384	msdt.exe
PID 3384 wrote to memory of 1764	3384	msdt.exe
PID 3384 wrote to memory of 1764	3384	msdt.exe
PID 3384 wrote to memory of 3992	3384	iexpress.exe
PID 3384 wrote to memory of 3992	3384	iexpress.exe
PID 3384 wrote to memory of 1476	3384	iexpress.exe
PID 3384 wrote to memory of 1476	3384	iexpress.exe
PID 3384 wrote to memory of 668	3384	dccw.exe
PID 3384 wrote to memory of 668	3384	dccw.exe
PID 3384 wrote to memory of 748	3384	dccw.exe
PID 3384 wrote to memory of 748	3384	dccw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a5074c49ab453feff2d948de6af25275_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3428

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:380

C:\Users\Admin\AppData\Local\9men\msdt.exe
C:\Users\Admin\AppData\Local\9men\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1764

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:3992

C:\Users\Admin\AppData\Local\tVphsJH\iexpress.exe
C:\Users\Admin\AppData\Local\tVphsJH\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1476

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:668

C:\Users\Admin\AppData\Local\YT0YPx\dccw.exe
C:\Users\Admin\AppData\Local\YT0YPx\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9men\UxTheme.dll
Filesize
1.2MB

MD5
5b97e3cd29d2ac8551cfaaadfa68e117

SHA1
aa590db6fdc08e191bcca5e2728a35c84c5622f5

SHA256
557b0d5ce5142f134d922b6e7b74749ff0dab18ff737677b5f8a87c326f4780b

SHA512
25cae06e9edc15974c5f26bef70ef03d13f44099ed7fdc85e3053fc15064166c82b62f0653b1755d862240b79dbdaf57f9530fa74ee2b69c3281e58f4a11d911

Download Submit
C:\Users\Admin\AppData\Local\9men\msdt.exe
Filesize
421KB

MD5
992c3f0cc8180f2f51156671e027ae75

SHA1
942ec8c2ccfcacd75a1cd86cbe8873aee5115e29

SHA256
6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f

SHA512
1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

Download Submit
C:\Users\Admin\AppData\Local\YT0YPx\dccw.exe
Filesize
101KB

MD5
cb9374911bf5237179785c739a322c0f

SHA1
3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

SHA256
f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

SHA512
9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

Download Submit
C:\Users\Admin\AppData\Local\YT0YPx\dxva2.dll
Filesize
1.2MB

MD5
d7be4118fae72fb8eb7a8c41105ca4b4

SHA1
edb456aa3f1ea651a85ec99261fa11294accd3b2

SHA256
4bf3e623b73ec11ac3ccb41c177ce3c384f293e67f9025928355debe63cda383

SHA512
7099eca67f592f523e1530c231c5276dc96b6bd21e2a8ffa840f09321e465f068beba0887b8b77971d354047e499938f3015a688837463f308f519fec03c619a

Download Submit
C:\Users\Admin\AppData\Local\tVphsJH\VERSION.dll
Filesize
1.2MB

MD5
7a726a6b0b3f3529977235106ce630de

SHA1
7053ec531743460a76a691c38bb7362a49b0c01d

SHA256
db55719bf8207d3e7d4c55c9055aa389dcb50f11e232cdfcd31370f6a5f45a11

SHA512
7760ee482f6f7f5860f29acd2bc9bfbc3a5f61c592a8dd634858f7264994c21cf1c31e601068eeed6f561ed79e80d68f0c3c5e87a85ccebce7f5e0083086dd8a

Download Submit
C:\Users\Admin\AppData\Local\tVphsJH\iexpress.exe
Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Jbphew.lnk
Filesize
1KB

MD5
ba28111bffe84ee306d6a72dbcf9665a

SHA1
66b92049feeba18088ac49b4d94539d6c36551eb

SHA256
932cd1b04d01f1a35326d31963463a76147d5fffb454ac8df723a8882870f10b

SHA512
e6ddad6afcdf776534c969afc312e1f5f19efc1ff52c463a9d7f164c86f9a44d45bedd35c3a8bb7d047e02a543956c1285ec57847eddc27cdeadac453b6b039e

Download Submit
memory/748-87-0x00007FFA02430000-0x00007FFA0256B000-memory.dmp

Filesize
1.2MB

Download
memory/1476-68-0x000001EA781A0000-0x000001EA781A7000-memory.dmp

Filesize
28KB

Download
memory/1476-71-0x00007FFA02430000-0x00007FFA0256B000-memory.dmp

Filesize
1.2MB

Download
memory/1764-54-0x00007FFA02430000-0x00007FFA0256B000-memory.dmp

Filesize
1.2MB

Download
memory/1764-49-0x00007FFA02430000-0x00007FFA0256B000-memory.dmp

Filesize
1.2MB

Download
memory/1764-48-0x00000250166A0000-0x00000250166A7000-memory.dmp

Filesize
28KB

Download
memory/3384-35-0x00007FFA0F9EA000-0x00007FFA0F9EB000-memory.dmp

Filesize
4KB

Download
memory/3384-15-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-10-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-9-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-8-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-7-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-6-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-38-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/3384-12-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-14-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-11-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-17-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-18-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-13-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-36-0x0000000000DF0000-0x0000000000DF7000-memory.dmp

Filesize
28KB

Download
memory/3384-37-0x00007FFA10AD0000-0x00007FFA10AE0000-memory.dmp

Filesize
64KB

Download
memory/3384-26-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3384-16-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3428-3-0x00000000011B0000-0x00000000011B7000-memory.dmp

Filesize
28KB

Download
memory/3428-41-0x00007FFA02430000-0x00007FFA0256A000-memory.dmp

Filesize
1.2MB

Download
memory/3428-1-0x00007FFA02430000-0x00007FFA0256A000-memory.dmp

Filesize
1.2MB

Download