dridex | 4f1f5e5b9f30d646997d0de0b5fd38fb7f4b9c877643621807910391d8466431

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8da680c2ec2b54a1a927e4e687cc44e_JaffaCakes118.dll
Size

1.2MB
MD5

b8da680c2ec2b54a1a927e4e687cc44e
SHA1

5ba391ec8c41655ebb76732dfe1b4bd470e34dc6
SHA256

4f1f5e5b9f30d646997d0de0b5fd38fb7f4b9c877643621807910391d8466431
SHA512

99925a5e56d137785c13126b2d75472cfaf7d271ea4f2d434c86544f555d208816bd97c9a2c58b2316b452cdf9bb29b695fbbc23af0ae2e56b98f38fbb37e22d
SSDEEP

24576:duYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:39cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1284-5-0x00000000029D0000-0x00000000029D1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

wscript.exedccw.exeisoburn.exe

pid process

2452 wscript.exe
772 dccw.exe
2876 isoburn.exe
Loads dropped DLL 8 IoCs

Processes:

wscript.exedccw.exeisoburn.exe

pid process

1284
1284
2452 wscript.exe
1284
772 dccw.exe
1284
2876 isoburn.exe
1284

resource	yara_rule
behavioral1/memory/1284-5-0x00000000029D0000-0x00000000029D1000-memory.dmp	dridex_stager_shellcode

pid	process
2452	wscript.exe
772	dccw.exe
2876	isoburn.exe

pid	process
1284
1284
2452	wscript.exe
1284
772	dccw.exe
1284
2876	isoburn.exe
1284

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gqwtkfbnxxlbs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\lMbf3\\dccw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dccw.exeisoburn.exerundll32.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1284 wrote to memory of 1524	1284	wscript.exe
PID 1284 wrote to memory of 1524	1284	wscript.exe
PID 1284 wrote to memory of 1524	1284	wscript.exe
PID 1284 wrote to memory of 2452	1284	wscript.exe
PID 1284 wrote to memory of 2452	1284	wscript.exe
PID 1284 wrote to memory of 2452	1284	wscript.exe
PID 1284 wrote to memory of 580	1284	dccw.exe
PID 1284 wrote to memory of 580	1284	dccw.exe
PID 1284 wrote to memory of 580	1284	dccw.exe
PID 1284 wrote to memory of 772	1284	dccw.exe
PID 1284 wrote to memory of 772	1284	dccw.exe
PID 1284 wrote to memory of 772	1284	dccw.exe
PID 1284 wrote to memory of 2852	1284	isoburn.exe
PID 1284 wrote to memory of 2852	1284	isoburn.exe
PID 1284 wrote to memory of 2852	1284	isoburn.exe
PID 1284 wrote to memory of 2876	1284	isoburn.exe
PID 1284 wrote to memory of 2876	1284	isoburn.exe
PID 1284 wrote to memory of 2876	1284	isoburn.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8da680c2ec2b54a1a927e4e687cc44e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:1524

C:\Users\Admin\AppData\Local\LLCjlf\wscript.exe
C:\Users\Admin\AppData\Local\LLCjlf\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2452

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:580

C:\Users\Admin\AppData\Local\r5e\dccw.exe
C:\Users\Admin\AppData\Local\r5e\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:772

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:2852

C:\Users\Admin\AppData\Local\vd8U\isoburn.exe
C:\Users\Admin\AppData\Local\vd8U\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2876

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LLCjlf\VERSION.dll
Filesize
1.2MB

MD5
e03788e945755c97d8214f368ffe0afe

SHA1
236da0d33c7a55a8f4e4c2469fe0f572b5739ccc

SHA256
13506050c32150bc65679e089b7f364773c5dd00fea69d587187fd37be7c35fa

SHA512
7b5b95325e503e107dcef467ce561c465d95317ecadf41bdd7bf76fb82e49808fe3b0ed7a3097bb7c4c5d6ea40a148bdbbcb0867cdbc8a378d2cb7088379297f

Download Submit
C:\Users\Admin\AppData\Local\r5e\dxva2.dll
Filesize
1.2MB

MD5
f9ef210e5503674c867371da1dde0104

SHA1
1f31c4f59da27a568fd6c96e59fd6166628f3d6d

SHA256
70b5c2c95bf08136ce1b9dd047d2cf2e1e0c4d3a1682c7fdce114a9b361a2248

SHA512
f8a58961a9e2633edb71624d87255fdb3242bf414a86091e75af58916b11349ecc88505a21941205532b96f649705574971d571a302c9d41f73f5094b41066da

Download Submit
C:\Users\Admin\AppData\Local\vd8U\UxTheme.dll
Filesize
1.2MB

MD5
384bb95dc6e053646389ea666ed4fe67

SHA1
45c0cbb39dd9481d4b456efc289a4db4d31b6acf

SHA256
72b93f7041b568473f246fbc8c5966ca9b289af5569671be1fc4227bf9d80056

SHA512
672b717d7ce1165623d5d519e393a7f543dfe0abbb8365f2124e728ff506424382a7a6e8defec201d4d0018a97264e9e9e0e12090b75aa33e673a47b13e90cf0

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Egmip.lnk
Filesize
1KB

MD5
77fa265923e59898909d3122f780c327

SHA1
056539b0586c573f5af12adf407be29a30cf2ffc

SHA256
6eba3a8cab93baf696ad07ebf47ad675228b09ca03273870e9fd8eba09415784

SHA512
725a9f3dc164c21ced403a796dfbc118529e389ede0f1cbf10378fd09aa1737c0efd7fda9e8cf8b11ec717a918c9f01fdd4a44d1dbd951f13b4ecadcf9e54378

Download Submit
\Users\Admin\AppData\Local\LLCjlf\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\r5e\dccw.exe
Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
\Users\Admin\AppData\Local\vd8U\isoburn.exe
Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
memory/772-85-0x000007FEF5E60000-0x000007FEF5FA2000-memory.dmp

Filesize
1.3MB

Download
memory/772-80-0x000007FEF5E60000-0x000007FEF5FA2000-memory.dmp

Filesize
1.3MB

Download
memory/772-79-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1284-28-0x0000000076FD1000-0x0000000076FD2000-memory.dmp

Filesize
4KB

Download
memory/1284-38-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-13-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-11-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-10-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-9-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-29-0x0000000077160000-0x0000000077162000-memory.dmp

Filesize
8KB

Download
memory/1284-14-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-26-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-39-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-8-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-4-0x0000000076DC6000-0x0000000076DC7000-memory.dmp

Filesize
4KB

Download
memory/1284-16-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-17-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-5-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1284-7-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-15-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-71-0x0000000076DC6000-0x0000000076DC7000-memory.dmp

Filesize
4KB

Download
memory/1284-18-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1284-27-0x00000000029E0000-0x00000000029E7000-memory.dmp

Filesize
28KB

Download
memory/2000-0-0x000007FEF5E60000-0x000007FEF5FA1000-memory.dmp

Filesize
1.3MB

Download
memory/2000-47-0x000007FEF5E60000-0x000007FEF5FA1000-memory.dmp

Filesize
1.3MB

Download
memory/2000-3-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2452-64-0x000007FEF66B0000-0x000007FEF67F2000-memory.dmp

Filesize
1.3MB

Download
memory/2452-59-0x000007FEF66B0000-0x000007FEF67F2000-memory.dmp

Filesize
1.3MB

Download
memory/2452-58-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/2876-97-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/2876-103-0x000007FEF5E60000-0x000007FEF5FA2000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads