dridex | b35d422e788bddf8d9913a8ed346648a30819936ce48b91e79cc1499b7e4cda4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f110415e99bf9b3e5ea5fd55627636a5_JaffaCakes118.dll
Size

2.6MB
MD5

f110415e99bf9b3e5ea5fd55627636a5
SHA1

168999d2cbe268fd55c831e38e056a53fd0b07fd
SHA256

b35d422e788bddf8d9913a8ed346648a30819936ce48b91e79cc1499b7e4cda4
SHA512

630f0b19cf1624931d89c3ee579df51d3c8179762b476b1bfbeec5caee0b978be5ee155c0f72758e5ce6b7a72b87e0d436518d44db6db9358720990a08ad2515
SSDEEP

12288:eVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:DfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3484-5-0x0000000002540000-0x0000000002541000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpshell.exeDxpserver.exequickassist.exe

pid process

4024 rdpshell.exe
2640 Dxpserver.exe
3516 quickassist.exe
Loads dropped DLL 3 IoCs

Processes:

rdpshell.exeDxpserver.exequickassist.exe

pid process

4024 rdpshell.exe
2640 Dxpserver.exe
3516 quickassist.exe

pid	process
4024	rdpshell.exe
2640	Dxpserver.exe
3516	quickassist.exe

pid	process
4024	rdpshell.exe
2640	Dxpserver.exe
3516	quickassist.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qowsdhwqvbww = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\xI4njP\\Dxpserver.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpshell.exeDxpserver.exequickassist.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	quickassist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4692	rundll32.exe
4692	rundll32.exe
4692	rundll32.exe
4692	rundll32.exe
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3484 wrote to memory of 64	3484	rdpshell.exe
PID 3484 wrote to memory of 64	3484	rdpshell.exe
PID 3484 wrote to memory of 4024	3484	rdpshell.exe
PID 3484 wrote to memory of 4024	3484	rdpshell.exe
PID 3484 wrote to memory of 4076	3484	Dxpserver.exe
PID 3484 wrote to memory of 4076	3484	Dxpserver.exe
PID 3484 wrote to memory of 2640	3484	Dxpserver.exe
PID 3484 wrote to memory of 2640	3484	Dxpserver.exe
PID 3484 wrote to memory of 4932	3484	quickassist.exe
PID 3484 wrote to memory of 4932	3484	quickassist.exe
PID 3484 wrote to memory of 3516	3484	quickassist.exe
PID 3484 wrote to memory of 3516	3484	quickassist.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f110415e99bf9b3e5ea5fd55627636a5_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4692

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:64

C:\Users\Admin\AppData\Local\HYfhayh22\rdpshell.exe
C:\Users\Admin\AppData\Local\HYfhayh22\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4024

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:4076

C:\Users\Admin\AppData\Local\BplW1GPp\Dxpserver.exe
C:\Users\Admin\AppData\Local\BplW1GPp\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2640

C:\Windows\system32\quickassist.exe
C:\Windows\system32\quickassist.exe
1⤵
PID:4932

C:\Users\Admin\AppData\Local\urkudW6Bv\quickassist.exe
C:\Users\Admin\AppData\Local\urkudW6Bv\quickassist.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BplW1GPp\Dxpserver.exe
Filesize
310KB

MD5
6344f1a7d50da5732c960e243c672165

SHA1
b6d0236f79d4f988640a8445a5647aff5b5410f7

SHA256
b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

SHA512
73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

Download Submit
C:\Users\Admin\AppData\Local\BplW1GPp\XmlLite.dll
Filesize
2.7MB

MD5
76f7569fe82c61193d2356dc76cf098b

SHA1
6e91663c83c018353de6ca6a1abed609276aec9e

SHA256
159b8c9f558bdbfc86372f83d92e496203afdadad206a414ff07f50629b9de39

SHA512
f3644ddffe682b49496b66c38264dc24c5e797aada2adaf0b1a04ea32d3187c19a33938ad76a20b27bd4833b3d6bf1e8c7bdb299ef7567025598fc782b1248be

Download Submit
C:\Users\Admin\AppData\Local\HYfhayh22\WTSAPI32.dll
Filesize
2.7MB

MD5
136ec821e7dd891b7ee117efe97f5db9

SHA1
e104058762ddcef34682fe99032b8e324e171905

SHA256
c7deeef62daedff4cf2cb5b3f3cbb912dbddf4822ee6ac55ec9a43ddfa416671

SHA512
0eedb62d7597a3ad9998eee2cbd5e39a7acae660aa60dca15ccc21556c813bec150586b900fad96c64ee81c14ca9c4e9691f26df334fc5b3f20d44a133e8c106

Download Submit
C:\Users\Admin\AppData\Local\HYfhayh22\rdpshell.exe
Filesize
468KB

MD5
428066713f225bb8431340fa670671d4

SHA1
47f6878ff33317c3fc09c494df729a463bda174c

SHA256
da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

SHA512
292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

Download Submit
C:\Users\Admin\AppData\Local\urkudW6Bv\UxTheme.dll
Filesize
2.7MB

MD5
d532f477b945df5a9b6b847a0d1c25e8

SHA1
a8ff806d53babb2ad75010d071b673f724e39899

SHA256
0e4c934315e3c285e8c0de16037a1d68945dddeb8db4bb617c1fa50f4ea849ef

SHA512
6e118293de6d7d7795579bf99780cfa1a037a6320b46b3443ce45c33ee6ee7383dfa2d611a87312494c90b1f22544d1c9de7000699de48bf45d5cc15c6171dc1

Download Submit
C:\Users\Admin\AppData\Local\urkudW6Bv\quickassist.exe
Filesize
665KB

MD5
d1216f9b9a64fd943539cc2b0ddfa439

SHA1
6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

SHA256
c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

SHA512
c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fhpbstajjyb.lnk
Filesize
1KB

MD5
34ba2c7fdf303fe9ca6883b6b42e0aad

SHA1
3a038334946f35db99b8c04bb80aef5a9e4dd193

SHA256
04f20ab2b0cb001ff3dd31e2db2b3e7872ed8fbb69aecd24533587e489798367

SHA512
27f30c63ddddfbbd2cc81a2dc56d986edd91f45d1f25e444edda947d76d1c1c92651a05ca5841544b27bdf4e2a8fb8e5fc332566db4b1c2d2c821bb5f1305777

Download Submit
memory/2640-121-0x0000000140000000-0x00000001402A7000-memory.dmp

Filesize
2.7MB

Download
memory/2640-117-0x00000249E6B30000-0x00000249E6B37000-memory.dmp

Filesize
28KB

Download
memory/2640-115-0x0000000140000000-0x00000001402A7000-memory.dmp

Filesize
2.7MB

Download
memory/3484-46-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-52-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-19-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-20-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-21-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-24-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-22-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-26-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-23-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-25-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-27-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-28-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-29-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-30-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-31-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-33-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-34-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-32-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-36-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-35-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-37-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-38-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-41-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-40-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-39-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-42-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-44-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-43-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-5-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3484-45-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-47-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-49-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-48-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-50-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-51-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-18-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-53-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-54-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-55-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-56-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-58-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-59-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-60-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-64-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-63-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-62-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-61-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-57-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-66-0x0000000002530000-0x0000000002537000-memory.dmp

Filesize
28KB

Download
memory/3484-65-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-74-0x00007FFA2DAC0000-0x00007FFA2DAD0000-memory.dmp

Filesize
64KB

Download
memory/3484-17-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-9-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-10-0x00007FFA2D5FA000-0x00007FFA2D5FB000-memory.dmp

Filesize
4KB

Download
memory/3484-11-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-16-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-14-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-15-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-13-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-7-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3484-12-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/3516-134-0x0000017D130F0000-0x0000017D130F7000-memory.dmp

Filesize
28KB

Download
memory/3516-139-0x0000000140000000-0x00000001402A7000-memory.dmp

Filesize
2.7MB

Download
memory/4024-102-0x0000000140000000-0x00000001402A7000-memory.dmp

Filesize
2.7MB

Download
memory/4024-97-0x000001A088EF0000-0x000001A088EF7000-memory.dmp

Filesize
28KB

Download
memory/4024-95-0x0000000140000000-0x00000001402A7000-memory.dmp

Filesize
2.7MB

Download
memory/4692-1-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download
memory/4692-4-0x000001C604400000-0x000001C604407000-memory.dmp

Filesize
28KB

Download
memory/4692-8-0x0000000140000000-0x00000001402A6000-memory.dmp

Filesize
2.6MB

Download