dridex | bf69701383654649697c0a1b2ff900751ffd006daad2d58b688913fcf360f5a7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f579600a6574f3180a38366e521e062d_JaffaCakes118.dll
Size

1.5MB
MD5

f579600a6574f3180a38366e521e062d
SHA1

cc123d182933a36f5989fc689bc537f9bf7f89c2
SHA256

bf69701383654649697c0a1b2ff900751ffd006daad2d58b688913fcf360f5a7
SHA512

51bf19b830c2a7254f9b75ea1fb81d89924f24bc111fe69eeedfdcca716bcf13599849bc4db933b2a79d79f26a24064f8368e0f79af1448294fd9f93fb40c910
SSDEEP

12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3460-4-0x0000000002A00000-0x0000000002A01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

pid	Process
1172	WMPDMC.exe
4780	msconfig.exe
1356	Narrator.exe
2008	dxgiadaptercache.exe

Loads dropped DLL 4 IoCs

pid	Process
1172	WMPDMC.exe
4780	msconfig.exe
2008	dxgiadaptercache.exe
2008	dxgiadaptercache.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zmupasrg = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\2oP\\msconfig.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMPDMC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1124	rundll32.exe
1124	rundll32.exe
1124	rundll32.exe
1124	rundll32.exe
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found
3460	Process not Found

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 2668	3460	Process not Found	85
PID 3460 wrote to memory of 2668	3460	Process not Found	85
PID 3460 wrote to memory of 1172	3460	Process not Found	86
PID 3460 wrote to memory of 1172	3460	Process not Found	86
PID 3460 wrote to memory of 2548	3460	Process not Found	87
PID 3460 wrote to memory of 2548	3460	Process not Found	87
PID 3460 wrote to memory of 4780	3460	Process not Found	88
PID 3460 wrote to memory of 4780	3460	Process not Found	88
PID 3460 wrote to memory of 3064	3460	Process not Found	89
PID 3460 wrote to memory of 3064	3460	Process not Found	89
PID 3460 wrote to memory of 2816	3460	Process not Found	91
PID 3460 wrote to memory of 2816	3460	Process not Found	91
PID 3460 wrote to memory of 2008	3460	Process not Found	92
PID 3460 wrote to memory of 2008	3460	Process not Found	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f579600a6574f3180a38366e521e062d_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
1⤵
PID:2668

C:\Users\Admin\AppData\Local\N0db\WMPDMC.exe
C:\Users\Admin\AppData\Local\N0db\WMPDMC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1172

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2548

C:\Users\Admin\AppData\Local\eVO\msconfig.exe
C:\Users\Admin\AppData\Local\eVO\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4780

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:3064

C:\Users\Admin\AppData\Local\SIvsx\Narrator.exe
C:\Users\Admin\AppData\Local\SIvsx\Narrator.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:2816

C:\Users\Admin\AppData\Local\aS8VYyp\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\aS8VYyp\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\N0db\WMPDMC.exe

Filesize
1.5MB

MD5
59ce6e554da0a622febce19eb61c4d34

SHA1
176a4a410cb97b3d4361d2aea0edbf17e15d04c7

SHA256
c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

SHA512
e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

Download Submit
C:\Users\Admin\AppData\Local\N0db\dwmapi.dll

Filesize
1.5MB

MD5
fb2d27c2980af17a4f1a5867b2c31314

SHA1
791eee078245d8f8d4295d8115232af3a8aa0a13

SHA256
3c52e2821eb91940a3b03cd44c30bbade790382afde50f0afe7dbfbea326f5ce

SHA512
69cc9858f17eada71e5f44818ab2a4871393fed01075e6433b04f3152ddde2ed09286a0966502c61bd7fa492f65def81722a713818a4de8917856b03e789e547

Download Submit
C:\Users\Admin\AppData\Local\SIvsx\Narrator.exe

Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Local\aS8VYyp\dxgi.dll

Filesize
1.5MB

MD5
c9a924f747fcc06161cb89e2a253dcd6

SHA1
547e72339637ea5b05ac47707dabff89e0cc3e6b

SHA256
9ce821dde76e7e9bc99aa964daeb14a5374420d1a9383c1796a4939b9fcbb8d5

SHA512
4cad1acc8d494b7131a1ed82fcec403beb11d462fd8f4f252b2a1a5257430a8178b035afccb6d8c1dca0dbcde70bb8becce4d7e54e92200df795a9a86ec40d58

Download Submit
C:\Users\Admin\AppData\Local\aS8VYyp\dxgiadaptercache.exe

Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Local\eVO\VERSION.dll

Filesize
1.5MB

MD5
243c617ecb339fe1bf536c2b70bfd546

SHA1
faeea50585b2e040af75fa739a99b5057831c50a

SHA256
7f4173bb22218b45a76711b81d29eb841f4f0996ea47b306144fe9d223754fa9

SHA512
e5ab2faeb38646709e29b9c5564b35e2f0662faeac58a8cf61ac855c367446c221ff2af68b7280b077be2b49078ae646d3405af125e4133d6f88d04a8811236e

Download Submit
C:\Users\Admin\AppData\Local\eVO\msconfig.exe

Filesize
193KB

MD5
39009536cafe30c6ef2501fe46c9df5e

SHA1
6ff7b4d30f31186de899665c704a105227704b72

SHA256
93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

SHA512
95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxqqcbifk.lnk

Filesize
1KB

MD5
ef56cad5851a39022fc5c10851cad454

SHA1
0e853a62da8c0c4eb639df771d73e8ecf11e8306

SHA256
5ed18a2c49d745b05c2c507a3664926f7a62db13005cd984049f140dbde3fcbd

SHA512
6bb5019a4585031cf2d7414dfb9aa8edfe0226b7f3d1041c97e67072094a2bd40a5523311708713533c6f318f92338acc01541fbb19882f2bd7d3f1efd02e15e

Download Submit
memory/1124-8-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1124-1-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1124-0-0x00000255CAC10000-0x00000255CAC17000-memory.dmp

Filesize
28KB

Download
memory/1172-78-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/1172-72-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/1172-73-0x000002615F1F0000-0x000002615F1F7000-memory.dmp

Filesize
28KB

Download
memory/2008-115-0x000001B04A230000-0x000001B04A237000-memory.dmp

Filesize
28KB

Download
memory/3460-33-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-42-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-20-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-21-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-22-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-23-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-24-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-25-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-26-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-27-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-28-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-29-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-30-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-31-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-32-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-18-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-34-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-35-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-36-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-37-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-38-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-39-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-41-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-19-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-40-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-43-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-44-0x00000000029F0000-0x00000000029F7000-memory.dmp

Filesize
28KB

Download
memory/3460-51-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-52-0x00007FFC89400000-0x00007FFC89410000-memory.dmp

Filesize
64KB

Download
memory/3460-61-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-63-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-17-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-16-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-15-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-14-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-13-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-7-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-12-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-5-0x00007FFC87D2A000-0x00007FFC87D2B000-memory.dmp

Filesize
4KB

Download
memory/3460-4-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3460-11-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-10-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3460-9-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/4780-95-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/4780-89-0x00000229D7290000-0x00000229D7297000-memory.dmp

Filesize
28KB

Download