dridex | 339daa6caefda7397da9e0e67e855cacb27afed32537c22bd975e3352f340513

Analysis

max time kernel
120s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc4b33a58a3e5a3d9e79c705f1c4684b_JaffaCakes118.dll
Size

2.0MB
MD5

fc4b33a58a3e5a3d9e79c705f1c4684b
SHA1

7e51a8e6a888eef2018cf6877f715ef75e3f4edb
SHA256

339daa6caefda7397da9e0e67e855cacb27afed32537c22bd975e3352f340513
SHA512

f2ae2697d3b2def9b98fc1a1a9dfe9522befc6b53b477b851f846ac089ea73a354fa9012e4236856608f725d8b18728a2e16d3bdfdbc2007d78443ecb8dbe8fe
SSDEEP

12288:MVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:5fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3356-4-0x00000000010A0000-0x00000000010A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

Narrator.exeSystemPropertiesPerformance.exeAgentService.exedwm.exe

pid process

4136 Narrator.exe
3204 SystemPropertiesPerformance.exe
2776 AgentService.exe
4456 dwm.exe
Loads dropped DLL 6 IoCs

Processes:

SystemPropertiesPerformance.exeAgentService.exedwm.exe

pid process

3204 SystemPropertiesPerformance.exe
2776 AgentService.exe
4456 dwm.exe
4456 dwm.exe
4456 dwm.exe
4456 dwm.exe

pid	process
4136	Narrator.exe
3204	SystemPropertiesPerformance.exe
2776	AgentService.exe
4456	dwm.exe

pid	process
3204	SystemPropertiesPerformance.exe
2776	AgentService.exe
4456	dwm.exe
4456	dwm.exe
4456	dwm.exe
4456	dwm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\r4UAZOtEx5o\\AgentService.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesPerformance.exeAgentService.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AgentService.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2436	regsvr32.exe
2436	regsvr32.exe
2436	regsvr32.exe
2436	regsvr32.exe
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356
3356

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

description	pid	target process
PID 3356 wrote to memory of 2184	3356	Narrator.exe
PID 3356 wrote to memory of 2184	3356	Narrator.exe
PID 3356 wrote to memory of 5020	3356	SystemPropertiesPerformance.exe
PID 3356 wrote to memory of 5020	3356	SystemPropertiesPerformance.exe
PID 3356 wrote to memory of 3204	3356	SystemPropertiesPerformance.exe
PID 3356 wrote to memory of 3204	3356	SystemPropertiesPerformance.exe
PID 3356 wrote to memory of 4360	3356	AgentService.exe
PID 3356 wrote to memory of 4360	3356	AgentService.exe
PID 3356 wrote to memory of 2776	3356	AgentService.exe
PID 3356 wrote to memory of 2776	3356	AgentService.exe
PID 3356 wrote to memory of 3576	3356	dwm.exe
PID 3356 wrote to memory of 3576	3356	dwm.exe
PID 3356 wrote to memory of 4456	3356	dwm.exe
PID 3356 wrote to memory of 4456	3356	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\fc4b33a58a3e5a3d9e79c705f1c4684b_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2436

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:2184

C:\Users\Admin\AppData\Local\F8MFBoD\Narrator.exe
C:\Users\Admin\AppData\Local\F8MFBoD\Narrator.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:5020

C:\Users\Admin\AppData\Local\AA8IiAo3W\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\AA8IiAo3W\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3204

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:4360

C:\Users\Admin\AppData\Local\qoJdw\AgentService.exe
C:\Users\Admin\AppData\Local\qoJdw\AgentService.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2776

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:3576

C:\Users\Admin\AppData\Local\O2f0Q\dwm.exe
C:\Users\Admin\AppData\Local\O2f0Q\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AA8IiAo3W\SYSDM.CPL

Filesize
2.0MB

MD5
e6df52a2bdb4a4c13fd83aacb5444b6b

SHA1
f0ad1605b819fe77e72c3238215dab6f20f9892f

SHA256
9979ab6405536bcfd1a0491134d829cdf43d26d79d838741fc53b0cdc4bd9147

SHA512
47377946616956985499ff15e33a6f07827b4ae8672da10b3ebc6f608d4688397809197054e4e20e5d26a65a1a58eaeddd1cba99e484033de02780ef80568470

Download Submit
C:\Users\Admin\AppData\Local\AA8IiAo3W\SystemPropertiesPerformance.exe

Filesize
82KB

MD5
e4fbf7cab8669c7c9cef92205d2f2ffc

SHA1
adbfa782b7998720fa85678cc85863b961975e28

SHA256
b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

SHA512
c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

Download Submit
C:\Users\Admin\AppData\Local\F8MFBoD\Narrator.exe

Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Local\O2f0Q\dwm.exe

Filesize
92KB

MD5
5c27608411832c5b39ba04e33d53536c

SHA1
f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

SHA256
0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

SHA512
1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

Download Submit
C:\Users\Admin\AppData\Local\O2f0Q\dxgi.dll

Filesize
2.0MB

MD5
2437c57ffe11802f7c69b0bc73f1ed97

SHA1
4b4e0fe448bd7706d6d7728dffb14e36df2ab041

SHA256
73e64a85f603319351cb7fad6186db2069375bf800aba8decb306c84f26a3292

SHA512
ecf5098f07b556f4da7082fac497e748560ad39d0a2e07e0eff6b0a3027f5327baa54c7bf92c2548f8d42abc7071f0e3f532ee831c8aff7c06e21cdadbad74f2

Download Submit
C:\Users\Admin\AppData\Local\qoJdw\ACTIVEDS.dll

Filesize
2.0MB

MD5
f7ead90fe4a32e9f4c39fb85a5ddbc89

SHA1
3d21482382a1ae0e2dee9c436f1b0a99dea1a4b6

SHA256
bc20498a887a1bcdf678eed33feecd3fdbec354d7dc3d0d541a75c70caa30af1

SHA512
5b226b45688109a8f6d0369f9757f284055db6bd2bf23bf68c5ad7d4859c38f8654d663dfc58287f61bb27edac5468cc0a85f26592f1b848116f06f151283450

Download Submit
C:\Users\Admin\AppData\Local\qoJdw\AgentService.exe

Filesize
1.2MB

MD5
f8bac206def3e87ceb8ef3cb0fb5a194

SHA1
a28ea816e7b5ca511da4576262a5887a75171276

SHA256
c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268

SHA512
8df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnk

Filesize
1KB

MD5
82867539cc718efd7abf51af475926a4

SHA1
a71a04702a7a4ed9b27a4748edeb24dcf301a1d0

SHA256
a8bbc806cee2e58589d6b0b2ed5c361fedf9929682074652d46c59c3fb5a32a7

SHA512
d03aa50e022b0419924ef7f25306505e09b2af73c682ea03fc6c41e42d1a4df5be4d8bc8fbaed63c40548ab0cc99585611e11a4157b3fd2cc188c89b33654f74

Download Submit
memory/2436-0-0x0000000002690000-0x0000000002697000-memory.dmp

Filesize
28KB

Download
memory/2436-14-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2436-1-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/2776-107-0x0000015A438B0000-0x0000015A438B7000-memory.dmp

Filesize
28KB

Download
memory/3204-92-0x000002A89C2B0000-0x000002A89C2B7000-memory.dmp

Filesize
28KB

Download
memory/3356-32-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-40-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-7-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-15-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-17-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-16-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-18-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-19-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-20-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-21-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-22-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-23-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-24-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-26-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-27-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-25-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-28-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-29-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-31-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-12-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-30-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-34-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-33-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-35-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-36-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-37-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-39-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-13-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-38-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-41-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-42-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-43-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-44-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-46-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-45-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-47-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-48-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-49-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-50-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-51-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-52-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-54-0x0000000001060000-0x0000000001067000-memory.dmp

Filesize
28KB

Download
memory/3356-53-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-11-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-10-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-9-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-8-0x00007FF999B7A000-0x00007FF999B7B000-memory.dmp

Filesize
4KB

Download
memory/3356-6-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-61-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-62-0x00007FF99AA80000-0x00007FF99AA90000-memory.dmp

Filesize
64KB

Download
memory/3356-71-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-73-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3356-4-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/4456-128-0x0000017700950000-0x0000017700957000-memory.dmp

Filesize
28KB

Download