dridex | f3b0395084b9f2b7a4a01141e120cba2a6418b5e0115c49f117f92644ccef6a9

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1096fcd872148014eb60b91a9775c4ef_JaffaCakes118.dll
Size

989KB
MD5

1096fcd872148014eb60b91a9775c4ef
SHA1

fb906fa1446b0379d3560255c1c1e710b1f52255
SHA256

f3b0395084b9f2b7a4a01141e120cba2a6418b5e0115c49f117f92644ccef6a9
SHA512

011ac98ebfa19fd70c7766fee7ca22915d1a922792cc91a7c6b4088072eca36119e0b2145d35b2c85c8f8efe730f721162b96f8de04908b7fd92c6463f945e45
SSDEEP

24576:5VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:5V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3368-4-0x00000000030A0000-0x00000000030A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

upfc.exeWindowsActionDialog.exePresentationHost.exerstrui.exe

pid process

4264 upfc.exe
5028 WindowsActionDialog.exe
4924 PresentationHost.exe
1720 rstrui.exe
Loads dropped DLL 5 IoCs

Processes:

upfc.exeWindowsActionDialog.exePresentationHost.exerstrui.exe

pid process

4264 upfc.exe
5028 WindowsActionDialog.exe
4924 PresentationHost.exe
4924 PresentationHost.exe
1720 rstrui.exe

pid	process
4264	upfc.exe
5028	WindowsActionDialog.exe
4924	PresentationHost.exe
1720	rstrui.exe

pid	process
4264	upfc.exe
5028	WindowsActionDialog.exe
4924	PresentationHost.exe
4924	PresentationHost.exe
1720	rstrui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eeaxmqtu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\j0wREc\\WindowsActionDialog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeupfc.exeWindowsActionDialog.exerstrui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4136	rundll32.exe
4136	rundll32.exe
4136	rundll32.exe
4136	rundll32.exe
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	target process
PID 3368 wrote to memory of 1180	3368	upfc.exe
PID 3368 wrote to memory of 1180	3368	upfc.exe
PID 3368 wrote to memory of 4264	3368	upfc.exe
PID 3368 wrote to memory of 4264	3368	upfc.exe
PID 3368 wrote to memory of 2696	3368	WindowsActionDialog.exe
PID 3368 wrote to memory of 2696	3368	WindowsActionDialog.exe
PID 3368 wrote to memory of 5028	3368	WindowsActionDialog.exe
PID 3368 wrote to memory of 5028	3368	WindowsActionDialog.exe
PID 3368 wrote to memory of 1276	3368	PresentationHost.exe
PID 3368 wrote to memory of 1276	3368	PresentationHost.exe
PID 3368 wrote to memory of 4924	3368	PresentationHost.exe
PID 3368 wrote to memory of 4924	3368	PresentationHost.exe
PID 3368 wrote to memory of 3620	3368	rstrui.exe
PID 3368 wrote to memory of 3620	3368	rstrui.exe
PID 3368 wrote to memory of 1720	3368	rstrui.exe
PID 3368 wrote to memory of 1720	3368	rstrui.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1096fcd872148014eb60b91a9775c4ef_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4136

C:\Windows\system32\upfc.exe
C:\Windows\system32\upfc.exe
1⤵
PID:1180

C:\Users\Admin\AppData\Local\2iv\upfc.exe
C:\Users\Admin\AppData\Local\2iv\upfc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4264

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:2696

C:\Users\Admin\AppData\Local\o3I\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\o3I\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5028

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:1276

C:\Users\Admin\AppData\Local\UQRGr\PresentationHost.exe
C:\Users\Admin\AppData\Local\UQRGr\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4924

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:3620

C:\Users\Admin\AppData\Local\kMNQcvtQ\rstrui.exe
C:\Users\Admin\AppData\Local\kMNQcvtQ\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2iv\XmlLite.dll
Filesize
990KB

MD5
70715e0dae4da8ff7c18e6a4d8eceff8

SHA1
0c4a18518deb039d31eb14f7847124f71d705571

SHA256
41bdcca050fd50700cb1395017e416886befd17695bb50cdf73a431caea82fef

SHA512
9b982e429310608f2919d8e0b63ad923e5961887dc5ff6ac5f4aacbf6c5dbf2c0d1e7776ff6f65b4e189256bbb54c3ea5b9499f077f30da4f25e143f2f9e3099

Download Submit
C:\Users\Admin\AppData\Local\2iv\upfc.exe
Filesize
118KB

MD5
299ea296575ccb9d2c1a779062535d5c

SHA1
2497169c13b0ba46a6be8a1fe493b250094079b7

SHA256
ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

SHA512
02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

Download Submit
C:\Users\Admin\AppData\Local\UQRGr\PresentationHost.exe
Filesize
276KB

MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\UQRGr\VERSION.dll
Filesize
990KB

MD5
5159ca4403bf28d04809c3575f708d43

SHA1
eb6af11f2c85771af8c63c39787ee11132dc61c0

SHA256
d7d4402d02d5f704dcc687f42e169ca1fa4fabaad7c5feae183f7c5b2731e535

SHA512
8bbe4a2de6772e43cb4ff3c76ca7afc468a915e01c1d83b4cf4e705314a53d2ead8c833c9b04097aaeeeacbb56976a8dbd7d8c676b4877d6cc3625b6c93bddec

Download Submit
C:\Users\Admin\AppData\Local\kMNQcvtQ\SPP.dll
Filesize
990KB

MD5
22e983e256fe7778801220df7da30619

SHA1
db9175de9d0a58bb8a09c2d29d7e216299a3afdc

SHA256
72f01e36ba5786ff44057aadc518e825108ec1ea8eaaf8ccecacf5b7c285e513

SHA512
defc2c81d8142dd9e8a6aeba9069705f542b7bd005e719213df3da6ac7331afd4737b353e3d017204b05a2781a1a0b30bff19d2f658cd0d193138e27cc4c7cd7

Download Submit
C:\Users\Admin\AppData\Local\kMNQcvtQ\rstrui.exe
Filesize
268KB

MD5
4cad10846e93e85790865d5c0ab6ffd9

SHA1
8a223f4bab28afa4c7ed630f29325563c5dcda1a

SHA256
9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

SHA512
c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

Download Submit
C:\Users\Admin\AppData\Local\o3I\DUI70.dll
Filesize
1.2MB

MD5
686e333393846e849bad340914e23ebe

SHA1
fc3069c232e7481774a8f8663a9fda7222f7994f

SHA256
0e908a29b7fc0221b21ed5c4a3da6814ddc074e42f9f90cd173e261faaa46e35

SHA512
c92e4d2cc550d7a90df32dcac68c0508c1a017def14d5d49aa146d063546ae0314222787f2ca1cdf1e5a4814064434ba7787f2d8e91e9859baefd2abc5e85014

Download Submit
C:\Users\Admin\AppData\Local\o3I\WindowsActionDialog.exe
Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rkjap.lnk
Filesize
1KB

MD5
c861046e85941085f8c350123c8a60c0

SHA1
78ed2daca5c33fdf60f471c72ddbf1d5be71aeca

SHA256
b91d57bb7d08f3f12413b1648561c23228df8083e823b9baeeb8be7f68bc79fb

SHA512
f2d629d15bac0b2f57fdac4132fe12813c6d5f5c7b702540638bd634d741920ffb42c00897675d317c0c89135da8f7d79ed7078f45a4a8bf1b2af171047de35a

Download Submit
memory/1720-92-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3368-28-0x00007FFDBC6F0000-0x00007FFDBC700000-memory.dmp

Filesize
64KB

Download
memory/3368-26-0x00007FFDBAEEA000-0x00007FFDBAEEB000-memory.dmp

Filesize
4KB

Download
memory/3368-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3368-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3368-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3368-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3368-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3368-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3368-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3368-27-0x0000000000F80000-0x0000000000F87000-memory.dmp

Filesize
28KB

Download
memory/3368-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3368-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3368-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3368-4-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/4136-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4136-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4136-3-0x0000014872170000-0x0000014872177000-memory.dmp

Filesize
28KB

Download
memory/4264-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4264-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4264-47-0x000002B843760000-0x000002B843767000-memory.dmp

Filesize
28KB

Download
memory/5028-61-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5028-67-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5028-64-0x000001D366300000-0x000001D366307000-memory.dmp

Filesize
28KB

Download