dridex | 4f846f7de56d607a034e7566c78afbf3c2f6ed27f89ef5f23952f35ebe4db627

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35c0649f734b4df238a3a0581b9d1a63_JaffaCakes118.dll
Size

995KB
MD5

35c0649f734b4df238a3a0581b9d1a63
SHA1

7e1b4b8b440c0148073bb1f6a480210001781630
SHA256

4f846f7de56d607a034e7566c78afbf3c2f6ed27f89ef5f23952f35ebe4db627
SHA512

8983fb656cefb48156367ec3ca87235eea04911e48ecc0a0c5c94a4c78cd081483d9bc08f38d030c6a61010cadd24aaab8ffefaacf4ac316143ff045b32210d3
SSDEEP

24576:tVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:tV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3408-4-0x0000000002460000-0x0000000002461000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

rdpclip.exePresentationHost.exeperfmon.exeUtilman.exe

pid process

3996 rdpclip.exe
3536 PresentationHost.exe
2844 perfmon.exe
2900 Utilman.exe
Loads dropped DLL 5 IoCs

Processes:

rdpclip.exePresentationHost.exeperfmon.exeUtilman.exe

pid process

3996 rdpclip.exe
3536 PresentationHost.exe
3536 PresentationHost.exe
2844 perfmon.exe
2900 Utilman.exe

pid	process
3996	rdpclip.exe
3536	PresentationHost.exe
2844	perfmon.exe
2900	Utilman.exe

pid	process
3996	rdpclip.exe
3536	PresentationHost.exe
3536	PresentationHost.exe
2844	perfmon.exe
2900	Utilman.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkwligutpbxhkv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\KgRlDY\\perfmon.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpclip.exeperfmon.exeUtilman.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4456	rundll32.exe
4456	rundll32.exe
4456	rundll32.exe
4456	rundll32.exe
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	target process
PID 3408 wrote to memory of 3148	3408	rdpclip.exe
PID 3408 wrote to memory of 3148	3408	rdpclip.exe
PID 3408 wrote to memory of 3996	3408	rdpclip.exe
PID 3408 wrote to memory of 3996	3408	rdpclip.exe
PID 3408 wrote to memory of 3480	3408	PresentationHost.exe
PID 3408 wrote to memory of 3480	3408	PresentationHost.exe
PID 3408 wrote to memory of 3536	3408	PresentationHost.exe
PID 3408 wrote to memory of 3536	3408	PresentationHost.exe
PID 3408 wrote to memory of 2700	3408	perfmon.exe
PID 3408 wrote to memory of 2700	3408	perfmon.exe
PID 3408 wrote to memory of 2844	3408	perfmon.exe
PID 3408 wrote to memory of 2844	3408	perfmon.exe
PID 3408 wrote to memory of 2288	3408	Utilman.exe
PID 3408 wrote to memory of 2288	3408	Utilman.exe
PID 3408 wrote to memory of 2900	3408	Utilman.exe
PID 3408 wrote to memory of 2900	3408	Utilman.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\35c0649f734b4df238a3a0581b9d1a63_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4456

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:3148

C:\Users\Admin\AppData\Local\q90NgBrpF\rdpclip.exe
C:\Users\Admin\AppData\Local\q90NgBrpF\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3996

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:3480

C:\Users\Admin\AppData\Local\tEMCZfKI\PresentationHost.exe
C:\Users\Admin\AppData\Local\tEMCZfKI\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3536

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:2700

C:\Users\Admin\AppData\Local\pICm\perfmon.exe
C:\Users\Admin\AppData\Local\pICm\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2844

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:2288

C:\Users\Admin\AppData\Local\1aiE\Utilman.exe
C:\Users\Admin\AppData\Local\1aiE\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1aiE\DUI70.dll
Filesize
1.2MB

MD5
08f9fbb5b8817132630d299a02395f55

SHA1
0c4c0bea0131d054e18e48ac296c2172d35905af

SHA256
8b0aa99b04db63c28680f666284fff53b69aa29f46039b1443cd61ebf01c7a49

SHA512
97c3fc527dd3583c821b050bd451aa6cba16d7beb22c9c5e7550a7b9afcdc2fe62ce43589771fc68ecbbf6cbf35d7a14b883debd7bbae382890b39ba12745351

Download Submit
C:\Users\Admin\AppData\Local\1aiE\Utilman.exe
Filesize
123KB

MD5
a117edc0e74ab4770acf7f7e86e573f7

SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Download Submit
C:\Users\Admin\AppData\Local\pICm\credui.dll
Filesize
996KB

MD5
5b57912d82942b43cfa8eaa016142814

SHA1
37f0af4c268d0b316009376dcf4f565555725ddc

SHA256
2f7c51558ee0175998a2169208ce03f01b04d95909b3688da49f81740326230c

SHA512
0bd01f16ebf32d50de32c5b50ce6ff228e9b9303c23c0a11c502da2fd8a535fc186b5bc0f1ed8b3e06b189c071ddb8801119d2df91beac0a8e867b5ca2aeae6e

Download Submit
C:\Users\Admin\AppData\Local\pICm\perfmon.exe
Filesize
177KB

MD5
d38aa59c3bea5456bd6f95c73ad3c964

SHA1
40170eab389a6ba35e949f9c92962646a302d9ef

SHA256
5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

SHA512
59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

Download Submit
C:\Users\Admin\AppData\Local\q90NgBrpF\WINSTA.dll
Filesize
1002KB

MD5
99214203e76a6075a95fd934379efa8f

SHA1
83a37cf57516b44ecdf2ffa37e3e4c61a952ffd9

SHA256
eba338a5ed9ae34e658d442c5a1d36965acb80bc69c1a908aee217480089bbdb

SHA512
3fd88d69bcbf5b21bbb01cddd5eccce9e0ab7e01ea1506398d67c6a8da5d64d82d624822a363e9fb32228831b48d1ca0c59414b1da7d2ad1b119135736d59457

Download Submit
C:\Users\Admin\AppData\Local\q90NgBrpF\rdpclip.exe
Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Local\tEMCZfKI\PresentationHost.exe
Filesize
276KB

MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\tEMCZfKI\VERSION.dll
Filesize
996KB

MD5
f14746075a4425e8852fae45b29215a2

SHA1
4490efe87e3de0e5af18fd8143bf1e394304d736

SHA256
dc59d70065fc6626aabca7da612d2a4d9f39070ec9c48de3778cfd8196deadb7

SHA512
a34d0820bafc0252d5aec8926d4de43f9e0a3a229bff3a35ac1ee624870c309e8fe4fd6b4492f4d3903ffed6b53d6c6856a6f1b24c378e714a24be7977ff117b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zgbuverbplpthj.lnk
Filesize
1KB

MD5
8464358899ce793bc146474c053db80f

SHA1
ddad1691b0050b065f2caa529e7d9c628fe29990

SHA256
47103810a1dcdc3a11f7973a45affb676a27e2aa5b53415c9aef6c27c3a708d8

SHA512
c01f2c94f426f7889da7b6c622b5cc5d1da61af132d64546547ae26d457b92fdf9abbebedc4e79cb11faeb4abbccdb01360a218eb65a1c59f2a2c2199056ed1a

Download Submit
memory/2844-77-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2844-71-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2844-74-0x00000246C1AF0000-0x00000246C1AF7000-memory.dmp

Filesize
28KB

Download
memory/2900-88-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2900-93-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-33-0x0000000000990000-0x0000000000997000-memory.dmp

Filesize
28KB

Download
memory/3408-14-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3408-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3408-4-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3408-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3408-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3408-6-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3408-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3408-23-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3408-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3408-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3408-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3408-32-0x00007FF8064DA000-0x00007FF8064DB000-memory.dmp

Filesize
4KB

Download
memory/3408-35-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3408-34-0x00007FF807D10000-0x00007FF807D20000-memory.dmp

Filesize
64KB

Download
memory/3996-51-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/3996-45-0x00000175CBFE0000-0x00000175CBFE7000-memory.dmp

Filesize
28KB

Download
memory/3996-46-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/4456-0-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4456-38-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4456-3-0x000001D167630000-0x000001D167637000-memory.dmp

Filesize
28KB

Download