dridex | f9596306e520a651e3f91e376df0211f2cf382a5b0e69b4900357abb3c6b7a7e

Analysis

max time kernel
150s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73675d3e6348ef7b1be6cc67b90f6333_JaffaCakes118.dll
Size

1.2MB
MD5

73675d3e6348ef7b1be6cc67b90f6333
SHA1

1acb6cc9cb689cf8c28eb1df47c9d82ff194aacc
SHA256

f9596306e520a651e3f91e376df0211f2cf382a5b0e69b4900357abb3c6b7a7e
SHA512

bba7f9e8b727bcdb716f2c9d19fd03700d1c8d4f5055c3329a2e31f6c4068d7ea0cf31c1cb659b66c22875ff383ef1087f95a96977e51ee14e80d10f082eb688
SSDEEP

24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3516-4-0x00000000077A0000-0x00000000077A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

usocoreworker.exesdclt.exeie4uinit.exeMDMAppInstaller.exe

pid process

4060 usocoreworker.exe
4608 sdclt.exe
4340 ie4uinit.exe
1092 MDMAppInstaller.exe
Loads dropped DLL 6 IoCs

Processes:

usocoreworker.exesdclt.exeie4uinit.exeMDMAppInstaller.exe

pid process

4060 usocoreworker.exe
4608 sdclt.exe
4340 ie4uinit.exe
4340 ie4uinit.exe
4340 ie4uinit.exe
1092 MDMAppInstaller.exe

pid	process
4060	usocoreworker.exe
4608	sdclt.exe
4340	ie4uinit.exe
1092	MDMAppInstaller.exe

pid	process
4060	usocoreworker.exe
4608	sdclt.exe
4340	ie4uinit.exe
4340	ie4uinit.exe
4340	ie4uinit.exe
1092	MDMAppInstaller.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ihmks = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\76p\\sdclt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

usocoreworker.exesdclt.exeMDMAppInstaller.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MDMAppInstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3516
3516
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3516

pid	process
3516
3516

pid	process
3516

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	target process
PID 3516 wrote to memory of 3608	3516	usocoreworker.exe
PID 3516 wrote to memory of 3608	3516	usocoreworker.exe
PID 3516 wrote to memory of 4060	3516	usocoreworker.exe
PID 3516 wrote to memory of 4060	3516	usocoreworker.exe
PID 3516 wrote to memory of 4080	3516	sdclt.exe
PID 3516 wrote to memory of 4080	3516	sdclt.exe
PID 3516 wrote to memory of 4608	3516	sdclt.exe
PID 3516 wrote to memory of 4608	3516	sdclt.exe
PID 3516 wrote to memory of 4588	3516	ie4uinit.exe
PID 3516 wrote to memory of 4588	3516	ie4uinit.exe
PID 3516 wrote to memory of 4340	3516	ie4uinit.exe
PID 3516 wrote to memory of 4340	3516	ie4uinit.exe
PID 3516 wrote to memory of 1468	3516	MDMAppInstaller.exe
PID 3516 wrote to memory of 1468	3516	MDMAppInstaller.exe
PID 3516 wrote to memory of 1092	3516	MDMAppInstaller.exe
PID 3516 wrote to memory of 1092	3516	MDMAppInstaller.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\73675d3e6348ef7b1be6cc67b90f6333_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:3608

C:\Users\Admin\AppData\Local\zF1vSK5R\usocoreworker.exe
C:\Users\Admin\AppData\Local\zF1vSK5R\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4060

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:4080

C:\Users\Admin\AppData\Local\YtcD2BRaU\sdclt.exe
C:\Users\Admin\AppData\Local\YtcD2BRaU\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4608

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:4588

C:\Users\Admin\AppData\Local\Hhix4NU\ie4uinit.exe
C:\Users\Admin\AppData\Local\Hhix4NU\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4340

C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
1⤵
PID:1468

C:\Users\Admin\AppData\Local\xKm1boy\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\xKm1boy\MDMAppInstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Hhix4NU\VERSION.dll
Filesize
1.2MB

MD5
3dba25d7800303dff3fd0a9a86a50164

SHA1
eb6eba52b530fc64e6d5c8eabf533d43287ab19d

SHA256
48f277da8b45b86af6366ae7e863be01cea1c854af29e3a3b13e981726152e9c

SHA512
c078d48a79dcce25ccff05683044b5bf612e34bf197664700bccbafd2fab5d5b91f38f5603f7ba9afbe340bd06defc9317e716031f06d0a4621eb83b80849167

Download Submit
C:\Users\Admin\AppData\Local\Hhix4NU\ie4uinit.exe
Filesize
262KB

MD5
a2f0104edd80ca2c24c24356d5eacc4f

SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56

SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

Download Submit
C:\Users\Admin\AppData\Local\YtcD2BRaU\ReAgent.dll
Filesize
1.2MB

MD5
c00eb4ef3067ebe90801b8926f435105

SHA1
76a09c764e937e137c14bef85b6baa40f20141b4

SHA256
96e813b8bc3179b887cc5da004f41be11fab9a50b927c84e9db68c657b6abfae

SHA512
3c9cee7194fe1094d9eb7cfe566533faf9c61c79cf2fbbd0653352eaa24285bc80786b103ae37e55368b8b7ac086cf0d74c5abcf271a9992f1e4bf0830326f9e

Download Submit
C:\Users\Admin\AppData\Local\YtcD2BRaU\sdclt.exe
Filesize
1.2MB

MD5
e09d48f225e7abcab14ebd3b8a9668ec

SHA1
1c5b9322b51c09a407d182df481609f7cb8c425d

SHA256
efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

SHA512
384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

Download Submit
C:\Users\Admin\AppData\Local\xKm1boy\MDMAppInstaller.exe
Filesize
151KB

MD5
30e978cc6830b04f1e7ed285cccaa746

SHA1
e915147c17e113c676c635e2102bbff90fb7aa52

SHA256
dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

SHA512
331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

Download Submit
C:\Users\Admin\AppData\Local\xKm1boy\WTSAPI32.dll
Filesize
1.2MB

MD5
94aced4c6ab4298f8e42af70834452ad

SHA1
56ccb0c6312c2e5694b3a75c254a6c16522f8a6a

SHA256
f07ed7090589c5f9d51152b386ff1453006260f8d9145d324e771d65031c89d7

SHA512
c3323e075daae5ff1438ab69b9a9e3c8baee18887936fa1abf1c2abf4f51105bc75f54c234232407e3214351953002716ae50d4acd227e7cfbab5ca73948edd6

Download Submit
C:\Users\Admin\AppData\Local\zF1vSK5R\XmlLite.dll
Filesize
1.2MB

MD5
e248e58a0f8414c144598cf183bfefd2

SHA1
3bc8247c4856d779d1a1c7519c4441ac788ef05b

SHA256
938167f889a1bb2a23c60278315d8c9db3104cc7a6aca0a98bebba31a038defe

SHA512
5828f46884e76d9c2849010fba090b7f0f23be929ba3b27d17b1053ffd4b8b1421a15107dc1dd5678a494e9de8c3da29652605bd67cae823713187d60d35868b

Download Submit
C:\Users\Admin\AppData\Local\zF1vSK5R\usocoreworker.exe
Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yvephsk.lnk
Filesize
1KB

MD5
a770f6fbe64f07e718ebe3bfc6631ebf

SHA1
5672e940296ebf54818c9313953ebf1ef77fe348

SHA256
a9d447697a146e34a6cf5ad28e442ec62383958b28c8144e532332f84d458cb0

SHA512
372931098742cf34480539f02fcebf1260bf853d92629154d5169d715db313bdcf4515d7df6fc1cbb87fb956f7e8b1169150ccc09ca5e55e1f4a80b4f4061660

Download Submit
memory/1092-97-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2952-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2952-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2952-3-0x0000018DA4580000-0x0000018DA4587000-memory.dmp

Filesize
28KB

Download
memory/3516-34-0x0000000007780000-0x0000000007787000-memory.dmp

Filesize
28KB

Download
memory/3516-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3516-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3516-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3516-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3516-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3516-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3516-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3516-6-0x00007FFE8AC3A000-0x00007FFE8AC3B000-memory.dmp

Filesize
4KB

Download
memory/3516-4-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/3516-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3516-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3516-35-0x00007FFE8CB70000-0x00007FFE8CB80000-memory.dmp

Filesize
64KB

Download
memory/3516-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3516-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3516-36-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4060-52-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4060-46-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4060-49-0x000001FEAFD60000-0x000001FEAFD67000-memory.dmp

Filesize
28KB

Download
memory/4340-82-0x00000180EA840000-0x00000180EA984000-memory.dmp

Filesize
1.3MB

Download
memory/4340-83-0x00000180EA6F0000-0x00000180EA834000-memory.dmp

Filesize
1.3MB

Download
memory/4608-69-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4608-66-0x0000027A29A40000-0x0000027A29A47000-memory.dmp

Filesize
28KB

Download