dridex | 80945307d35592bafc62a4521f865dccdee21e442dc15d533675207d6c012614

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0386ba950a1b343ae0b01e8c98e0a4c_JaffaCakes118.dll
Size

1.4MB
MD5

b0386ba950a1b343ae0b01e8c98e0a4c
SHA1

5f2cca191a83203b55710072c5cef194bdfc7b83
SHA256

80945307d35592bafc62a4521f865dccdee21e442dc15d533675207d6c012614
SHA512

088224073d06521d9c43ecea1b493d12bb39ffa3f40db879c0b69c462a621db343cf7c03740304e063158b18d41ab747ecd99980c865068abcb8ced2125eda5c
SSDEEP

24576:4uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NP:I9cKrUqZWLAcUH

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3572-4-0x0000000002640000-0x0000000002641000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3044	SysResetErr.exe
2512	rdpclip.exe
60	sethc.exe

Loads dropped DLL 3 IoCs

pid	Process
3044	SysResetErr.exe
2512	rdpclip.exe
60	sethc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bhelxfhv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\2mMyy\\rdpclip.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3572	Process not Found
3572	Process not Found
3572	Process not Found

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3572	Process not Found
3572	Process not Found
3572	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3572	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4756	3572	Process not Found	84
PID 3572 wrote to memory of 4756	3572	Process not Found	84
PID 3572 wrote to memory of 3044	3572	Process not Found	85
PID 3572 wrote to memory of 3044	3572	Process not Found	85
PID 3572 wrote to memory of 2768	3572	Process not Found	86
PID 3572 wrote to memory of 2768	3572	Process not Found	86
PID 3572 wrote to memory of 2512	3572	Process not Found	87
PID 3572 wrote to memory of 2512	3572	Process not Found	87
PID 3572 wrote to memory of 344	3572	Process not Found	88
PID 3572 wrote to memory of 344	3572	Process not Found	88
PID 3572 wrote to memory of 60	3572	Process not Found	89
PID 3572 wrote to memory of 60	3572	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0386ba950a1b343ae0b01e8c98e0a4c_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2184

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:4756

C:\Users\Admin\AppData\Local\AB0\SysResetErr.exe
C:\Users\Admin\AppData\Local\AB0\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3044

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:2768

C:\Users\Admin\AppData\Local\FFzd012uj\rdpclip.exe
C:\Users\Admin\AppData\Local\FFzd012uj\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2512

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:344

C:\Users\Admin\AppData\Local\7xmqnl\sethc.exe
C:\Users\Admin\AppData\Local\7xmqnl\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7xmqnl\WTSAPI32.dll

Filesize
1.4MB

MD5
245409dfc447b77520336c8252b2012e

SHA1
7f8fb399c14876f6b0644825a030005644a0fa9f

SHA256
b81b76e6d70439cad03d1a357c84f021d2ca27b563ad7831626812a80b7c8e62

SHA512
788516a14dae692e087cefb18b512c6c1b7c68326f555760ebdd6a7c29e38c35c8dc84163cc84ebc424e9a58eca52324f9045fae98005f84e753ffc779a86cf6

Download Submit
C:\Users\Admin\AppData\Local\7xmqnl\sethc.exe

Filesize
104KB

MD5
8ba3a9702a3f1799431cad6a290223a6

SHA1
9c7dc9b6830297c8f759d1f46c8b36664e26c031

SHA256
615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8

SHA512
680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

Download Submit
C:\Users\Admin\AppData\Local\AB0\DUI70.dll

Filesize
1.7MB

MD5
4b1cbfe3639482825f57ac2e955bbc8f

SHA1
c0f69986e33c39d5914d28f5d6731a37fc795ed9

SHA256
6f8b78ea572014ce5e6a2d666b9bfffccb30f5f39c0ea488b4a440b0f616d27c

SHA512
36fe7aff76793b2f1ca36145a335a78fc96495613ed16d3207f47188f18b734cab77614f5426073aa5cd03b6b02e410e1b93a265e6d1e0b61b7b9a7aa04b8d0d

Download Submit
C:\Users\Admin\AppData\Local\AB0\SysResetErr.exe

Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Local\FFzd012uj\WINSTA.dll

Filesize
1.4MB

MD5
84969a4330ff6bc147535cd879588215

SHA1
2f08a07e756e6a7a12c0d581e01c3d5e25d520a8

SHA256
124af552359d01f72355c347e8d4d60901359b8a98c1cca087806337e8dde1eb

SHA512
d27a4a6fa92e82813ee81408e2f4fb46fd208d5621948b5f1f1c54da4fb7d92daa5350d0b85a85904480fa1a67c519cfa25367e4aba2f519d9f0de6581169ffb

Download Submit
C:\Users\Admin\AppData\Local\FFzd012uj\rdpclip.exe

Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk

Filesize
1KB

MD5
4e8177e72653790e439104fcb6ec0d60

SHA1
f5da707f630441fd7d062b7818023005a3d0deef

SHA256
4c5a8b6fc66fd7c17149a398442a1f52f6f2e1eb45f0e065d67e911d8d20af55

SHA512
cfde9e9fb771734528c0672087f3f16565b89dfdeef270de9a31d1ce84ac1815e5b027bc202f794e06dc627f058293b0b9a61cc587d31496ef7e3dc1c627eae5

Download Submit
memory/60-85-0x0000024C30410000-0x0000024C30417000-memory.dmp

Filesize
28KB

Download
memory/60-82-0x00007FFBA7D20000-0x00007FFBA7E8F000-memory.dmp

Filesize
1.4MB

Download
memory/60-88-0x00007FFBA7D20000-0x00007FFBA7E8F000-memory.dmp

Filesize
1.4MB

Download
memory/2184-0-0x00007FFBA8650000-0x00007FFBA87BE000-memory.dmp

Filesize
1.4MB

Download
memory/2184-41-0x00007FFBA8650000-0x00007FFBA87BE000-memory.dmp

Filesize
1.4MB

Download
memory/2184-3-0x000001D7BE2E0000-0x000001D7BE2E7000-memory.dmp

Filesize
28KB

Download
memory/2512-71-0x00007FFBA81B0000-0x00007FFBA8320000-memory.dmp

Filesize
1.4MB

Download
memory/2512-65-0x00007FFBA81B0000-0x00007FFBA8320000-memory.dmp

Filesize
1.4MB

Download
memory/2512-68-0x00000136F7F10000-0x00000136F7F17000-memory.dmp

Filesize
28KB

Download
memory/3044-54-0x00007FFBA8160000-0x00007FFBA8314000-memory.dmp

Filesize
1.7MB

Download
memory/3044-51-0x0000014CB5590000-0x0000014CB5597000-memory.dmp

Filesize
28KB

Download
memory/3044-48-0x00007FFBA8160000-0x00007FFBA8314000-memory.dmp

Filesize
1.7MB

Download
memory/3572-35-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-26-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-7-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-8-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-9-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-10-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-11-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-12-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-13-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-14-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-15-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-16-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-38-0x00007FFBB6CCA000-0x00007FFBB6CCB000-memory.dmp

Filesize
4KB

Download
memory/3572-39-0x0000000002600000-0x0000000002607000-memory.dmp

Filesize
28KB

Download
memory/3572-40-0x00007FFBB6E70000-0x00007FFBB6E80000-memory.dmp

Filesize
64KB

Download
memory/3572-18-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-17-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-6-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-4-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download