dridex | 692edebbe453068bc42b4ca091ef8eaf27c544777b71b2f17930bde34cd67698

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2024, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563694b5b3e24156272e80505a060dfb_JaffaCakes118.dll
Size

1.2MB
MD5

563694b5b3e24156272e80505a060dfb
SHA1

e95033c6a1c1a711134aedc993f56b953cd86efb
SHA256

692edebbe453068bc42b4ca091ef8eaf27c544777b71b2f17930bde34cd67698
SHA512

7fe4a9bb7d9ed79a7aba262c0bbb664ff2c6685a61ef8810f7b30fe17a888c44adfa2427c896087d567511098745c1e876f4f326024e9302248f9df83c0dba6a
SSDEEP

12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3420-4-0x00000000027B0000-0x00000000027B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4964	perfmon.exe
348	CameraSettingsUIHost.exe
3192	EhStorAuthn.exe

Loads dropped DLL 3 IoCs

pid	Process
4964	perfmon.exe
348	CameraSettingsUIHost.exe
3192	EhStorAuthn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ycquegmnm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\Managed\\WORDDO~2\\JjScy\\CAMERA~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1568	regsvr32.exe
1568	regsvr32.exe
1568	regsvr32.exe
1568	regsvr32.exe
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3420	Process not Found
Token: SeCreatePagefilePrivilege	3420	Process not Found
Token: SeShutdownPrivilege	3420	Process not Found
Token: SeCreatePagefilePrivilege	3420	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3420	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 2296	3420	Process not Found	89
PID 3420 wrote to memory of 2296	3420	Process not Found	89
PID 3420 wrote to memory of 4964	3420	Process not Found	90
PID 3420 wrote to memory of 4964	3420	Process not Found	90
PID 3420 wrote to memory of 2016	3420	Process not Found	93
PID 3420 wrote to memory of 2016	3420	Process not Found	93
PID 3420 wrote to memory of 348	3420	Process not Found	94
PID 3420 wrote to memory of 348	3420	Process not Found	94
PID 3420 wrote to memory of 1272	3420	Process not Found	95
PID 3420 wrote to memory of 1272	3420	Process not Found	95
PID 3420 wrote to memory of 3192	3420	Process not Found	96
PID 3420 wrote to memory of 3192	3420	Process not Found	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\563694b5b3e24156272e80505a060dfb_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:2296

C:\Users\Admin\AppData\Local\8up\perfmon.exe
C:\Users\Admin\AppData\Local\8up\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4964

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:2016

C:\Users\Admin\AppData\Local\RvFD\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\RvFD\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:348

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:1272

C:\Users\Admin\AppData\Local\f4WcRte2C\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\f4WcRte2C\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8up\credui.dll

Filesize
1.2MB

MD5
7f1e8de85f7d7116ccb1e461fe7f2f85

SHA1
9675734c6c9d924a593c3b83d41f2b8d0997755f

SHA256
48d5f0af6a42bbc6d576068033e855f8c81583d8466719139d6abb654111cc84

SHA512
e706c34f55da3f2a999a92f02ba008c9800cc4b4be6abd0c6e63b59d3ea84c45b6da2c66ff89a0f11898b62078e688915641b79f73756fb70c66217b173cdcef

Download Submit
C:\Users\Admin\AppData\Local\8up\perfmon.exe

Filesize
177KB

MD5
d38aa59c3bea5456bd6f95c73ad3c964

SHA1
40170eab389a6ba35e949f9c92962646a302d9ef

SHA256
5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

SHA512
59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

Download Submit
C:\Users\Admin\AppData\Local\RvFD\CameraSettingsUIHost.exe

Filesize
31KB

MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
C:\Users\Admin\AppData\Local\RvFD\DUI70.dll

Filesize
1.5MB

MD5
ea8899bc4eb70c2053137fa1038e5336

SHA1
e2b9b512fa6439342405ff186bfd469a1bc58898

SHA256
fd232ac68401db20ed1da991b575695da80ab6449997baebdf0a1c2ad5beb6c3

SHA512
2f85f7a20c31e01954056e8d6ec804a50baa23f4209e843dde4135d7a4c98f6202dd7b795435c2e06b39e5253d2a78f58b1fd3b66ec03ac8ecfe12f2b4ef544c

Download Submit
C:\Users\Admin\AppData\Local\f4WcRte2C\EhStorAuthn.exe

Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\f4WcRte2C\UxTheme.dll

Filesize
1.2MB

MD5
5af1ab71c6b5836db7d45ccf6de06411

SHA1
e125ac7141267f568f88443817f112557992094a

SHA256
9ac6f80634d22e14af3928f9bef4ce14a959a1a9ec52881bc299ee76fc5fa131

SHA512
02d786d81ec0b98a1d25ce39b2750e4d5d448314022954911ad76ae9a6f11d40f8bf8ee22a20ecda30944c45deac8f992e570370f2157420a263b15ede96160e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ggpqvgel.lnk

Filesize
1KB

MD5
c9cb56b6e6ddf9eda3335130b5dffe29

SHA1
087cae6639dad20849c5275ae896612b29cbb644

SHA256
a477c210bbc2084f14a59951540fd688b6796fbfd793dda8320a2625758e0342

SHA512
aea78ed57496cc82f687ada3c3520271faea71c6aeaa0ff413128714ab48ad2671dd039efdf325638969107c5ce1d49066793468b63a9c807b3ca3cb86248cc9

Download Submit
memory/348-95-0x000001D356FE0000-0x000001D356FE7000-memory.dmp

Filesize
28KB

Download
memory/348-92-0x0000000140000000-0x0000000140181000-memory.dmp

Filesize
1.5MB

Download
memory/1568-44-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/1568-3-0x00000000021A0000-0x00000000021A7000-memory.dmp

Filesize
28KB

Download
memory/1568-1-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3192-114-0x000001A611D30000-0x000001A611D37000-memory.dmp

Filesize
28KB

Download
memory/3420-27-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-18-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-45-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-43-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-42-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-41-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-40-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-39-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-37-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-36-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-35-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-34-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-33-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-32-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-30-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-29-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-28-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-63-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-26-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-25-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-24-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-23-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-22-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-21-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-19-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-61-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-16-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-15-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-13-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-12-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-10-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-9-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-8-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-7-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-6-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-38-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-31-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-20-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-17-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-4-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/3420-11-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-69-0x0000000000800000-0x0000000000807000-memory.dmp

Filesize
28KB

Download
memory/3420-70-0x00007FFAED17A000-0x00007FFAED17B000-memory.dmp

Filesize
4KB

Download
memory/3420-71-0x00007FFAED340000-0x00007FFAED350000-memory.dmp

Filesize
64KB

Download
memory/3420-52-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3420-14-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/4964-80-0x000001B441CD0000-0x000001B441CD7000-memory.dmp

Filesize
28KB

Download
memory/4964-81-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/4964-75-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download