dridex | bb2072b180f158e3c9473af4d94abe6989741d81f72861e4230c35ca2cb04b04

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f7a623c394f68d9d01256a739dc60b8_JaffaCakes118.dll
Size

816KB
MD5

6f7a623c394f68d9d01256a739dc60b8
SHA1

80236913566d2427f3f39e866340434ba501726b
SHA256

bb2072b180f158e3c9473af4d94abe6989741d81f72861e4230c35ca2cb04b04
SHA512

fbc4702c4005335ab90a6f038d92947050d5626c5560b40ce6bfc07bc1ccd9fe7927879de97717a294349124a37517f4f22850ffb82f42479aedb1eeb56d38e5
SSDEEP

12288:zdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:BMIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3468-3-0x0000000008940000-0x0000000008941000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/2028-0-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral2/memory/3468-57-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral2/memory/3468-46-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral2/memory/2028-60-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload
behavioral2/memory/4540-67-0x0000000140000000-0x00000001400CD000-memory.dmp	dridex_payload
behavioral2/memory/4540-72-0x0000000140000000-0x00000001400CD000-memory.dmp	dridex_payload
behavioral2/memory/3656-84-0x000001D289E90000-0x000001D289F5D000-memory.dmp	dridex_payload
behavioral2/memory/3656-89-0x000001D289E90000-0x000001D289F5D000-memory.dmp	dridex_payload
behavioral2/memory/1452-100-0x0000000140000000-0x0000000140112000-memory.dmp	dridex_payload
behavioral2/memory/1452-104-0x0000000140000000-0x0000000140112000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
4540	omadmclient.exe
3656	ie4uinit.exe
1452	systemreset.exe

Loads dropped DLL 4 IoCs

pid	Process
4540	omadmclient.exe
3656	ie4uinit.exe
3656	ie4uinit.exe
1452	systemreset.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ghvkd = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\fkTcSv\\ie4uinit.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4uinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3468	Process not Found
3468	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3468	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 2936	3468	Process not Found	95
PID 3468 wrote to memory of 2936	3468	Process not Found	95
PID 3468 wrote to memory of 4540	3468	Process not Found	96
PID 3468 wrote to memory of 4540	3468	Process not Found	96
PID 3468 wrote to memory of 4356	3468	Process not Found	97
PID 3468 wrote to memory of 4356	3468	Process not Found	97
PID 3468 wrote to memory of 3656	3468	Process not Found	98
PID 3468 wrote to memory of 3656	3468	Process not Found	98
PID 3468 wrote to memory of 5028	3468	Process not Found	99
PID 3468 wrote to memory of 5028	3468	Process not Found	99
PID 3468 wrote to memory of 1452	3468	Process not Found	100
PID 3468 wrote to memory of 1452	3468	Process not Found	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f7a623c394f68d9d01256a739dc60b8_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:2936

C:\Users\Admin\AppData\Local\GBt\omadmclient.exe
C:\Users\Admin\AppData\Local\GBt\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4540

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:4356

C:\Users\Admin\AppData\Local\Cqi1g\ie4uinit.exe
C:\Users\Admin\AppData\Local\Cqi1g\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3656

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:5028

C:\Users\Admin\AppData\Local\Eb7b\systemreset.exe
C:\Users\Admin\AppData\Local\Eb7b\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Cqi1g\VERSION.dll

Filesize
820KB

MD5
d74a35e904bbeb5c691077573b526047

SHA1
4c7b2ea66baf43e4b01e61ce2ab401c8194623fb

SHA256
6a4f70a767972a787a1f0fb017d2dc60ee16d4f953094b9dcd43570ae25aa680

SHA512
086c9e052fb62e879fd22abb8478522fbe1a3f0c411fa13de34530a0f865c28d772740afeefb93fde5f97b4d69bd00c5e144ccfb091ed45140fd98846c3dff9d

Download Submit
C:\Users\Admin\AppData\Local\Cqi1g\ie4uinit.exe

Filesize
262KB

MD5
a2f0104edd80ca2c24c24356d5eacc4f

SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56

SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

Download Submit
C:\Users\Admin\AppData\Local\Eb7b\DUI70.dll

Filesize
1.1MB

MD5
0d272adca3eceb60b83b81e2f23c578d

SHA1
d327d8a3f98a3fe439d3bccd386c3907d3dfa2a3

SHA256
442c8d41dd05eebc5cb20479a07ff5225cc738d8ac71ffe8ff2ae85ef468b467

SHA512
6f91aeb8ff7fbbac116b270d159a0aeb04c2924d0b3182a7bb96c9466ebe5c097f20d892cd1f6d3d7b7d48f894660b54e1b7a3a57bbbb99dc3c9af241f023dba

Download Submit
C:\Users\Admin\AppData\Local\Eb7b\systemreset.exe

Filesize
508KB

MD5
325ff647506adb89514defdd1c372194

SHA1
84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

SHA256
ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

SHA512
8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

Download Submit
C:\Users\Admin\AppData\Local\GBt\XmlLite.dll

Filesize
820KB

MD5
27942e520cbe63851928aaddbf2fda5e

SHA1
18acb6aff6ce4d38db0bf915836e595604d16195

SHA256
1091968093deaab610532c3e0aaed71733f65997d8da0e93e4fb389e82a5b024

SHA512
3bf526b5cedaeb9789f84cc00364afec269812b4cb17dd24e20e3e5b498ff4ac9ea7a950dff0f3d3bfa3903980f41c3c3de3f3b0335abed6579b5122fb24b20d

Download Submit
C:\Users\Admin\AppData\Local\GBt\omadmclient.exe

Filesize
425KB

MD5
8992b5b28a996eb83761dafb24959ab4

SHA1
697ecb33b8ff5b0e73ef29ce471153b368b1b729

SHA256
e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

SHA512
4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pxpploirwyf.lnk

Filesize
1KB

MD5
3317085d556f23942cb075bb04ca63f0

SHA1
b3307f9f89e5e4160593c4983afc1de8a7f2e84a

SHA256
be0137b442b6f7d78dd59a9ba0e29aed7ecc184aa4a9c1e25a2338f47c22493e

SHA512
e8dfb911ac3a20c5ed0cdae6ffd026f1490bd387d7d16b805dcbcbb1287992eb2463c6eade6d43eaac7dedf160ec0eadd3b64a337e46b65c9e607d16b32d58f7

Download Submit
memory/1452-104-0x0000000140000000-0x0000000140112000-memory.dmp

Filesize
1.1MB

Download
memory/1452-100-0x0000000140000000-0x0000000140112000-memory.dmp

Filesize
1.1MB

Download
memory/2028-0-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/2028-2-0x000001A58C220000-0x000001A58C227000-memory.dmp

Filesize
28KB

Download
memory/2028-60-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-33-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-8-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-35-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-32-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-31-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-29-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-28-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-27-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-26-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-25-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-24-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-22-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-21-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-20-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-18-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-17-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-16-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-15-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-14-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-13-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-12-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-11-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-9-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-34-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-7-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-30-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-6-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-23-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-5-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-46-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-47-0x00007FFCC8620000-0x00007FFCC8630000-memory.dmp

Filesize
64KB

Download
memory/3468-48-0x00007FFCC8610000-0x00007FFCC8620000-memory.dmp

Filesize
64KB

Download
memory/3468-3-0x0000000008940000-0x0000000008941000-memory.dmp

Filesize
4KB

Download
memory/3468-10-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-19-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-57-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-44-0x00007FFCC71CA000-0x00007FFCC71CB000-memory.dmp

Filesize
4KB

Download
memory/3468-36-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/3468-45-0x0000000008500000-0x0000000008507000-memory.dmp

Filesize
28KB

Download
memory/3656-89-0x000001D289E90000-0x000001D289F5D000-memory.dmp

Filesize
820KB

Download
memory/3656-86-0x000001D289D70000-0x000001D289D77000-memory.dmp

Filesize
28KB

Download
memory/3656-84-0x000001D289E90000-0x000001D289F5D000-memory.dmp

Filesize
820KB

Download
memory/4540-72-0x0000000140000000-0x00000001400CD000-memory.dmp

Filesize
820KB

Download
memory/4540-69-0x000002D1B4AC0000-0x000002D1B4AC7000-memory.dmp

Filesize
28KB

Download
memory/4540-67-0x0000000140000000-0x00000001400CD000-memory.dmp

Filesize
820KB

Download