dridex | 501fed924342c7023015068c2dc4317c7f23a301ac6d62442880dfa0afda68d6

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b619456f28686f6e8a7626fe7b24a57_JaffaCakes118.dll
Size

1.2MB
MD5

2b619456f28686f6e8a7626fe7b24a57
SHA1

64bf0dee2bbe9994547303b29d6725536ccf6b04
SHA256

501fed924342c7023015068c2dc4317c7f23a301ac6d62442880dfa0afda68d6
SHA512

92a1882ff972e34da28be4e115ab349ae9cf85519266a26def634d0eade600d2fb900dabd494956ab620aa0ec056fc58b07f0bfa509e373888655a1d801a14aa
SSDEEP

24576:WuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:W9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3412-4-0x0000000002A90000-0x0000000002A91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4412	sigverif.exe
4036	iexpress.exe
1824	recdisc.exe

Loads dropped DLL 3 IoCs

pid	Process
4412	sigverif.exe
4036	iexpress.exe
1824	recdisc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ahvkwrxhngjqh = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\SMARTA~1\\R6BrEt\\iexpress.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3412	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 1616	3412	Process not Found	84
PID 3412 wrote to memory of 1616	3412	Process not Found	84
PID 3412 wrote to memory of 4412	3412	Process not Found	85
PID 3412 wrote to memory of 4412	3412	Process not Found	85
PID 3412 wrote to memory of 3972	3412	Process not Found	86
PID 3412 wrote to memory of 3972	3412	Process not Found	86
PID 3412 wrote to memory of 4036	3412	Process not Found	87
PID 3412 wrote to memory of 4036	3412	Process not Found	87
PID 3412 wrote to memory of 3084	3412	Process not Found	88
PID 3412 wrote to memory of 3084	3412	Process not Found	88
PID 3412 wrote to memory of 1824	3412	Process not Found	89
PID 3412 wrote to memory of 1824	3412	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b619456f28686f6e8a7626fe7b24a57_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1560

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:1616

C:\Users\Admin\AppData\Local\bVb6N\sigverif.exe
C:\Users\Admin\AppData\Local\bVb6N\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4412

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:3972

C:\Users\Admin\AppData\Local\HzfA\iexpress.exe
C:\Users\Admin\AppData\Local\HzfA\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4036

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:3084

C:\Users\Admin\AppData\Local\qAdqy8lP\recdisc.exe
C:\Users\Admin\AppData\Local\qAdqy8lP\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HzfA\VERSION.dll

Filesize
1.2MB

MD5
95b23fa4a35c5ca5417501e700c4fe42

SHA1
4a6ca062b3b74d6c1133576fcde8de02d4e30570

SHA256
58e2afca29fd78e0c22df4b9e022c595d2d049ab494fb7078c3ea34c94c20d87

SHA512
868864b8331840257ebbb289f0d4f12405ecc637bbb6abdef9d1b9c626b7c7a747aaa30156a3cb37032d0107f9bee53ae6d9206c63e4edd1b51d1daee70eeb21

Download Submit
C:\Users\Admin\AppData\Local\HzfA\iexpress.exe

Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Local\bVb6N\VERSION.dll

Filesize
1.2MB

MD5
55189a5d2ec91aadbd07a9feddc09b9c

SHA1
f79e8eca6826abe1d7afa300cb50e62ca6e45359

SHA256
d45e572ca0dc4e3fd3501423b6d848bbfedd1a3f6f68eaf85610b8f2796a4949

SHA512
2da248ff0fe19855b9281fa73be546370fcbf4e31c130fae9fc5bfdaca7597df1df49fe4db0a871c232a072e5cba9c91c208969b9a8089dc03f996c39ef9e067

Download Submit
C:\Users\Admin\AppData\Local\bVb6N\sigverif.exe

Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Local\qAdqy8lP\ReAgent.dll

Filesize
1.2MB

MD5
3dc77b51d7ad0e544681c9e50a934ff3

SHA1
f94719cd7379b89520b60b8a25628de8e3048f2d

SHA256
4096e22d1b3caa135b0ced5de65852bb6d9a5f8653a9b81dee3a2ac47c7ae85e

SHA512
aeb337e5b1ea723a38e9a0b7dc7e2c236a2faf0035de1a211529a00d629957207afcd2ad1c640f24a620eebf5f14314afbbbfc3e548c8ecfd03dbf653c157506

Download Submit
C:\Users\Admin\AppData\Local\qAdqy8lP\recdisc.exe

Filesize
193KB

MD5
18afee6824c84bf5115bada75ff0a3e7

SHA1
d10f287a7176f57b3b2b315a5310d25b449795aa

SHA256
0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

SHA512
517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arrotspbllekcvw.lnk

Filesize
1KB

MD5
c215487a434ebe7a5d06dd3c72e26f48

SHA1
c9a885d2181bc6014b4213c831506238a1759f6e

SHA256
f8abc56f62b180375e6447e00d9f0e0155ab328ac6bcc3cea43cf02c399ed84a

SHA512
cae39fe546ba1b7da8d774fd57bf0955e169dcbe03aabf29d32aa1f8f3919949d9943af7308717ef15b69da4fffe8726040bef3f7ae43092aed7f344a3b63287

Download Submit
memory/1560-1-0x00007FFBDC6D0000-0x00007FFBDC801000-memory.dmp

Filesize
1.2MB

Download
memory/1560-3-0x0000015E20F00000-0x0000015E20F07000-memory.dmp

Filesize
28KB

Download
memory/1560-39-0x00007FFBDC6D0000-0x00007FFBDC801000-memory.dmp

Filesize
1.2MB

Download
memory/1824-86-0x00007FFBDC6D0000-0x00007FFBDC802000-memory.dmp

Filesize
1.2MB

Download
memory/1824-83-0x000001EDE33A0000-0x000001EDE33A7000-memory.dmp

Filesize
28KB

Download
memory/3412-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-33-0x00000000024F0000-0x00000000024F7000-memory.dmp

Filesize
28KB

Download
memory/3412-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-32-0x00007FFBEA8CA000-0x00007FFBEA8CB000-memory.dmp

Filesize
4KB

Download
memory/3412-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-4-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3412-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-34-0x00007FFBEB150000-0x00007FFBEB160000-memory.dmp

Filesize
64KB

Download
memory/3412-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3412-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4036-69-0x00007FFBDC6D0000-0x00007FFBDC802000-memory.dmp

Filesize
1.2MB

Download
memory/4036-66-0x000001FECAFF0000-0x000001FECAFF7000-memory.dmp

Filesize
28KB

Download
memory/4412-52-0x00007FFBDC6D0000-0x00007FFBDC802000-memory.dmp

Filesize
1.2MB

Download
memory/4412-46-0x00007FFBDC6D0000-0x00007FFBDC802000-memory.dmp

Filesize
1.2MB

Download
memory/4412-49-0x0000013E52B20000-0x0000013E52B27000-memory.dmp

Filesize
28KB

Download