dridex | 33dc43b0e4574bbc29a2f77c51fd830184c8b3c2f9ae34c4b9a762e44b8b5b82

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c083f8ebf66a7c0ead55769be9f6585_JaffaCakes118.dll
Size

1.2MB
MD5

2c083f8ebf66a7c0ead55769be9f6585
SHA1

cefc2e8de8b5d48136afb11147374028cac9cddb
SHA256

33dc43b0e4574bbc29a2f77c51fd830184c8b3c2f9ae34c4b9a762e44b8b5b82
SHA512

b3a9c52ca44616593d8a6c72bde20962a20ee71ae0f5c9c886d797d89c5f3dc7d9834865cf829dac10f00dad867d69c8369755fdccaa14d8b8df698dd7963f5b
SSDEEP

24576:guYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:w9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3400-4-0x00000000009B0000-0x00000000009B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3852	MusNotificationUx.exe
4232	dxgiadaptercache.exe
2456	printfilterpipelinesvc.exe

Loads dropped DLL 5 IoCs

pid	Process
3852	MusNotificationUx.exe
4232	dxgiadaptercache.exe
2456	printfilterpipelinesvc.exe
2456	printfilterpipelinesvc.exe
2456	printfilterpipelinesvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zdgdcgkgx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\t0\\DXGIAD~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found
3400	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3400	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 2060	3400	Process not Found	84
PID 3400 wrote to memory of 2060	3400	Process not Found	84
PID 3400 wrote to memory of 3852	3400	Process not Found	85
PID 3400 wrote to memory of 3852	3400	Process not Found	85
PID 3400 wrote to memory of 4048	3400	Process not Found	86
PID 3400 wrote to memory of 4048	3400	Process not Found	86
PID 3400 wrote to memory of 4232	3400	Process not Found	87
PID 3400 wrote to memory of 4232	3400	Process not Found	87
PID 3400 wrote to memory of 2276	3400	Process not Found	88
PID 3400 wrote to memory of 2276	3400	Process not Found	88
PID 3400 wrote to memory of 2456	3400	Process not Found	89
PID 3400 wrote to memory of 2456	3400	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c083f8ebf66a7c0ead55769be9f6585_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3652

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:2060

C:\Users\Admin\AppData\Local\95pX\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\95pX\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3852

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:4048

C:\Users\Admin\AppData\Local\hPCm85\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\hPCm85\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4232

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:2276

C:\Users\Admin\AppData\Local\6IIZAJ1H7\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\6IIZAJ1H7\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6IIZAJ1H7\XmlLite.dll

Filesize
1.2MB

MD5
54416c0ff1109d6ef85832c02ee85ae6

SHA1
d99d2d602b7a09814b834c57f6fd0f064a2dac45

SHA256
a362944ff20c773122ddba5f34354ddc644cc16ea2d534d28ed555c40831f13f

SHA512
2abcbdd643eff4c1bcc600e5734957eb47cd11580b4e3c1f987f1d341a9c803f2f2d882d46af40eaf42b413f0b882784bf33fba1994928357279c23ba42e8c62

Download Submit
C:\Users\Admin\AppData\Local\6IIZAJ1H7\printfilterpipelinesvc.exe

Filesize
813KB

MD5
331a40eabaa5870e316b401bd81c4861

SHA1
ddff65771ca30142172c0d91d5bfff4eb1b12b73

SHA256
105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

SHA512
29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

Download Submit
C:\Users\Admin\AppData\Local\95pX\MusNotificationUx.exe

Filesize
615KB

MD5
869a214114a81712199f3de5d69d9aad

SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f

SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

Download Submit
C:\Users\Admin\AppData\Local\95pX\XmlLite.dll

Filesize
1.2MB

MD5
557dfa5470924c21e4683ea89084d193

SHA1
1592093de0cc30ac5fc84339dd49ba9485ada8bc

SHA256
7e07f0b8678a2b26cee90dfacc98b5ed98ac836bdd68a9eed8a173564ea97b6c

SHA512
b9ad1c87f304394cfddaa2809edeaa8a357765e9094de88cb0aa93f7f21010f1e32036bb5f044f60b8135fa8029ee5faf7f4b13b1974110b6e390033e642fb7a

Download Submit
C:\Users\Admin\AppData\Local\hPCm85\dxgi.dll

Filesize
1.2MB

MD5
d4da42b2a2206b491b6c3b249cf50e48

SHA1
ed70e714cc9fee2182e922baeb6e0dcad2adeade

SHA256
ab729014f4a1033297ea5e223178a9f8200630ea34374e2b176515f790b81db0

SHA512
acb67c76a5500f5eca89740558474077b0b34e6bbb1533a4bb871495b80bb8ac45a73498f0e02cbac85e79c7a6c4577e29aa82e9b9d1762bbc85cbbcfae2cd41

Download Submit
C:\Users\Admin\AppData\Local\hPCm85\dxgiadaptercache.exe

Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ozpfed.lnk

Filesize
1KB

MD5
8784ac5fccdf0f1393c12cc4c80e23bc

SHA1
1372fd8393bd5f08aa06142b03389ee3150e5349

SHA256
1e710f7e99004d704a088843fbce661f2f482dae4707f00bc976ed1afa5e3736

SHA512
9f3c0d23d539d1cb5ee35478c3ec102115760b488445abcbe1bcced3ab89706988a8cf74df7a913062fb6f0d3a1f1a084344081e170709f2820db3b7f30ce7a7

Download Submit
memory/2456-87-0x00007FF93A510000-0x00007FF93A642000-memory.dmp

Filesize
1.2MB

Download
memory/2456-82-0x00007FF93A510000-0x00007FF93A642000-memory.dmp

Filesize
1.2MB

Download
memory/3400-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3400-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3400-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3400-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3400-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3400-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3400-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3400-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3400-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3400-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3400-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3400-32-0x00007FF9457CA000-0x00007FF9457CB000-memory.dmp

Filesize
4KB

Download
memory/3400-33-0x0000000000940000-0x0000000000947000-memory.dmp

Filesize
28KB

Download
memory/3400-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3400-34-0x00007FF945B70000-0x00007FF945B80000-memory.dmp

Filesize
64KB

Download
memory/3400-4-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3400-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3652-3-0x00000199E9B70000-0x00000199E9B77000-memory.dmp

Filesize
28KB

Download
memory/3652-39-0x00007FF93A550000-0x00007FF93A681000-memory.dmp

Filesize
1.2MB

Download
memory/3652-0-0x00007FF93A550000-0x00007FF93A681000-memory.dmp

Filesize
1.2MB

Download
memory/3852-49-0x000001DE4E9B0000-0x000001DE4E9B7000-memory.dmp

Filesize
28KB

Download
memory/3852-52-0x00007FF936E50000-0x00007FF936F82000-memory.dmp

Filesize
1.2MB

Download
memory/3852-46-0x00007FF936E50000-0x00007FF936F82000-memory.dmp

Filesize
1.2MB

Download
memory/4232-69-0x00007FF93A550000-0x00007FF93A682000-memory.dmp

Filesize
1.2MB

Download
memory/4232-64-0x00007FF93A550000-0x00007FF93A682000-memory.dmp

Filesize
1.2MB

Download
memory/4232-63-0x000001A463050000-0x000001A463057000-memory.dmp

Filesize
28KB

Download