dridex | 7e33cdea0bbc985977bc213b140f31ca542a35ed3d3b2f7d69bf52d691776039

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07a9c9069fed354bde90b7a3483fe350_JaffaCakes118.dll
Size

1.2MB
MD5

07a9c9069fed354bde90b7a3483fe350
SHA1

859af6f560ebc2bf44d5c61c517dfa89141c924b
SHA256

7e33cdea0bbc985977bc213b140f31ca542a35ed3d3b2f7d69bf52d691776039
SHA512

5cb95b1b195b0594f34c1736036498457ad1eb2ee772d415dc14461ed92c0dfb801e012da9a4f758085e5cdbe1cc8c89f20aa6ed4c5147b3fd2384de013be885
SSDEEP

24576:muYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:G9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3476-4-0x0000000007840000-0x0000000007841000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3508	sigverif.exe
716	Dxpserver.exe
2448	PasswordOnWakeSettingFlyout.exe

Loads dropped DLL 3 IoCs

pid	Process
3508	sigverif.exe
716	Dxpserver.exe
2448	PasswordOnWakeSettingFlyout.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsgtjspwhizloud = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\pjMf8\\Dxpserver.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PasswordOnWakeSettingFlyout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3344	rundll32.exe
3344	rundll32.exe
3344	rundll32.exe
3344	rundll32.exe
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3476	Process not Found
3476	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3476	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 1632	3476	Process not Found	95
PID 3476 wrote to memory of 1632	3476	Process not Found	95
PID 3476 wrote to memory of 3508	3476	Process not Found	96
PID 3476 wrote to memory of 3508	3476	Process not Found	96
PID 3476 wrote to memory of 1668	3476	Process not Found	97
PID 3476 wrote to memory of 1668	3476	Process not Found	97
PID 3476 wrote to memory of 716	3476	Process not Found	98
PID 3476 wrote to memory of 716	3476	Process not Found	98
PID 3476 wrote to memory of 2628	3476	Process not Found	99
PID 3476 wrote to memory of 2628	3476	Process not Found	99
PID 3476 wrote to memory of 2448	3476	Process not Found	100
PID 3476 wrote to memory of 2448	3476	Process not Found	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\07a9c9069fed354bde90b7a3483fe350_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3344

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:1632

C:\Users\Admin\AppData\Local\VA1SVLZ\sigverif.exe
C:\Users\Admin\AppData\Local\VA1SVLZ\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3508

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:1668

C:\Users\Admin\AppData\Local\ksutV\Dxpserver.exe
C:\Users\Admin\AppData\Local\ksutV\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:716

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
1⤵
PID:2628

C:\Users\Admin\AppData\Local\hDxBmkr\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\hDxBmkr\PasswordOnWakeSettingFlyout.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\VA1SVLZ\VERSION.dll

Filesize
1.2MB

MD5
510518a688f22c9d8a968183bcb6937a

SHA1
b99cc6ca104e97b503b1b3dbe3025fc652f46a14

SHA256
b3998448ec43ed0623bf8f64017a87179aa65cf95902c9001740facf009f5b78

SHA512
fee200b78ed4850e8b8914671afaf1b76619eff9c8c29b036b20fd97a49074031730ab9059e68bfa3e47de7ecec48dfc1685ae0af4bf8cd0968b228f297c838a

Download Submit
C:\Users\Admin\AppData\Local\VA1SVLZ\sigverif.exe

Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Local\hDxBmkr\PasswordOnWakeSettingFlyout.exe

Filesize
44KB

MD5
591a98c65f624c52882c2b238d6cd4c4

SHA1
c960d08c19d777069cf265dcc281807fbd8502d7

SHA256
5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

SHA512
1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

Download Submit
C:\Users\Admin\AppData\Local\hDxBmkr\UxTheme.dll

Filesize
1.2MB

MD5
17034163021c1f3089163bb082dd2709

SHA1
fe573916f584774a242f36d05045ab2d3d6fdca1

SHA256
5f7e5e7866edf7a11ac52f86d8f9b078bef6b7de0b5ae6c2b69c3e30f8c72fba

SHA512
bf8459863911a18aa3381d194a1a053fac44c27efc14cd936554fdb621515ed466a1ea52b71a4c82a743d2496fcec7c70ef5beed546385acc9c8e694b331f535

Download Submit
C:\Users\Admin\AppData\Local\ksutV\Dxpserver.exe

Filesize
310KB

MD5
6344f1a7d50da5732c960e243c672165

SHA1
b6d0236f79d4f988640a8445a5647aff5b5410f7

SHA256
b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

SHA512
73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

Download Submit
C:\Users\Admin\AppData\Local\ksutV\XmlLite.dll

Filesize
1.2MB

MD5
eaa84f6bcce9492e021cee2355834dad

SHA1
2d48bc079a8c9acb6648af9def05099ae3818c20

SHA256
66ac7c1a1058fe79db61b8755772e77babf6258326b40dbc19496369864c0111

SHA512
580a32e1e7f50d0bf38976e0417a5a34bd6f962423049cd0c0c4fc6223c833c5fa1f802d486c48d2e52365e5e35fd3a147ccb04a503f4f2b43c77684f9d6a57d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Txrhelfambrw.lnk

Filesize
1KB

MD5
ebc3c6869ecd4c3c129107f979f5f4ee

SHA1
34da365c983a5af2c9610b1659a2765a5e6b66c1

SHA256
c043a2163e675ef089247890b105bafd01a556972085d32a0dfc2f9e1e10ed31

SHA512
2d2e5b163d0bb72881eae496fc536931b01195a9a356ec88c334905f2ff1cb0b55efe10ef2f404f322bd40a6be927f327ae3036be76a0168c34b1d8d3332d5e0

Download Submit
memory/716-63-0x00000166C4110000-0x00000166C4117000-memory.dmp

Filesize
28KB

Download
memory/716-69-0x00007FFE951D0000-0x00007FFE95302000-memory.dmp

Filesize
1.2MB

Download
memory/2448-80-0x00007FFE95020000-0x00007FFE95152000-memory.dmp

Filesize
1.2MB

Download
memory/2448-83-0x0000025C77260000-0x0000025C77267000-memory.dmp

Filesize
28KB

Download
memory/2448-86-0x00007FFE95020000-0x00007FFE95152000-memory.dmp

Filesize
1.2MB

Download
memory/3344-0-0x00000255C3390000-0x00000255C3397000-memory.dmp

Filesize
28KB

Download
memory/3344-1-0x00007FFEA4A20000-0x00007FFEA4B51000-memory.dmp

Filesize
1.2MB

Download
memory/3344-39-0x00007FFEA4A20000-0x00007FFEA4B51000-memory.dmp

Filesize
1.2MB

Download
memory/3476-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-36-0x00007FFEB302A000-0x00007FFEB302B000-memory.dmp

Filesize
4KB

Download
memory/3476-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-4-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/3476-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-37-0x0000000007820000-0x0000000007827000-memory.dmp

Filesize
28KB

Download
memory/3476-33-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3476-38-0x00007FFEB36F0000-0x00007FFEB3700000-memory.dmp

Filesize
64KB

Download
memory/3508-52-0x00007FFE951D0000-0x00007FFE95302000-memory.dmp

Filesize
1.2MB

Download
memory/3508-49-0x000001FD14D00000-0x000001FD14D07000-memory.dmp

Filesize
28KB

Download
memory/3508-46-0x00007FFE951D0000-0x00007FFE95302000-memory.dmp

Filesize
1.2MB

Download