dridex | 723519dfffc2771cf0f37492379c8d64abc5744b91118f8cac3ea792273fb2b3

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11157abacceb621b196ead613c8629f3_JaffaCakes118.dll
Size

1.2MB
MD5

11157abacceb621b196ead613c8629f3
SHA1

5d1e650acd82a4c5f55dfce2f3ed03c94efb1078
SHA256

723519dfffc2771cf0f37492379c8d64abc5744b91118f8cac3ea792273fb2b3
SHA512

11768525b7e9865cce1ba0d371f19de9ae7111f271b3065a371ea1e9e9581641f1d42df5fc760ed9dd4d08030cd7b4649e4009d0c201b4ed5a4d690df3335485
SSDEEP

24576:0uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:s9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3528-4-0x0000000002870000-0x0000000002871000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4236	dpapimig.exe
1456	LicensingUI.exe
3232	DisplaySwitch.exe

Loads dropped DLL 3 IoCs

pid	Process
4236	dpapimig.exe
1456	LicensingUI.exe
3232	DisplaySwitch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3089151618-2647890268-2710988337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Apmppbkgasojkwm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\Rkgx\\LicensingUI.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LicensingUI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3320	rundll32.exe
3320	rundll32.exe
3320	rundll32.exe
3320	rundll32.exe
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found
3528	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 3692	3528	Process not Found	84
PID 3528 wrote to memory of 3692	3528	Process not Found	84
PID 3528 wrote to memory of 4236	3528	Process not Found	85
PID 3528 wrote to memory of 4236	3528	Process not Found	85
PID 3528 wrote to memory of 4092	3528	Process not Found	86
PID 3528 wrote to memory of 4092	3528	Process not Found	86
PID 3528 wrote to memory of 1456	3528	Process not Found	87
PID 3528 wrote to memory of 1456	3528	Process not Found	87
PID 3528 wrote to memory of 1476	3528	Process not Found	88
PID 3528 wrote to memory of 1476	3528	Process not Found	88
PID 3528 wrote to memory of 3232	3528	Process not Found	89
PID 3528 wrote to memory of 3232	3528	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11157abacceb621b196ead613c8629f3_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3320

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:3692

C:\Users\Admin\AppData\Local\Ie4Nf\dpapimig.exe
C:\Users\Admin\AppData\Local\Ie4Nf\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4236

C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
1⤵
PID:4092

C:\Users\Admin\AppData\Local\uVAjJPBO\LicensingUI.exe
C:\Users\Admin\AppData\Local\uVAjJPBO\LicensingUI.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1456

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:1476

C:\Users\Admin\AppData\Local\pcI\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\pcI\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ie4Nf\DUI70.dll

Filesize
1.4MB

MD5
5d8abc73b926cea2b0b54cb640f7a140

SHA1
15d61407b3f58fbdf29469bb2bd68ef89097b64e

SHA256
7c115a1394d4f7c958fb74f9b5ed27780a59b7b9cfddb1a56e4efd01bfaeccfe

SHA512
bbfc5a5d473daa5561ecd2467f74acbbecaee07a9b0a3f272f2d90c7db5eac422c5516f4a2bd92d4711acbcfbe1ea3637013dfafa2953814961e29e878fccece

Download Submit
C:\Users\Admin\AppData\Local\Ie4Nf\dpapimig.exe

Filesize
76KB

MD5
b6d6477a0c90a81624c6a8548026b4d0

SHA1
e6eac6941d27f76bbd306c2938c0a962dbf1ced1

SHA256
a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

SHA512
72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

Download Submit
C:\Users\Admin\AppData\Local\pcI\DisplaySwitch.exe

Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Local\pcI\WINSTA.dll

Filesize
1.2MB

MD5
02da0e9bf175b1509905c1dbe8aa07df

SHA1
aa64b67b6732d52f26dd6f3a32946d800b2d698d

SHA256
44a1fe6965a457181e6a2a2856685dd07ef2578f35da49aeace3641ba3b91479

SHA512
2aa63ed33c959c9bbd8ad08aec3e9b58a55ad858e6bc6b9b63daed6de2cdb33d3081d324554642d55708b8885c4f1c000216960680836555a2c622d1520f6785

Download Submit
C:\Users\Admin\AppData\Local\uVAjJPBO\DUI70.dll

Filesize
1.4MB

MD5
70e6b646374e672a95af5f7c87d2c237

SHA1
fb0fb9a5ae755355dfda63cfcf5802c4b745ce8d

SHA256
a0fb74ef70d709cd46f76a5478674748282b4a9b84dcd0e9e989ee8b93840fb6

SHA512
ba12ae3728f7b701fcb0facea5618f781d16f582bdbec0427ae3e012c7cd5f15abc8088ec80a16691508797a1ba19c7873e7d549f55d3f7de80f5e64656e0698

Download Submit
C:\Users\Admin\AppData\Local\uVAjJPBO\LicensingUI.exe

Filesize
142KB

MD5
8b4abc637473c79a003d30bb9c7a05e5

SHA1
d1cab953c16d4fdec2b53262f56ac14a914558ca

SHA256
0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

SHA512
5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ojzvdc.lnk

Filesize
1KB

MD5
f24b589796774bd12d134a6ebae1202a

SHA1
6b92ae9f5f7d3e75db9558954d273e9272686d41

SHA256
31967bd9b545207b0087f4d2373dd23d3744cdc2ec4fe9f764947661dcca3efd

SHA512
913bfb0e84dda8d1089fdbf4e307e11491b35781a187a44fdc9438d4da254e85d50816080c3963076e4c9b964add4ac20d27f78ae33853b829119ecc0c048bc2

Download Submit
memory/1456-68-0x00007FFAA93D0000-0x00007FFAA9547000-memory.dmp

Filesize
1.5MB

Download
memory/1456-65-0x000001D894CE0000-0x000001D894CE7000-memory.dmp

Filesize
28KB

Download
memory/3232-79-0x00007FFAA9410000-0x00007FFAA9543000-memory.dmp

Filesize
1.2MB

Download
memory/3232-82-0x0000013E89970000-0x0000013E89977000-memory.dmp

Filesize
28KB

Download
memory/3232-85-0x00007FFAA9410000-0x00007FFAA9543000-memory.dmp

Filesize
1.2MB

Download
memory/3320-0-0x00000210D00B0000-0x00000210D00B7000-memory.dmp

Filesize
28KB

Download
memory/3320-38-0x00007FFAAD7E0000-0x00007FFAAD911000-memory.dmp

Filesize
1.2MB

Download
memory/3320-1-0x00007FFAAD7E0000-0x00007FFAAD911000-memory.dmp

Filesize
1.2MB

Download
memory/3528-26-0x00007FFAB6DBA000-0x00007FFAB6DBB000-memory.dmp

Filesize
4KB

Download
memory/3528-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3528-35-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3528-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3528-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3528-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3528-4-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/3528-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3528-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3528-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3528-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3528-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3528-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3528-27-0x0000000000A20000-0x0000000000A27000-memory.dmp

Filesize
28KB

Download
memory/3528-28-0x00007FFAB7C30000-0x00007FFAB7C40000-memory.dmp

Filesize
64KB

Download
memory/3528-23-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4236-51-0x00007FFAA93D0000-0x00007FFAA9547000-memory.dmp

Filesize
1.5MB

Download
memory/4236-46-0x00007FFAA93D0000-0x00007FFAA9547000-memory.dmp

Filesize
1.5MB

Download
memory/4236-45-0x000001575E420000-0x000001575E427000-memory.dmp

Filesize
28KB

Download