dridex | 1c96cd76a5127c8080f7a82d9d488dcb7914d8f412ae35a26c6ba45216e60d6c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
28/07/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

144023104c70b0a9aa922598713dc3ff_JaffaCakes118.dll
Size

1.2MB
MD5

144023104c70b0a9aa922598713dc3ff
SHA1

85f48200ea9ff6a73c6ae805a8f3533a1197431e
SHA256

1c96cd76a5127c8080f7a82d9d488dcb7914d8f412ae35a26c6ba45216e60d6c
SHA512

b6b501105c3411e120cc9786840248f7dfecc24325e8c74b6c2434f4340aa26a4925ee81faa9e3e64fe88e29c4b5bb7a5f3820ea9d0f7a829fa37e4ff6378069
SSDEEP

24576:LuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:V9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3432-4-0x0000000000930000-0x0000000000931000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3868	SysResetErr.exe
1480	wbengine.exe
2280	bdeunlock.exe

Loads dropped DLL 3 IoCs

pid	Process
3868	SysResetErr.exe
1480	wbengine.exe
2280	bdeunlock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bapkbs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\ito8kV\\wbengine.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wbengine.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3952	rundll32.exe
3952	rundll32.exe
3952	rundll32.exe
3952	rundll32.exe
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 1680	3432	Process not Found	84
PID 3432 wrote to memory of 1680	3432	Process not Found	84
PID 3432 wrote to memory of 3868	3432	Process not Found	85
PID 3432 wrote to memory of 3868	3432	Process not Found	85
PID 3432 wrote to memory of 4640	3432	Process not Found	86
PID 3432 wrote to memory of 4640	3432	Process not Found	86
PID 3432 wrote to memory of 1480	3432	Process not Found	87
PID 3432 wrote to memory of 1480	3432	Process not Found	87
PID 3432 wrote to memory of 4312	3432	Process not Found	88
PID 3432 wrote to memory of 4312	3432	Process not Found	88
PID 3432 wrote to memory of 2280	3432	Process not Found	89
PID 3432 wrote to memory of 2280	3432	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\144023104c70b0a9aa922598713dc3ff_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3952

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:1680

C:\Users\Admin\AppData\Local\XAd\SysResetErr.exe
C:\Users\Admin\AppData\Local\XAd\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3868

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:4640

C:\Users\Admin\AppData\Local\NpTv\wbengine.exe
C:\Users\Admin\AppData\Local\NpTv\wbengine.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1480

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:4312

C:\Users\Admin\AppData\Local\T10GY\bdeunlock.exe
C:\Users\Admin\AppData\Local\T10GY\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NpTv\XmlLite.dll

Filesize
1.2MB

MD5
43872d3fadd5352103287eeccd7e3135

SHA1
0fb707749805f7ceb259decb348de5ce4aa1eb4a

SHA256
e11e03e6fb44a22ea265cdcd921f9f6e8e64d328d7d1585778d25b1c45cff9f9

SHA512
0c62383e8f0eca483b25acd41647e9f529f9154fbb40ee92838a5d654f6ed666711f57dcbf173694f6677ba5041779a0766b4d1c5d1b04fab091c3178ac4bdf1

Download Submit
C:\Users\Admin\AppData\Local\NpTv\wbengine.exe

Filesize
1.5MB

MD5
17270a354a66590953c4aac1cf54e507

SHA1
715babcc8e46b02ac498f4f06df7937904d9798d

SHA256
9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

SHA512
6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

Download Submit
C:\Users\Admin\AppData\Local\T10GY\DUser.dll

Filesize
1.2MB

MD5
a84d4c91e6ffaafb46a63d6df5b9e8e2

SHA1
0eced520d5e022330537b94c92c13dfe57a507d6

SHA256
8a15863b04219f42f8d30036d43c6bc112a9383d82707264a2de33eaf94d7cb9

SHA512
382f8f1a1ea138a8e2b25afc62bb19275718469b4fea48a517eb00ddd2ddadbebca61db4c7183c15394cd75334ac5e7492d5524e9ad753a35e887857ac0df4ff

Download Submit
C:\Users\Admin\AppData\Local\T10GY\bdeunlock.exe

Filesize
279KB

MD5
fef5d67150c249db3c1f4b30a2a5a22e

SHA1
41ca037b0229be9338da4d78244b4f0ea5a3d5f3

SHA256
dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

SHA512
4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Download Submit
C:\Users\Admin\AppData\Local\XAd\DUI70.dll

Filesize
1.4MB

MD5
467b5d3f5e26401090a234480ad17783

SHA1
c92e0c2b8658c9fc332dc566adc005cdd7cde5df

SHA256
2c6283ee2c1a5f16d10eddb9110529fed71d25897342d8de5a137caa29ab01c2

SHA512
07c01788df2d11290650ccbd903dece600035e93391a9a97c867f1eacea294101f5ad00c8da071b500925392e1ec5298dc6313f5d79abb4d3bdc1a11d2031b38

Download Submit
C:\Users\Admin\AppData\Local\XAd\SysResetErr.exe

Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Vmoyh.lnk

Filesize
1KB

MD5
4a4b87854569f016a54a43abe972b700

SHA1
d01e4e272e2c080d058ce38a5f4c532c870ce3b7

SHA256
590e38c48bedf82fa7e08f77442bfbf52c35bafb7685ecd002633b377321d890

SHA512
a1f5d225d88bb3f53e5e336dfdad19018ec6929aaa9b218c72987570e3c418845002572d1b6f5eeba9b556877dcb1d358d12d3518f2293b51357e4ed724d8e2c

Download Submit
memory/1480-62-0x00007FF971250000-0x00007FF971381000-memory.dmp

Filesize
1.2MB

Download
memory/1480-65-0x0000025E1B4A0000-0x0000025E1B4A7000-memory.dmp

Filesize
28KB

Download
memory/1480-68-0x00007FF971250000-0x00007FF971381000-memory.dmp

Filesize
1.2MB

Download
memory/2280-79-0x00000243EB9B0000-0x00000243EB9B7000-memory.dmp

Filesize
28KB

Download
memory/2280-80-0x00007FF971250000-0x00007FF971382000-memory.dmp

Filesize
1.2MB

Download
memory/2280-85-0x00007FF971250000-0x00007FF971382000-memory.dmp

Filesize
1.2MB

Download
memory/3432-28-0x0000000000840000-0x0000000000847000-memory.dmp

Filesize
28KB

Download
memory/3432-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-4-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/3432-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-6-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-23-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-27-0x00007FF97E31A000-0x00007FF97E31B000-memory.dmp

Filesize
4KB

Download
memory/3432-29-0x00007FF97F2D0000-0x00007FF97F2E0000-memory.dmp

Filesize
64KB

Download
memory/3432-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3868-51-0x00007FF970C30000-0x00007FF970DA6000-memory.dmp

Filesize
1.5MB

Download
memory/3868-48-0x00000204B3840000-0x00000204B3847000-memory.dmp

Filesize
28KB

Download
memory/3868-45-0x00007FF970C30000-0x00007FF970DA6000-memory.dmp

Filesize
1.5MB

Download
memory/3952-0-0x00007FF971260000-0x00007FF971390000-memory.dmp

Filesize
1.2MB

Download
memory/3952-38-0x00007FF971260000-0x00007FF971390000-memory.dmp

Filesize
1.2MB

Download
memory/3952-3-0x00000211DFAE0000-0x00000211DFAE7000-memory.dmp

Filesize
28KB

Download