dridex | 3fd4e602beb3bc04479f55c761c27cb0ef1d8011db499266eb6615d75d53c067

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
28/07/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1452f13dc50be7b78017d4984f0b98c2_JaffaCakes118.dll
Size

1.2MB
MD5

1452f13dc50be7b78017d4984f0b98c2
SHA1

df176b802a4a5c9d9bad302c5116b7688c219859
SHA256

3fd4e602beb3bc04479f55c761c27cb0ef1d8011db499266eb6615d75d53c067
SHA512

af5e290af613a833236deb680d3bff9be6cfc60a71f0581edc7b15351cf385c79d5053366e39597030334dc6a3d7a62f32cc01ace478b9640c4fa4fdc28e5d4b
SSDEEP

24576:yuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:a9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3572-4-0x00000000023A0000-0x00000000023A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
224	ie4uinit.exe
1496	ApplySettingsTemplateCatalog.exe
2036	mfpmp.exe

Loads dropped DLL 4 IoCs

pid	Process
224	ie4uinit.exe
224	ie4uinit.exe
1496	ApplySettingsTemplateCatalog.exe
2036	mfpmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ofwfdysxg = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\Managed\\DOCUME~1\\plk\\APPLYS~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4uinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	rundll32.exe
2380	rundll32.exe
2380	rundll32.exe
2380	rundll32.exe
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 1360	3572	Process not Found	84
PID 3572 wrote to memory of 1360	3572	Process not Found	84
PID 3572 wrote to memory of 224	3572	Process not Found	85
PID 3572 wrote to memory of 224	3572	Process not Found	85
PID 3572 wrote to memory of 1048	3572	Process not Found	86
PID 3572 wrote to memory of 1048	3572	Process not Found	86
PID 3572 wrote to memory of 1496	3572	Process not Found	87
PID 3572 wrote to memory of 1496	3572	Process not Found	87
PID 3572 wrote to memory of 2736	3572	Process not Found	88
PID 3572 wrote to memory of 2736	3572	Process not Found	88
PID 3572 wrote to memory of 2036	3572	Process not Found	89
PID 3572 wrote to memory of 2036	3572	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1452f13dc50be7b78017d4984f0b98c2_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2380

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:1360

C:\Users\Admin\AppData\Local\ThF\ie4uinit.exe
C:\Users\Admin\AppData\Local\ThF\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:224

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:1048

C:\Users\Admin\AppData\Local\l2y\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\l2y\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1496

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:2736

C:\Users\Admin\AppData\Local\UQdYt\mfpmp.exe
C:\Users\Admin\AppData\Local\UQdYt\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ThF\VERSION.dll

Filesize
1.2MB

MD5
950285ebb513b0a69c9fdb0887d9bef8

SHA1
5b2b3d8657c85602c40381f5a7abb4d5a8049bc6

SHA256
93d06ab7ff633199f07bd6e5e77351e40311eff5aed53a4fb05b9bab067f99f1

SHA512
073de0bf8b0f9f2aee3378565388ba74e2f44eb16b7a256a2658deab79e38d32fde50f57eb5fe723c40afdb52c1d87c6e291f14a3de2fb795c1dc9946ad753d6

Download Submit
C:\Users\Admin\AppData\Local\ThF\ie4uinit.exe

Filesize
262KB

MD5
a2f0104edd80ca2c24c24356d5eacc4f

SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56

SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

Download Submit
C:\Users\Admin\AppData\Local\UQdYt\MFPlat.DLL

Filesize
1.2MB

MD5
106b7860e5e5810731c5cb5101daab36

SHA1
c1ccb2d688dfb2b1305e391b3b82af93c697516b

SHA256
b6718a611552b043c0a66b0704e2c1ab70521869c2c8bd2fde175468be7a3ea3

SHA512
37f4d956249ccc53ff5fc0ec166a72e31b609b77ba73161e0aa1b9a898af4cff1b0a1fb9600c51d6351f840115f5bef7a89017b502d0e0abce2d51af42dbf3cb

Download Submit
C:\Users\Admin\AppData\Local\UQdYt\mfpmp.exe

Filesize
46KB

MD5
8f8fd1988973bac0c5244431473b96a5

SHA1
ce81ea37260d7cafe27612606cf044921ad1304c

SHA256
27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

SHA512
a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

Download Submit
C:\Users\Admin\AppData\Local\l2y\ACTIVEDS.dll

Filesize
1.2MB

MD5
e2004b52c67b5b25e3be808c2258effe

SHA1
d244efa1eaa77c3f880c4358d0897b0c88e0cc6a

SHA256
9f33fce72ed702771a9a25a8e8fd4f0615991cf441d772c732e0dd2feb93b296

SHA512
7f98a08091ee0f9940ccb113aa35325001285888a9642004a802d0f9e1aa9a25fefd71458d08b5e430fad8cc540f0ef2065122722467680ca7d379e3ac59939c

Download Submit
C:\Users\Admin\AppData\Local\l2y\ApplySettingsTemplateCatalog.exe

Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Evbxgkmeevkeagz.lnk

Filesize
1KB

MD5
83a8b9f2772443cf868c132f6fad5eb7

SHA1
e534bc93321d5f15259e270bf9e62706b2a3ce4a

SHA256
d13c34a4a02dd8e3c0fc94203480c2e2b624ae2d73b19c4561f3fb2e258e4b7f

SHA512
3c47c6bff9ed6fe45473ea738546ed53e13fb69b2b4c8129ec5ee326026880295202c3be97d7ae69660202fbf5a3829afe554e49666698974acb12a62f9191b4

Download Submit
memory/224-53-0x00007FFE4CF70000-0x00007FFE4D0A3000-memory.dmp

Filesize
1.2MB

Download
memory/224-50-0x000001BA3CA20000-0x000001BA3CA27000-memory.dmp

Filesize
28KB

Download
memory/224-47-0x00007FFE4CF70000-0x00007FFE4D0A3000-memory.dmp

Filesize
1.2MB

Download
memory/1496-67-0x000001C67ADB0000-0x000001C67ADB7000-memory.dmp

Filesize
28KB

Download
memory/1496-70-0x00007FFE4CF70000-0x00007FFE4D0A3000-memory.dmp

Filesize
1.2MB

Download
memory/2036-81-0x00007FFE4CF70000-0x00007FFE4D0A4000-memory.dmp

Filesize
1.2MB

Download
memory/2036-86-0x00007FFE4CF70000-0x00007FFE4D0A4000-memory.dmp

Filesize
1.2MB

Download
memory/2380-1-0x00007FFE4CF70000-0x00007FFE4D0A2000-memory.dmp

Filesize
1.2MB

Download
memory/2380-39-0x00007FFE4CF70000-0x00007FFE4D0A2000-memory.dmp

Filesize
1.2MB

Download
memory/2380-0-0x000001EFBA780000-0x000001EFBA787000-memory.dmp

Filesize
28KB

Download
memory/3572-34-0x0000000000610000-0x0000000000617000-memory.dmp

Filesize
28KB

Download
memory/3572-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-33-0x00007FFE5ACAA000-0x00007FFE5ACAB000-memory.dmp

Filesize
4KB

Download
memory/3572-35-0x00007FFE5B650000-0x00007FFE5B660000-memory.dmp

Filesize
64KB

Download
memory/3572-36-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-24-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-6-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3572-4-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download