dridex | f73f90888a503e9599d2845337707f5d38ac1585fade9bd3eff224e65cbaa340

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

246baf200fe0776877875b48895018aa_JaffaCakes118.dll
Size

1.2MB
MD5

246baf200fe0776877875b48895018aa
SHA1

4305c8cdb722247ffebfea9f06b9233339a606f9
SHA256

f73f90888a503e9599d2845337707f5d38ac1585fade9bd3eff224e65cbaa340
SHA512

78947ad93fc4cecb64f9351531519bd04c41f8ddf73cbd1ad3de58ccb027b646f9cff9cdcd438260271c076ae01c846cdecd5c0950b706df597ac88b39ada54c
SSDEEP

24576:kuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:89cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3404-4-0x0000000002480000-0x0000000002481000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1972	ApplicationFrameHost.exe
3448	DWWIN.EXE
704	PasswordOnWakeSettingFlyout.exe

Loads dropped DLL 3 IoCs

pid	Process
1972	ApplicationFrameHost.exe
3448	DWWIN.EXE
704	PasswordOnWakeSettingFlyout.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lkmfajh = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\9Qduu6kQ\\DWWIN.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplicationFrameHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PasswordOnWakeSettingFlyout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4444	rundll32.exe
4444	rundll32.exe
4444	rundll32.exe
4444	rundll32.exe
4444	rundll32.exe
4444	rundll32.exe
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3404	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 1480	3404	Process not Found	84
PID 3404 wrote to memory of 1480	3404	Process not Found	84
PID 3404 wrote to memory of 1972	3404	Process not Found	85
PID 3404 wrote to memory of 1972	3404	Process not Found	85
PID 3404 wrote to memory of 3820	3404	Process not Found	86
PID 3404 wrote to memory of 3820	3404	Process not Found	86
PID 3404 wrote to memory of 3448	3404	Process not Found	87
PID 3404 wrote to memory of 3448	3404	Process not Found	87
PID 3404 wrote to memory of 1632	3404	Process not Found	88
PID 3404 wrote to memory of 1632	3404	Process not Found	88
PID 3404 wrote to memory of 704	3404	Process not Found	89
PID 3404 wrote to memory of 704	3404	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\246baf200fe0776877875b48895018aa_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:1480

C:\Users\Admin\AppData\Local\fhD\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\fhD\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1972

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:3820

C:\Users\Admin\AppData\Local\mP7VpG\DWWIN.EXE
C:\Users\Admin\AppData\Local\mP7VpG\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3448

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
1⤵
PID:1632

C:\Users\Admin\AppData\Local\QooC1XT\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\QooC1XT\PasswordOnWakeSettingFlyout.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QooC1XT\DUI70.dll

Filesize
1.4MB

MD5
5b8de384a197e5fbbb352934527dc03d

SHA1
0b0b7e280ebe3bd9c7b46d2f1b22a8b076119e8b

SHA256
e9d19ee3b3a0c28db0c6130e9af0fc7a3be286cf9e0985c3f83c24df39e5f815

SHA512
b865f12962dc2c7044b47923758553ac216f7759dd94a43fcb6750f76257f09d32afbda1abf0fba300336a3c6420e8f05d6decab6c2c5ba1a7b1619d5d058082

Download Submit
C:\Users\Admin\AppData\Local\QooC1XT\PasswordOnWakeSettingFlyout.exe

Filesize
44KB

MD5
591a98c65f624c52882c2b238d6cd4c4

SHA1
c960d08c19d777069cf265dcc281807fbd8502d7

SHA256
5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

SHA512
1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

Download Submit
C:\Users\Admin\AppData\Local\fhD\ApplicationFrameHost.exe

Filesize
76KB

MD5
d58a8a987a8dafad9dc32a548cc061e7

SHA1
f79fc9e0ab066cad530b949c2153c532a5223156

SHA256
cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

SHA512
93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Download Submit
C:\Users\Admin\AppData\Local\fhD\dxgi.dll

Filesize
1.2MB

MD5
b8ac04fde9296d1309e62fb2a514bd9e

SHA1
3e3776d343cd298a55496204d7b169c4b2119066

SHA256
4b7d4914dc2d6ac82d6884a1a9d116d9609e956f00e19ba12b6335ee8f99e590

SHA512
3ad07b4b84ae53f385109d7545fff2d9b0453111de91eccc545d84784c3a07796232418a31e49873e52b7680345fd48abf7af1ff85998fcc296652be5ef17ab9

Download Submit
C:\Users\Admin\AppData\Local\mP7VpG\DWWIN.EXE

Filesize
229KB

MD5
444cc4d3422a0fdd45c1b78070026c60

SHA1
97162ff341fff1ec54b827ec02f8b86fd2d41a97

SHA256
4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

SHA512
21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

Download Submit
C:\Users\Admin\AppData\Local\mP7VpG\VERSION.dll

Filesize
1.2MB

MD5
607d37f48554ef27a2c68c2e03cc1afc

SHA1
de9471ab5a3486812cc52ba7f66ee362b2ba0ac8

SHA256
1961829cd9dca0dd39618e9bc3955be76b5bb62c1eafc268a07cf4ec23c3de08

SHA512
242a98d769a9db9916eda5f183ae161c283d55e211cf0ec163586d32111bb59ac9788432059c76176141f7bbfe51d8cdf565ec88db8b543e5eca99efcf5d2b94

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rlbqg.lnk

Filesize
1KB

MD5
8c03a6d55f6f0cf846edcf7247a55b22

SHA1
446017b5428b27a953ab47b24894ab55923a31bf

SHA256
6114ac1b86b878cf137e9ac4f695f25387b5e54ec143ed6b4d2453adb1c25b66

SHA512
401873e136bea708aff41a5ec27ebf09dca8f5989f1a8383804529a2155c1bb45f03621bbe189974ae5331f534441b11e176ac40ad07d68d4e554f72b85f2e77

Download Submit
memory/704-80-0x00007FF896B40000-0x00007FF896CB8000-memory.dmp

Filesize
1.5MB

Download
memory/704-83-0x000001602BE70000-0x000001602BE77000-memory.dmp

Filesize
28KB

Download
memory/704-86-0x00007FF896B40000-0x00007FF896CB8000-memory.dmp

Filesize
1.5MB

Download
memory/1972-52-0x00007FF897030000-0x00007FF897163000-memory.dmp

Filesize
1.2MB

Download
memory/1972-46-0x00007FF897030000-0x00007FF897163000-memory.dmp

Filesize
1.2MB

Download
memory/1972-49-0x000001D1FF290000-0x000001D1FF297000-memory.dmp

Filesize
28KB

Download
memory/3404-29-0x00007FF8A489A000-0x00007FF8A489B000-memory.dmp

Filesize
4KB

Download
memory/3404-31-0x00007FF8A5110000-0x00007FF8A5120000-memory.dmp

Filesize
64KB

Download
memory/3404-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3404-6-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3404-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3404-36-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3404-4-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3404-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3404-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3404-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3404-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3404-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3404-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3404-30-0x0000000000480000-0x0000000000487000-memory.dmp

Filesize
28KB

Download
memory/3404-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3404-24-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3404-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3448-69-0x00007FF897030000-0x00007FF897163000-memory.dmp

Filesize
1.2MB

Download
memory/3448-66-0x0000025A2A4A0000-0x0000025A2A4A7000-memory.dmp

Filesize
28KB

Download
memory/4444-1-0x00007FF897030000-0x00007FF897162000-memory.dmp

Filesize
1.2MB

Download
memory/4444-39-0x00007FF897030000-0x00007FF897162000-memory.dmp

Filesize
1.2MB

Download
memory/4444-3-0x0000020433D20000-0x0000020433D27000-memory.dmp

Filesize
28KB

Download