dridex | d62f7d5f5612a00f40af40dd9e4d077879f57a394e6c54cfdd8ac3c643212844

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31b7ddc62f5f53c4e73e7e6fc2ac8a8e_JaffaCakes118.dll
Size

1.2MB
MD5

31b7ddc62f5f53c4e73e7e6fc2ac8a8e
SHA1

90bc55e8741ad80cc692f8916879afe1136d300c
SHA256

d62f7d5f5612a00f40af40dd9e4d077879f57a394e6c54cfdd8ac3c643212844
SHA512

2c1de038b2c6a2b090f0f17a1fc0118bbed7837496a7c7df345295039d16e1731c5274cde666880b5323eed51547b10a93a22efd7d2deffd14f0bcc1e8f611dc
SSDEEP

24576:luYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:f9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3188-4-0x0000000000EB0000-0x0000000000EB1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3060	osk.exe
4760	tabcal.exe
3884	sdclt.exe

Loads dropped DLL 3 IoCs

pid	Process
3060	osk.exe
4760	tabcal.exe
3884	sdclt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zdgdcgkgx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\Y1J2o7bZYo\\tabcal.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	rundll32.exe
2768	rundll32.exe
2768	rundll32.exe
2768	rundll32.exe
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 1708	3188	Process not Found	84
PID 3188 wrote to memory of 1708	3188	Process not Found	84
PID 3188 wrote to memory of 3060	3188	Process not Found	85
PID 3188 wrote to memory of 3060	3188	Process not Found	85
PID 3188 wrote to memory of 1532	3188	Process not Found	86
PID 3188 wrote to memory of 1532	3188	Process not Found	86
PID 3188 wrote to memory of 4760	3188	Process not Found	87
PID 3188 wrote to memory of 4760	3188	Process not Found	87
PID 3188 wrote to memory of 4188	3188	Process not Found	88
PID 3188 wrote to memory of 4188	3188	Process not Found	88
PID 3188 wrote to memory of 3884	3188	Process not Found	89
PID 3188 wrote to memory of 3884	3188	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\31b7ddc62f5f53c4e73e7e6fc2ac8a8e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2768

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:1708

C:\Users\Admin\AppData\Local\yK74CC\osk.exe
C:\Users\Admin\AppData\Local\yK74CC\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3060

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:1532

C:\Users\Admin\AppData\Local\DY1byr\tabcal.exe
C:\Users\Admin\AppData\Local\DY1byr\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4760

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:4188

C:\Users\Admin\AppData\Local\M2K\sdclt.exe
C:\Users\Admin\AppData\Local\M2K\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DY1byr\HID.DLL

Filesize
1.2MB

MD5
f59d9d89e1cce8073dc8a87b04eef236

SHA1
d58d813ee30edce427a3392f8fc94801101086a2

SHA256
2d2631c2257166ce9a4ca512eda924caca61c6f536be0a7e95f6c51285050c49

SHA512
e3191479389c04a4294a7873a4554435bced3e2623f366c8d81f5be4de37eb889c01f6aad577e31dc270c1fda59c7ccad32ed5acd3030b0c9da9e349d147929d

Download Submit
C:\Users\Admin\AppData\Local\DY1byr\tabcal.exe

Filesize
84KB

MD5
40f4014416ff0cbf92a9509f67a69754

SHA1
1798ff7324724a32c810e2075b11c09b41e4fede

SHA256
f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

SHA512
646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

Download Submit
C:\Users\Admin\AppData\Local\M2K\SPP.dll

Filesize
1.2MB

MD5
93889f396a53a3181dd87f3afcd9011b

SHA1
88b8033430596649cbaf4c1f5a6f039416d395e1

SHA256
be022f8c878ec74b5b0b4e1384089ddd95876df390e074f37c13a187e98b37e3

SHA512
7e7174ba6cc3134059ae367b79bdff9210e6a98a30bf13bb4da60241477b81ca1108e3aad0983ce15fa3819530640e219895307b70da178a0d3da83386c5f5ef

Download Submit
C:\Users\Admin\AppData\Local\M2K\sdclt.exe

Filesize
1.2MB

MD5
e09d48f225e7abcab14ebd3b8a9668ec

SHA1
1c5b9322b51c09a407d182df481609f7cb8c425d

SHA256
efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

SHA512
384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

Download Submit
C:\Users\Admin\AppData\Local\yK74CC\DUI70.dll

Filesize
1.4MB

MD5
b85ca7d0eebc4b29c25ec14341f1829e

SHA1
734b1f6b79bb396e1d853611e07c3d074a41c012

SHA256
9a5057bbfe805fadf00ffbbb6bc2c7ada0f1049a5cd1788420e7465dc6987b98

SHA512
f0ea1d9d4a13b01724be519e568179af2f575d548e4146aefc12568e09e07150ceb8a14e4ee13f721533268bb690d2625fe905cdddb630295ce0b7d4d8ee6685

Download Submit
C:\Users\Admin\AppData\Local\yK74CC\osk.exe

Filesize
638KB

MD5
745f2df5beed97b8c751df83938cb418

SHA1
2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

SHA256
f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

SHA512
2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ozpfed.lnk

Filesize
1KB

MD5
f7fd5d7535ccaa450f6b09d7688aa068

SHA1
a04d5beaa804a478150dd8783c89876b8d5b21e5

SHA256
f12c211507faed9cc932ce51a570a9617abf8ad64018e208cac129edaa12a3f3

SHA512
47ec978cd1c068a8873ee1c96470e918fa7c55b17c849843dd57e7a60607734b5ac022bf562c78770ab5ad164158ce2a3d24948dbbf96576cb7a9582194c70fc

Download Submit
memory/2768-39-0x00007FFAD9B30000-0x00007FFAD9C61000-memory.dmp

Filesize
1.2MB

Download
memory/2768-2-0x00007FFAD9B30000-0x00007FFAD9C61000-memory.dmp

Filesize
1.2MB

Download
memory/2768-0-0x0000022062F50000-0x0000022062F57000-memory.dmp

Filesize
28KB

Download
memory/3060-52-0x00007FFAD9370000-0x00007FFAD94E7000-memory.dmp

Filesize
1.5MB

Download
memory/3060-47-0x00007FFAD9370000-0x00007FFAD94E7000-memory.dmp

Filesize
1.5MB

Download
memory/3060-46-0x000001B53EE90000-0x000001B53EE97000-memory.dmp

Filesize
28KB

Download
memory/3188-36-0x00007FFAE57BA000-0x00007FFAE57BB000-memory.dmp

Filesize
4KB

Download
memory/3188-37-0x0000000000AF0000-0x0000000000AF7000-memory.dmp

Filesize
28KB

Download
memory/3188-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3188-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3188-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3188-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3188-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3188-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3188-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3188-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3188-33-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3188-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3188-38-0x00007FFAE76F0000-0x00007FFAE7700000-memory.dmp

Filesize
64KB

Download
memory/3188-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3188-4-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/3188-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3188-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3884-83-0x000001DE398F0000-0x000001DE398F7000-memory.dmp

Filesize
28KB

Download
memory/3884-86-0x00007FFAD9B30000-0x00007FFAD9C62000-memory.dmp

Filesize
1.2MB

Download
memory/4760-69-0x00007FFAD9B30000-0x00007FFAD9C62000-memory.dmp

Filesize
1.2MB

Download
memory/4760-66-0x0000019C3E7B0000-0x0000019C3E7B7000-memory.dmp

Filesize
28KB

Download
memory/4760-64-0x00007FFAD9B30000-0x00007FFAD9C62000-memory.dmp

Filesize
1.2MB

Download