dridex | f2ddef77e116e27aaf7edd19d8e311c890be77abd321a104a19bb4beb6a760d5

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

305ed1795e2e32ab6474f11e8a2b90da_JaffaCakes118.dll
Size

1.2MB
MD5

305ed1795e2e32ab6474f11e8a2b90da
SHA1

36691323644bafb435d160a6d91caabba435a6de
SHA256

f2ddef77e116e27aaf7edd19d8e311c890be77abd321a104a19bb4beb6a760d5
SHA512

eab5c510385fef3fc598f15b65c6b91e966ba1590de17c839e4a5a9816526463f91501a5006209e781e15befd240ff7cdb53e57103dabd319483598926f85500
SSDEEP

24576:yuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:a9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3516-4-0x00000000031F0000-0x00000000031F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4396	EhStorAuthn.exe
3204	DWWIN.EXE
2148	SystemSettingsRemoveDevice.exe

Loads dropped DLL 3 IoCs

pid	Process
4396	EhStorAuthn.exe
3204	DWWIN.EXE
2148	SystemSettingsRemoveDevice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ahvkwrxhngjqh = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\DR6J6P~1\\DWWIN.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5004	rundll32.exe
5004	rundll32.exe
5004	rundll32.exe
5004	rundll32.exe
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3516	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 2124	3516	Process not Found	84
PID 3516 wrote to memory of 2124	3516	Process not Found	84
PID 3516 wrote to memory of 4396	3516	Process not Found	85
PID 3516 wrote to memory of 4396	3516	Process not Found	85
PID 3516 wrote to memory of 5040	3516	Process not Found	86
PID 3516 wrote to memory of 5040	3516	Process not Found	86
PID 3516 wrote to memory of 3204	3516	Process not Found	87
PID 3516 wrote to memory of 3204	3516	Process not Found	87
PID 3516 wrote to memory of 112	3516	Process not Found	88
PID 3516 wrote to memory of 112	3516	Process not Found	88
PID 3516 wrote to memory of 2148	3516	Process not Found	89
PID 3516 wrote to memory of 2148	3516	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\305ed1795e2e32ab6474f11e8a2b90da_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:2124

C:\Users\Admin\AppData\Local\G35NadLhv\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\G35NadLhv\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4396

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:5040

C:\Users\Admin\AppData\Local\ohZIs\DWWIN.EXE
C:\Users\Admin\AppData\Local\ohZIs\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3204

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:112

C:\Users\Admin\AppData\Local\XGltj\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\XGltj\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\G35NadLhv\EhStorAuthn.exe

Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\G35NadLhv\UxTheme.dll

Filesize
1.2MB

MD5
e94ceedbe1c19f150765e4b818f07e94

SHA1
b959ce2c2a3fa10d471abc3ea6fd5eed1b158d17

SHA256
489c5a21ecc5b587160314f6f1dda44f3d2c56d672177a52a03e1370bc7759a4

SHA512
9b4d9cbeaa21f0f9868708e1f3521bbfd39b7f3e495511b40fdd122dc6c7c650b60a1cf112170fbe3993f7805f3aaa5fef99cc292fedd282fb82a5842ccca334

Download Submit
C:\Users\Admin\AppData\Local\XGltj\DUI70.dll

Filesize
1.4MB

MD5
a5213bba342f1833576de9bb3ef6b7c0

SHA1
8dd8d975cf9e5dedca06d4b80856a671f54f6018

SHA256
3e5a99741e5c497ef362a3b2118007912a7662a29813db0ccd64b3e4392f0bd5

SHA512
2b0c214ab13fd33c5961474fd468ae8be666e4061b7eb634d229ad5bfd00fa82d3887cbfc1186d00ac333120c298670b8c83cabf122c43044d763bc13cdfa5a0

Download Submit
C:\Users\Admin\AppData\Local\XGltj\SystemSettingsRemoveDevice.exe

Filesize
39KB

MD5
7853f1c933690bb7c53c67151cbddeb0

SHA1
d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

SHA256
9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

SHA512
831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

Download Submit
C:\Users\Admin\AppData\Local\ohZIs\DWWIN.EXE

Filesize
229KB

MD5
444cc4d3422a0fdd45c1b78070026c60

SHA1
97162ff341fff1ec54b827ec02f8b86fd2d41a97

SHA256
4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

SHA512
21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

Download Submit
C:\Users\Admin\AppData\Local\ohZIs\VERSION.dll

Filesize
1.2MB

MD5
62c3c9778ae8c7d0319344c15a3dd67c

SHA1
e0c261ae0107912742a32df5649cbe7c050914c8

SHA256
b79cfe71a8b6f491fac23d52d2b4d8608b46c3fd037bfaaf4ccdc68e0efac423

SHA512
cf46ef078a3adb53db884183ddaba9de27458107beaa6e8259cdb5059e5f0f20748cbb1de9d92a86a5ae30c2caa0f0bf7d2d07bda36e18353a9fde8a002f1c42

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arrotspbllekcvw.lnk

Filesize
1KB

MD5
02ebe9579518a5c4148b6a7c8ca7802f

SHA1
3eb9e3cca1a0486074b85331a08209a536da2341

SHA256
f31b811e512133fdcde61f6ad0d95977c1bfa724e79c260d51f70f618ca8ce99

SHA512
3da366bdaf8b9e181e59cf64dcf932d5e47d0282a21641fb56020ef3aab8d0ae41e1de8988ceb8298e5926274f3c5a72cb34f82911ec2168dff41279b1da1ff5

Download Submit
memory/2148-83-0x0000013F17610000-0x0000013F17617000-memory.dmp

Filesize
28KB

Download
memory/2148-86-0x00007FFADC0D0000-0x00007FFADC247000-memory.dmp

Filesize
1.5MB

Download
memory/2148-80-0x00007FFADC0D0000-0x00007FFADC247000-memory.dmp

Filesize
1.5MB

Download
memory/3204-69-0x00007FFADC110000-0x00007FFADC242000-memory.dmp

Filesize
1.2MB

Download
memory/3204-63-0x0000012D6C250000-0x0000012D6C257000-memory.dmp

Filesize
28KB

Download
memory/3516-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-29-0x0000000001490000-0x0000000001497000-memory.dmp

Filesize
28KB

Download
memory/3516-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-4-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3516-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-30-0x00007FFAEAE30000-0x00007FFAEAE40000-memory.dmp

Filesize
64KB

Download
memory/3516-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-28-0x00007FFAE8F9A000-0x00007FFAE8F9B000-memory.dmp

Filesize
4KB

Download
memory/3516-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4396-52-0x00007FFADC110000-0x00007FFADC242000-memory.dmp

Filesize
1.2MB

Download
memory/4396-47-0x00007FFADC110000-0x00007FFADC242000-memory.dmp

Filesize
1.2MB

Download
memory/4396-46-0x000001FDBC660000-0x000001FDBC667000-memory.dmp

Filesize
28KB

Download
memory/5004-39-0x00007FFADC110000-0x00007FFADC241000-memory.dmp

Filesize
1.2MB

Download
memory/5004-2-0x00007FFADC110000-0x00007FFADC241000-memory.dmp

Filesize
1.2MB

Download
memory/5004-0-0x0000022B99B70000-0x0000022B99B77000-memory.dmp

Filesize
28KB

Download