dridex | 5f25e058ec1e4e713a06af4af810eaeee84640b5b6a3995d8bb384e06e958f74

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32537f50522e3740a5c02b2b70095c69_JaffaCakes118.dll
Size

1.4MB
MD5

32537f50522e3740a5c02b2b70095c69
SHA1

33c1010b9daea842501a2c4c854d4084d726880d
SHA256

5f25e058ec1e4e713a06af4af810eaeee84640b5b6a3995d8bb384e06e958f74
SHA512

660606f2c7cd54ae91a1be2fcbd41d52472ca3ac97880aefffa178b02f1c14df18a901b02267cfb58cfa441f123617f353ca7ce6d7c3b61daef5afb150d5b1e1
SSDEEP

24576:guYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NF:w9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3380-4-0x00000000025C0000-0x00000000025C1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1172	RdpSaUacHelper.exe
4152	MusNotifyIcon.exe
3192	CustomShellHost.exe

Loads dropped DLL 3 IoCs

pid	Process
1172	RdpSaUacHelper.exe
4152	MusNotifyIcon.exe
3192	CustomShellHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lkmfajh = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\osNw\\MusNotifyIcon.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSaUacHelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CustomShellHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3224	rundll32.exe
3224	rundll32.exe
3224	rundll32.exe
3224	rundll32.exe
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found
3380	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 1888	3380	Process not Found	84
PID 3380 wrote to memory of 1888	3380	Process not Found	84
PID 3380 wrote to memory of 1172	3380	Process not Found	85
PID 3380 wrote to memory of 1172	3380	Process not Found	85
PID 3380 wrote to memory of 1712	3380	Process not Found	86
PID 3380 wrote to memory of 1712	3380	Process not Found	86
PID 3380 wrote to memory of 4152	3380	Process not Found	87
PID 3380 wrote to memory of 4152	3380	Process not Found	87
PID 3380 wrote to memory of 1392	3380	Process not Found	88
PID 3380 wrote to memory of 1392	3380	Process not Found	88
PID 3380 wrote to memory of 3192	3380	Process not Found	89
PID 3380 wrote to memory of 3192	3380	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\32537f50522e3740a5c02b2b70095c69_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3224

C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
1⤵
PID:1888

C:\Users\Admin\AppData\Local\JstnLnZT\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\JstnLnZT\RdpSaUacHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1172

C:\Windows\system32\MusNotifyIcon.exe
C:\Windows\system32\MusNotifyIcon.exe
1⤵
PID:1712

C:\Users\Admin\AppData\Local\60u0ImD\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\60u0ImD\MusNotifyIcon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4152

C:\Windows\system32\CustomShellHost.exe
C:\Windows\system32\CustomShellHost.exe
1⤵
PID:1392

C:\Users\Admin\AppData\Local\6fdIIj\CustomShellHost.exe
C:\Users\Admin\AppData\Local\6fdIIj\CustomShellHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\60u0ImD\MusNotifyIcon.exe

Filesize
629KB

MD5
c54b1a69a21e03b83ebb0aeb3758b6f7

SHA1
b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

SHA256
ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

SHA512
2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

Download Submit
C:\Users\Admin\AppData\Local\60u0ImD\UxTheme.dll

Filesize
1.4MB

MD5
519fef1556d3c9e048107f3ba5c7ea6b

SHA1
0eae9747e087265ad415d21a1d19efc7a0c4ee5c

SHA256
5aa3707f5a7182040775c3398361a13b94eb7e0bf503d7c5f08ce8de701e6fe1

SHA512
8da8603030a6463797a0617bce47547cb61b567a2c4efe17816795f05d16ecd031fb02682dacfba295b74ca08a627dff5478e335b3de95173deffda1c8cc115f

Download Submit
C:\Users\Admin\AppData\Local\6fdIIj\CustomShellHost.exe

Filesize
835KB

MD5
70400e78b71bc8efdd063570428ae531

SHA1
cd86ecd008914fdd0389ac2dc00fe92d87746096

SHA256
91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

SHA512
53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

Download Submit
C:\Users\Admin\AppData\Local\6fdIIj\WTSAPI32.dll

Filesize
1.4MB

MD5
29cdd613fc5931580b935e46eb4f98df

SHA1
3df906c855cd9a3aaaa7c010f2269c0e25d38899

SHA256
ff5b9b711449c5f4d308058b82bb1d2b28bdc2d8d138ede02eade869cf3ba461

SHA512
ae07c647740a377a73c723fb1cb0cd7727903f6647f84d0f7327a1006907c3f0adedcf64d9bdd3abca14872b387be48db1f443fbf7603b958366ac706a13e789

Download Submit
C:\Users\Admin\AppData\Local\JstnLnZT\RdpSaUacHelper.exe

Filesize
33KB

MD5
0d5b016ac7e7b6257c069e8bb40845de

SHA1
5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

SHA256
6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

SHA512
cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

Download Submit
C:\Users\Admin\AppData\Local\JstnLnZT\WINSTA.dll

Filesize
1.4MB

MD5
995ef3d76e209db15c52fa530f0d098c

SHA1
4623a9ffd0d42088397fe86a463deb2763078fd2

SHA256
9efa681d1ce4a2bf558534d1d47b0bbd4bf151cafd85ef0496c067e2e6b68b99

SHA512
7065cfb36a9c3d4c4f915bcdc0746bdad1ed94aa77b255caf9fef95517d0455c6e4fbdb99cbf7a085d2b07636ef2aeb4ed6124b9797c37aae8a7f3781f1cc75d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rlbqg.lnk

Filesize
1KB

MD5
f7d743eeaa84d01c5be1960e39ea5cd3

SHA1
d08571b8bbf712b3b1fdca131aeb0660db482fbf

SHA256
7a0c5e7e41d5a439f9ab31ce244153ad7fca29ad743065d74cd051cae6648776

SHA512
1c088a648722fca5598131a2191e7689b7387c90a7621fc282d664fbe63f38b5e9160be33b0871629a11e97dd7ea8599b177f2b31af2aa33920f2afcb0550920

Download Submit
memory/1172-51-0x00007FFBD2190000-0x00007FFBD22F5000-memory.dmp

Filesize
1.4MB

Download
memory/1172-48-0x00000227D4380000-0x00000227D4387000-memory.dmp

Filesize
28KB

Download
memory/1172-45-0x00007FFBD2190000-0x00007FFBD22F5000-memory.dmp

Filesize
1.4MB

Download
memory/3192-85-0x00007FFBD2190000-0x00007FFBD22F4000-memory.dmp

Filesize
1.4MB

Download
memory/3192-79-0x000001C751EF0000-0x000001C751EF7000-memory.dmp

Filesize
28KB

Download
memory/3224-38-0x00007FFBD2190000-0x00007FFBD22F3000-memory.dmp

Filesize
1.4MB

Download
memory/3224-0-0x00007FFBD2190000-0x00007FFBD22F3000-memory.dmp

Filesize
1.4MB

Download
memory/3224-3-0x0000014834E40000-0x0000014834E47000-memory.dmp

Filesize
28KB

Download
memory/3380-31-0x00007FFBDE93A000-0x00007FFBDE93B000-memory.dmp

Filesize
4KB

Download
memory/3380-14-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3380-36-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3380-15-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3380-7-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3380-8-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3380-9-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3380-11-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3380-12-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3380-6-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3380-32-0x0000000000A00000-0x0000000000A07000-memory.dmp

Filesize
28KB

Download
memory/3380-4-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/3380-10-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3380-13-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3380-33-0x00007FFBE0750000-0x00007FFBE0760000-memory.dmp

Filesize
64KB

Download
memory/3380-23-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/4152-68-0x00007FFBD2190000-0x00007FFBD22F4000-memory.dmp

Filesize
1.4MB

Download
memory/4152-65-0x0000019E87310000-0x0000019E87317000-memory.dmp

Filesize
28KB

Download
memory/4152-62-0x00007FFBD2190000-0x00007FFBD22F4000-memory.dmp

Filesize
1.4MB

Download