dridex | 484d7dea43a0c0e76df55b04cb19202f7fb13e23ed41cbd7746cabcd90a1c5c2

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d024b9363b39a0acd1de39d9e8e25dc_JaffaCakes118.dll
Size

1.2MB
MD5

6d024b9363b39a0acd1de39d9e8e25dc
SHA1

abcfbed32e6c09c582051971904f85a8b88bbb5a
SHA256

484d7dea43a0c0e76df55b04cb19202f7fb13e23ed41cbd7746cabcd90a1c5c2
SHA512

984397e85bba6831163f155bf27a50956ed69d22fde69186bb9c74f1a76d12ea09cc01528d3bc9364fa3a8629eb2a838ddd65049f97cd1305ef0b8451c7a5389
SSDEEP

24576:muYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:G9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3424-4-0x00000000076A0000-0x00000000076A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2000	usocoreworker.exe
2856	CameraSettingsUIHost.exe
1832	msra.exe

Loads dropped DLL 3 IoCs

pid	Process
2000	usocoreworker.exe
2856	CameraSettingsUIHost.exe
1832	msra.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsgtjspwhizloud = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\1EYSw\\CAMERA~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1424	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3424	Process not Found
3424	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3424	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 5108	3424	Process not Found	95
PID 3424 wrote to memory of 5108	3424	Process not Found	95
PID 3424 wrote to memory of 2000	3424	Process not Found	96
PID 3424 wrote to memory of 2000	3424	Process not Found	96
PID 3424 wrote to memory of 4512	3424	Process not Found	97
PID 3424 wrote to memory of 4512	3424	Process not Found	97
PID 3424 wrote to memory of 2856	3424	Process not Found	98
PID 3424 wrote to memory of 2856	3424	Process not Found	98
PID 3424 wrote to memory of 3296	3424	Process not Found	99
PID 3424 wrote to memory of 3296	3424	Process not Found	99
PID 3424 wrote to memory of 1832	3424	Process not Found	100
PID 3424 wrote to memory of 1832	3424	Process not Found	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d024b9363b39a0acd1de39d9e8e25dc_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:5108

C:\Users\Admin\AppData\Local\LOYSbakyZ\usocoreworker.exe
C:\Users\Admin\AppData\Local\LOYSbakyZ\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2000

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:4512

C:\Users\Admin\AppData\Local\Ax3k\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\Ax3k\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2856

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:3296

C:\Users\Admin\AppData\Local\vQshI1K77\msra.exe
C:\Users\Admin\AppData\Local\vQshI1K77\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ax3k\CameraSettingsUIHost.exe

Filesize
31KB

MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
C:\Users\Admin\AppData\Local\Ax3k\DUI70.dll

Filesize
1.4MB

MD5
cc3f6d3cb4df254ab32a1ce259c76683

SHA1
d64b410ba9ac3b054bf5b76590cfe1115edf6b26

SHA256
436b2e495961e65989fd550584cb400ed87ed17a03ea76d4630ec6dcde3bee6b

SHA512
fa5dc8da261b2d43028251a06f1f196c73b5966613d4d02ee9d13a74d20266777807279f2f69b79530a16066a756753e32938f28f4f864af46aed70e16bb79fe

Download Submit
C:\Users\Admin\AppData\Local\LOYSbakyZ\XmlLite.dll

Filesize
1.2MB

MD5
7aef04b51b214372176ceebc5d7c65f4

SHA1
c94bbbbd342aad3af1da7a3aa6565e515a8dd90f

SHA256
3e21152c135cfa9053c8f910817d9149b991b54ef194c5f3fee432cfb68f74aa

SHA512
1bc5ea6446faa009f9bedf488753c5b9d21a7dfb01b86cdd951d77dd61870164e79b739b8c6075204811d1dcb77410ea17a6a95548fea1af450a3aabc27b725f

Download Submit
C:\Users\Admin\AppData\Local\LOYSbakyZ\usocoreworker.exe

Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Local\vQshI1K77\UxTheme.dll

Filesize
1.2MB

MD5
759a2ea17866bd64380c716dbf80a5b0

SHA1
2adb2904990b02c55437c086ec74e94d735f8435

SHA256
f70a9f739a1cdd3ab8f71cfc6111c3ab62e225c671b8aa2e92a8f18a28713ff1

SHA512
b934e0c9bd98b9ea38437d34b24ad7889ba2cc534281281682189578c3896cda49b54d48a58a7dcff5dd1c072d8d054533a61bf4e18516adb9c78c0361e1be27

Download Submit
C:\Users\Admin\AppData\Local\vQshI1K77\msra.exe

Filesize
579KB

MD5
dcda3b7b8eb0bfbccb54b4d6a6844ad6

SHA1
316a2925e451f739f45e31bc233a95f91bf775fa

SHA256
011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

SHA512
18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Txrhelfambrw.lnk

Filesize
1KB

MD5
101197411128aec0974276935dd094a9

SHA1
972aaad59860ed4060fd0403aabc8c643cee69ec

SHA256
fcdeaa643de96bc169f1a3c0fc4f6455c4006b05e110f79332ed55fb165e9dee

SHA512
d2ac2fd14751d6fd1b3f0ace1147ae40a5754d38a9fa44e7ba32cd0186f2f348b7246ac467c1184a6cea9cbdc06073892652f4749387fa5e1872552f0255436a

Download Submit
memory/1424-0-0x00007FFF77790000-0x00007FFF778C1000-memory.dmp

Filesize
1.2MB

Download
memory/1424-39-0x00007FFF77790000-0x00007FFF778C1000-memory.dmp

Filesize
1.2MB

Download
memory/1424-3-0x00000254D7130000-0x00000254D7137000-memory.dmp

Filesize
28KB

Download
memory/1832-80-0x0000020EF7DD0000-0x0000020EF7DD7000-memory.dmp

Filesize
28KB

Download
memory/1832-86-0x00007FFF690D0000-0x00007FFF69202000-memory.dmp

Filesize
1.2MB

Download
memory/2000-52-0x00007FFF690D0000-0x00007FFF69202000-memory.dmp

Filesize
1.2MB

Download
memory/2000-46-0x00007FFF690D0000-0x00007FFF69202000-memory.dmp

Filesize
1.2MB

Download
memory/2000-49-0x000001CF79270000-0x000001CF79277000-memory.dmp

Filesize
28KB

Download
memory/2856-66-0x00000226373B0000-0x00000226373B7000-memory.dmp

Filesize
28KB

Download
memory/2856-63-0x00007FFF69090000-0x00007FFF69207000-memory.dmp

Filesize
1.5MB

Download
memory/2856-69-0x00007FFF69090000-0x00007FFF69207000-memory.dmp

Filesize
1.5MB

Download
memory/3424-29-0x0000000007680000-0x0000000007687000-memory.dmp

Filesize
28KB

Download
memory/3424-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-28-0x00007FFF84E8A000-0x00007FFF84E8B000-memory.dmp

Filesize
4KB

Download
memory/3424-30-0x00007FFF869F0000-0x00007FFF86A00000-memory.dmp

Filesize
64KB

Download
memory/3424-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-4-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download