dridex | 01ff8188c74308b5694f1f5417b8dc8a2c5ac2fe59b4b10d792273dfd00c40d9

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2024 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b85a378b5aa0e00ad580ced76cf24c4_JaffaCakes118.dll
Size

1.2MB
MD5

7b85a378b5aa0e00ad580ced76cf24c4
SHA1

0252c8d455476716c277a75f0ff0846f0ffceba5
SHA256

01ff8188c74308b5694f1f5417b8dc8a2c5ac2fe59b4b10d792273dfd00c40d9
SHA512

79811bfd3cc4afa16bcfb48a2ced69b540b0bb710b6d4a8e0ae2e4e2f0c1349940248ca35ed485254c0e675e2925f1e7a5a2f190ac83cd00daa3ef5d64deb6b2
SSDEEP

24576:auYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:C9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3432-4-0x0000000000EE0000-0x0000000000EE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
732	CustomShellHost.exe
1700	SystemSettingsRemoveDevice.exe
5016	Dxpserver.exe

Loads dropped DLL 3 IoCs

pid	Process
732	CustomShellHost.exe
1700	SystemSettingsRemoveDevice.exe
5016	Dxpserver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pjlpxjignwwhtsp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\SMARTA~1\\1033\\SYN3\\SYSTEM~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CustomShellHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3136	rundll32.exe
3136	rundll32.exe
3136	rundll32.exe
3136	rundll32.exe
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 2568	3432	Process not Found	84
PID 3432 wrote to memory of 2568	3432	Process not Found	84
PID 3432 wrote to memory of 732	3432	Process not Found	85
PID 3432 wrote to memory of 732	3432	Process not Found	85
PID 3432 wrote to memory of 2368	3432	Process not Found	86
PID 3432 wrote to memory of 2368	3432	Process not Found	86
PID 3432 wrote to memory of 1700	3432	Process not Found	87
PID 3432 wrote to memory of 1700	3432	Process not Found	87
PID 3432 wrote to memory of 2952	3432	Process not Found	88
PID 3432 wrote to memory of 2952	3432	Process not Found	88
PID 3432 wrote to memory of 5016	3432	Process not Found	89
PID 3432 wrote to memory of 5016	3432	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b85a378b5aa0e00ad580ced76cf24c4_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3136

C:\Windows\system32\CustomShellHost.exe
C:\Windows\system32\CustomShellHost.exe
1⤵
PID:2568

C:\Users\Admin\AppData\Local\wty\CustomShellHost.exe
C:\Users\Admin\AppData\Local\wty\CustomShellHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:732

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:2368

C:\Users\Admin\AppData\Local\nxiaA\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\nxiaA\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1700

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:2952

C:\Users\Admin\AppData\Local\EUQPFLh\Dxpserver.exe
C:\Users\Admin\AppData\Local\EUQPFLh\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EUQPFLh\Dxpserver.exe

Filesize
310KB

MD5
6344f1a7d50da5732c960e243c672165

SHA1
b6d0236f79d4f988640a8445a5647aff5b5410f7

SHA256
b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

SHA512
73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

Download Submit
C:\Users\Admin\AppData\Local\EUQPFLh\dwmapi.dll

Filesize
1.2MB

MD5
40624d4c41d3dca97f9f35e7630af4c7

SHA1
5678113d465694aecbda1cfbea6f72fe735a282f

SHA256
635ddcf1bcfbca5dc8612d7ab7ff192ed842b890641068db14b630f518a9d2c4

SHA512
6abd60287c6970c9be4d3fa59e69903f3af3382421c5841633920485191554938f357427bf7f19588f683efc03a37a3aea9b96b714785419d5c37c0fd257bbd0

Download Submit
C:\Users\Admin\AppData\Local\nxiaA\DUI70.dll

Filesize
1.4MB

MD5
adb16bfaaf8aaa1ad7a41799eee69588

SHA1
656c30d67cd8752b4ea4131bb53c6154e8de8768

SHA256
fc2ed3fb6aafcb9f5ea5d3400c53b26b8be06dce4da13e6e51535523a783cd57

SHA512
fcc3d4d0407a00f610bf4e649bd8522d465dce6f4f1b48975dfc8da45a6b08655ec24e2f0db069d7e30b8febecc511f86820a11ce2e352d25ec7cacb75a36f9f

Download Submit
C:\Users\Admin\AppData\Local\nxiaA\SystemSettingsRemoveDevice.exe

Filesize
39KB

MD5
7853f1c933690bb7c53c67151cbddeb0

SHA1
d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

SHA256
9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

SHA512
831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

Download Submit
C:\Users\Admin\AppData\Local\wty\CustomShellHost.exe

Filesize
835KB

MD5
70400e78b71bc8efdd063570428ae531

SHA1
cd86ecd008914fdd0389ac2dc00fe92d87746096

SHA256
91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

SHA512
53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

Download Submit
C:\Users\Admin\AppData\Local\wty\WTSAPI32.dll

Filesize
1.2MB

MD5
d0659d9c565b5736d499caf62e989dd8

SHA1
915a16930152f21a01c6a3189f30e32cb3f3a793

SHA256
cac717495c0ca765255fd4d811fa8476dee1f7c3a87256a1368a1fdb6b48b861

SHA512
e88b6911fb27546d0a202dc9756aee230649aa382a2d4f5e43733764c94fb337be52810603658b03b271cb69ffd01d5eec81ad3dfc96fa606e48442aec53ce5a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Swgfzbi.lnk

Filesize
1KB

MD5
5e01d51bb71ef2ef57f327db8753a916

SHA1
cd8e75dbb5bd4edda89a5b29b64ae785d014c575

SHA256
32293e4e50c21b82ce591adc3c1de570fcb3f6270a20f298c893900e17224e82

SHA512
9902d4f1721a2af836eadb6dfa5279c6391dbdda70d91715cd57607d6b401c66c6eef30d28855770fa7a0df890111760b722c9d39bc39fa7e62f200174097129

Download Submit
memory/732-47-0x00007FF93FAD0000-0x00007FF93FC02000-memory.dmp

Filesize
1.2MB

Download
memory/732-52-0x00007FF93FAD0000-0x00007FF93FC02000-memory.dmp

Filesize
1.2MB

Download
memory/732-46-0x000002740E890000-0x000002740E897000-memory.dmp

Filesize
28KB

Download
memory/1700-66-0x000001AB63160000-0x000001AB63167000-memory.dmp

Filesize
28KB

Download
memory/1700-63-0x00007FF93C160000-0x00007FF93C2D7000-memory.dmp

Filesize
1.5MB

Download
memory/1700-69-0x00007FF93C160000-0x00007FF93C2D7000-memory.dmp

Filesize
1.5MB

Download
memory/3136-0-0x00007FF93FAD0000-0x00007FF93FC01000-memory.dmp

Filesize
1.2MB

Download
memory/3136-39-0x00007FF93FAD0000-0x00007FF93FC01000-memory.dmp

Filesize
1.2MB

Download
memory/3136-3-0x0000010E7A340000-0x0000010E7A347000-memory.dmp

Filesize
28KB

Download
memory/3432-34-0x0000000000E10000-0x0000000000E17000-memory.dmp

Filesize
28KB

Download
memory/3432-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-33-0x00007FF9490DA000-0x00007FF9490DB000-memory.dmp

Filesize
4KB

Download
memory/3432-35-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-37-0x00007FF94B010000-0x00007FF94B020000-memory.dmp

Filesize
64KB

Download
memory/3432-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3432-4-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/5016-86-0x00007FF93FAD0000-0x00007FF93FC02000-memory.dmp

Filesize
1.2MB

Download
memory/5016-84-0x000001790BDD0000-0x000001790BDD7000-memory.dmp

Filesize
28KB

Download