dridex | 2f443db9f9fc25883037a0bf7b22ce1a62c2bc507bde6377337cced692e7b2b1

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d1d5e824e0aef34e48a227d488b888b_JaffaCakes118.dll
Size

1.2MB
MD5

7d1d5e824e0aef34e48a227d488b888b
SHA1

682317d1da0374c00dd29ea14f4f310e84abd8c3
SHA256

2f443db9f9fc25883037a0bf7b22ce1a62c2bc507bde6377337cced692e7b2b1
SHA512

3bfc039ef2440ea24cd143d480e7d512ef95de46d5b680a9013e0cbe29bf17df2fb1da385788002578e73c535ff564bf6877213063f7f53e3d5244104bd79a24
SSDEEP

24576:WuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:W9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3432-4-0x0000000002830000-0x0000000002831000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

consent.exemmc.exeSppExtComObj.Exeisoburn.exe

pid	Process
2400	consent.exe
2028	mmc.exe
4684	SppExtComObj.Exe
1060	isoburn.exe

Loads dropped DLL 3 IoCs

Processes:

mmc.exeSppExtComObj.Exeisoburn.exe

pid	Process
2028	mmc.exe
4684	SppExtComObj.Exe
1060	isoburn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zdgdcgkgx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\WORDDO~2\\EABGCC~1\\SPPEXT~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemmc.exeSppExtComObj.Exeisoburn.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.Exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe

Modifies registry class 1 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2216	rundll32.exe
2216	rundll32.exe
2216	rundll32.exe
2216	rundll32.exe
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3432
3432

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3432

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	procid_target
PID 3432 wrote to memory of 1520	3432	89
PID 3432 wrote to memory of 1520	3432	89
PID 3432 wrote to memory of 2400	3432	90
PID 3432 wrote to memory of 2400	3432	90
PID 3432 wrote to memory of 1072	3432	91
PID 3432 wrote to memory of 1072	3432	91
PID 3432 wrote to memory of 2028	3432	92
PID 3432 wrote to memory of 2028	3432	92
PID 3432 wrote to memory of 1572	3432	93
PID 3432 wrote to memory of 1572	3432	93
PID 3432 wrote to memory of 4684	3432	94
PID 3432 wrote to memory of 4684	3432	94
PID 3432 wrote to memory of 4168	3432	95
PID 3432 wrote to memory of 4168	3432	95
PID 3432 wrote to memory of 1060	3432	96
PID 3432 wrote to memory of 1060	3432	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d1d5e824e0aef34e48a227d488b888b_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:1520

C:\Users\Admin\AppData\Local\7mv\consent.exe
C:\Users\Admin\AppData\Local\7mv\consent.exe
1⤵
- Executes dropped EXE
PID:2400

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:1072

C:\Users\Admin\AppData\Local\B4Z46hi\mmc.exe
C:\Users\Admin\AppData\Local\B4Z46hi\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2028

C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
1⤵
PID:1572

C:\Users\Admin\AppData\Local\VWhndmCm6\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\VWhndmCm6\SppExtComObj.Exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4684

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:4168

C:\Users\Admin\AppData\Local\q4OYiAtWe\isoburn.exe
C:\Users\Admin\AppData\Local\q4OYiAtWe\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7mv\consent.exe

Filesize
162KB

MD5
6646631ce4ad7128762352da81f3b030

SHA1
1095bd4b63360fc2968d75622aa745e5523428ab

SHA256
56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64

SHA512
1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

Download Submit
C:\Users\Admin\AppData\Local\B4Z46hi\UxTheme.dll

Filesize
1.2MB

MD5
eb1da2418fab3adefd99e001fa2466ac

SHA1
cfdeaf5a714543ca590aa74fd891188dab833c60

SHA256
1220a0995fe65f5125a9dde46a8ccef94ddb5e386d70b1780e8eeb58c3702743

SHA512
46cf1074423f0b6f6d95f62c14ddcb7c1343ef56a79b07bb8f79183f85c835781320e6c25920e2febea0bf7991cb4376d1fe0fe73918dcf71b9b41e34936dc8c

Download Submit
C:\Users\Admin\AppData\Local\B4Z46hi\mmc.exe

Filesize
1.8MB

MD5
8c86b80518406f14a4952d67185032d6

SHA1
9269f1fbcf65fefbc88a2e239519c21efe0f6ba5

SHA256
895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a

SHA512
1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

Download Submit
C:\Users\Admin\AppData\Local\VWhndmCm6\ACTIVEDS.dll

Filesize
1.2MB

MD5
264cc7f2574e82c4186e36bd583257a4

SHA1
9916109dc8445cff3c52fc49d6ed8ae7e8dd2151

SHA256
8e34402ddb01a2f5bc443bd6a201419b58d7d9dd91b4080419ce193171b18485

SHA512
89fb5da124533e8a4b6a85022eb711be3f613a85e97535cdbab8c535d071dfa8821e7b7e2aff49fcc53d58f3ed88111a3efde9b41f08e417dffa20ea0b229741

Download Submit
C:\Users\Admin\AppData\Local\VWhndmCm6\SppExtComObj.Exe

Filesize
559KB

MD5
728a78909aa69ca0e976e94482350700

SHA1
6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

SHA256
2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

SHA512
22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

Download Submit
C:\Users\Admin\AppData\Local\q4OYiAtWe\UxTheme.dll

Filesize
1.2MB

MD5
83e19d4750fdd4318a37ff95b920cc5d

SHA1
daae5681ef36bb9c286afcdca97a922d6eb45078

SHA256
77a8735deda666f76d9111a6ec2c3604ee87cf5aec68f462692e54600e67d531

SHA512
98222003814f0ef4dc30e0e272362487cf60596252a04ca5c85d6eba91284cdcae2d4412ffa6d04d86394eb6c63000cef62d69796552c3777802c064f4731282

Download Submit
C:\Users\Admin\AppData\Local\q4OYiAtWe\isoburn.exe

Filesize
119KB

MD5
68078583d028a4873399ae7f25f64bad

SHA1
a3c928fe57856a10aed7fee17670627fe663e6fe

SHA256
9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567

SHA512
25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ozpfed.lnk

Filesize
1KB

MD5
4c202381da45240b559041e06ad37bc8

SHA1
50daf6c0bddb05ddd82713911a77287de5238a14

SHA256
708b15ed5712e41dbabda9e9f4b1eb20d6ba6602446825f2491757239bff4301

SHA512
71dc9beb82afac6ae7ea02c819da36167b25c52317714dc1182d98d941602a67efffe78baed16ea5859d1f7ddf2ee8e46a83d958d6be378dd29423a80bcc1320

Download Submit
memory/1060-89-0x00007FFE550C0000-0x00007FFE551F1000-memory.dmp

Filesize
1.2MB

Download
memory/2028-58-0x00007FFE512B0000-0x00007FFE513E1000-memory.dmp

Filesize
1.2MB

Download
memory/2028-57-0x0000000002B90000-0x0000000002B97000-memory.dmp

Filesize
28KB

Download
memory/2028-54-0x00007FFE512B0000-0x00007FFE513E1000-memory.dmp

Filesize
1.2MB

Download
memory/2216-0-0x00007FFE550D0000-0x00007FFE55200000-memory.dmp

Filesize
1.2MB

Download
memory/2216-38-0x00007FFE550D0000-0x00007FFE55200000-memory.dmp

Filesize
1.2MB

Download
memory/2216-3-0x0000026675780000-0x0000026675787000-memory.dmp

Filesize
28KB

Download
memory/3432-29-0x00007FFE60810000-0x00007FFE60820000-memory.dmp

Filesize
64KB

Download
memory/3432-28-0x00000000008F0000-0x00000000008F7000-memory.dmp

Filesize
28KB

Download
memory/3432-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-27-0x00007FFE5E96A000-0x00007FFE5E96B000-memory.dmp

Filesize
4KB

Download
memory/3432-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-23-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-4-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3432-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-6-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3432-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4684-73-0x00007FFE550C0000-0x00007FFE551F1000-memory.dmp

Filesize
1.2MB

Download
memory/4684-68-0x00007FFE550C0000-0x00007FFE551F1000-memory.dmp

Filesize
1.2MB

Download
memory/4684-67-0x00000272A2FD0000-0x00000272A2FD7000-memory.dmp

Filesize
28KB

Download