dridex | dc23e2b53c2f9f56939cd4765aaea383fb37e638afe4db25e55fcc33a065792c

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ec087fb5c9ac0a2ed26f817ccbe872a_JaffaCakes118.dll
Size

1.2MB
MD5

7ec087fb5c9ac0a2ed26f817ccbe872a
SHA1

7e186b2401393151ba721cfb79533dd277235f30
SHA256

dc23e2b53c2f9f56939cd4765aaea383fb37e638afe4db25e55fcc33a065792c
SHA512

dfcf6d814a56829c535b1742be85c718839f386ef29e09281dce0afdf79046b4b507de23b30c1810938c26dfbb235ab8e650a6b7353560021db47903e026d12e
SSDEEP

24576:SuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:69cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3536-4-0x00000000026C0000-0x00000000026C1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

Narrator.exerecdisc.exerdpshell.exesessionmsg.exe

pid	Process
4620	Narrator.exe
4600	recdisc.exe
1960	rdpshell.exe
3296	sessionmsg.exe

Loads dropped DLL 3 IoCs

Processes:

recdisc.exerdpshell.exesessionmsg.exe

pid	Process
4600	recdisc.exe
1960	rdpshell.exe
3296	sessionmsg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pjlpxjignwwhtsp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\Managed\\WORDDO~1\\v83iS\\rdpshell.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sessionmsg.exerundll32.exerecdisc.exerdpshell.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1916	rundll32.exe
1916	rundll32.exe
1916	rundll32.exe
1916	rundll32.exe
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

description	pid	procid_target
PID 3536 wrote to memory of 1920	3536	86
PID 3536 wrote to memory of 1920	3536	86
PID 3536 wrote to memory of 864	3536	88
PID 3536 wrote to memory of 864	3536	88
PID 3536 wrote to memory of 4600	3536	89
PID 3536 wrote to memory of 4600	3536	89
PID 3536 wrote to memory of 2872	3536	90
PID 3536 wrote to memory of 2872	3536	90
PID 3536 wrote to memory of 1960	3536	91
PID 3536 wrote to memory of 1960	3536	91
PID 3536 wrote to memory of 4528	3536	92
PID 3536 wrote to memory of 4528	3536	92
PID 3536 wrote to memory of 3296	3536	93
PID 3536 wrote to memory of 3296	3536	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ec087fb5c9ac0a2ed26f817ccbe872a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1916

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:1920

C:\Users\Admin\AppData\Local\Um6nbLk\Narrator.exe
C:\Users\Admin\AppData\Local\Um6nbLk\Narrator.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:864

C:\Users\Admin\AppData\Local\ct35MDqh\recdisc.exe
C:\Users\Admin\AppData\Local\ct35MDqh\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4600

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:2872

C:\Users\Admin\AppData\Local\x3RiHH\rdpshell.exe
C:\Users\Admin\AppData\Local\x3RiHH\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1960

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:4528

C:\Users\Admin\AppData\Local\QLn4ah71c\sessionmsg.exe
C:\Users\Admin\AppData\Local\QLn4ah71c\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QLn4ah71c\DUI70.dll

Filesize
1.4MB

MD5
68eca9bac52fefe618ad8da74154c027

SHA1
4ec4ce4c25f675bb1a20b4f02759621df8f9d3a9

SHA256
e7ca4ce5ed4a99b6a332bc2a621d2a292b220104b35fc5ebf98f897f8c6f1afc

SHA512
ddc429c011e32d144c05bb7c77770fed3b19f3ccacc9981497bdaacaa3e7f388c4c9801bf21adb8485e26381354c51e3d1def691817862cfe1784ba5c484b694

Download Submit
C:\Users\Admin\AppData\Local\QLn4ah71c\sessionmsg.exe

Filesize
85KB

MD5
480f710806b68dfe478ca1ec7d7e79cc

SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd

SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Download Submit
C:\Users\Admin\AppData\Local\Um6nbLk\Narrator.exe

Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Local\ct35MDqh\ReAgent.dll

Filesize
1.2MB

MD5
99d4d810785e01404e15acd5142064ec

SHA1
5315ea4e3335bafcbfb143a372968be5bd1dbdfd

SHA256
f8002b77ade1bbed4313465e7d33c858ba6a36cb78e9b2835c82042fac868501

SHA512
aef812f9ddbea1ab9886eb79dfa812d4c9cc75746e5834ec159fd2707e0f0cd0dc04ffbe808c45b842d5134f941c3a61c34ad75083c61c90cff34e5b6775096f

Download Submit
C:\Users\Admin\AppData\Local\ct35MDqh\recdisc.exe

Filesize
193KB

MD5
18afee6824c84bf5115bada75ff0a3e7

SHA1
d10f287a7176f57b3b2b315a5310d25b449795aa

SHA256
0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

SHA512
517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

Download Submit
C:\Users\Admin\AppData\Local\x3RiHH\WINSTA.dll

Filesize
1.2MB

MD5
d82630c74a6f56395ab90e9c456ee911

SHA1
555e8fe14d0373668f5d5ff9280bacaf6c5bdb34

SHA256
e5aae55bbfabb29bdea35a1765feb47e8bd15571fe423ff2c5e073287e796c34

SHA512
8f8fdaeb980df84e2a5e6c1ccf23a75b4cc4d4c6a93f4bc167b8e6115226ca3e2ea1bfc2a8b8ae5d3e6507ab4ba3ba714a64533ac3a7a770e76b656e58fa986d

Download Submit
C:\Users\Admin\AppData\Local\x3RiHH\rdpshell.exe

Filesize
468KB

MD5
428066713f225bb8431340fa670671d4

SHA1
47f6878ff33317c3fc09c494df729a463bda174c

SHA256
da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

SHA512
292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Swgfzbi.lnk

Filesize
1KB

MD5
f573fff362bbd3b2390ef7050e3cd57f

SHA1
bfa72133d8bcf4b53e783d36ca598e9c4bec04bc

SHA256
6731eb0c4745adc545d1dc3560c81ecdc2dbb92dd0fc44af6d7c0ce84c312703

SHA512
ec47e8a50a462a5020d97140f9dedf981790539ea270cb8345a87c3aeb60099a250abd170b9a178593cee4e655b3f8472038c7f55667aac0c679144bd4b76df9

Download Submit
memory/1916-2-0x00007FFDA14B0000-0x00007FFDA15E1000-memory.dmp

Filesize
1.2MB

Download
memory/1916-39-0x00007FFDA14B0000-0x00007FFDA15E1000-memory.dmp

Filesize
1.2MB

Download
memory/1916-0-0x00000210DF3B0000-0x00000210DF3B7000-memory.dmp

Filesize
28KB

Download
memory/1960-77-0x00007FFDAFB30000-0x00007FFDAFC63000-memory.dmp

Filesize
1.2MB

Download
memory/1960-74-0x00000221D97F0000-0x00000221D97F7000-memory.dmp

Filesize
28KB

Download
memory/1960-71-0x00007FFDAFB30000-0x00007FFDAFC63000-memory.dmp

Filesize
1.2MB

Download
memory/3296-91-0x000001D48E810000-0x000001D48E817000-memory.dmp

Filesize
28KB

Download
memory/3296-88-0x00007FFDAFAF0000-0x00007FFDAFC67000-memory.dmp

Filesize
1.5MB

Download
memory/3296-94-0x00007FFDAFAF0000-0x00007FFDAFC67000-memory.dmp

Filesize
1.5MB

Download
memory/3536-32-0x0000000002680000-0x0000000002687000-memory.dmp

Filesize
28KB

Download
memory/3536-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3536-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3536-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3536-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3536-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3536-6-0x00007FFDBE71A000-0x00007FFDBE71B000-memory.dmp

Filesize
4KB

Download
memory/3536-4-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/3536-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3536-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3536-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3536-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3536-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3536-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3536-34-0x00007FFDBEA90000-0x00007FFDBEAA0000-memory.dmp

Filesize
64KB

Download
memory/3536-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3536-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4600-60-0x00007FFDAFB30000-0x00007FFDAFC62000-memory.dmp

Filesize
1.2MB

Download
memory/4600-57-0x0000023A90B50000-0x0000023A90B57000-memory.dmp

Filesize
28KB

Download
memory/4600-54-0x00007FFDAFB30000-0x00007FFDAFC62000-memory.dmp

Filesize
1.2MB

Download