dridex | cae8edf96ad41267994ab6e5ed6831a50acf695c3a706f4b5fa0fbc41d9efc6d

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84e153b09cdcf94c51fb28dd948c40ce_JaffaCakes118.dll
Size

1.2MB
MD5

84e153b09cdcf94c51fb28dd948c40ce
SHA1

a62a91ac31a93b7e788388017017dcaddafc2c50
SHA256

cae8edf96ad41267994ab6e5ed6831a50acf695c3a706f4b5fa0fbc41d9efc6d
SHA512

23fbe66b8768326e23f657d57e6643e38dd19d137c42594fb73c946680b3114871e20a1695fc58c979fe1de77f0eba4f9dda97c76828949a93d1cc24b306ac85
SSDEEP

24576:MuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:k9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3456-4-0x0000000002DE0000-0x0000000002DE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2076	bdechangepin.exe
3292	SysResetErr.exe
5096	MDMAppInstaller.exe

Loads dropped DLL 3 IoCs

pid	Process
2076	bdechangepin.exe
3292	SysResetErr.exe
5096	MDMAppInstaller.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Veuhujsfce = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\BaNm\\SysResetErr.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MDMAppInstaller.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4072	rundll32.exe
4072	rundll32.exe
4072	rundll32.exe
4072	rundll32.exe
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3456	Process not Found
3456	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 4524	3456	Process not Found	94
PID 3456 wrote to memory of 4524	3456	Process not Found	94
PID 3456 wrote to memory of 2076	3456	Process not Found	95
PID 3456 wrote to memory of 2076	3456	Process not Found	95
PID 3456 wrote to memory of 4768	3456	Process not Found	96
PID 3456 wrote to memory of 4768	3456	Process not Found	96
PID 3456 wrote to memory of 3292	3456	Process not Found	97
PID 3456 wrote to memory of 3292	3456	Process not Found	97
PID 3456 wrote to memory of 4896	3456	Process not Found	98
PID 3456 wrote to memory of 4896	3456	Process not Found	98
PID 3456 wrote to memory of 5096	3456	Process not Found	99
PID 3456 wrote to memory of 5096	3456	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\84e153b09cdcf94c51fb28dd948c40ce_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4072

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:4524

C:\Users\Admin\AppData\Local\bO9iI\bdechangepin.exe
C:\Users\Admin\AppData\Local\bO9iI\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2076

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:4768

C:\Users\Admin\AppData\Local\ehsRAqfF\SysResetErr.exe
C:\Users\Admin\AppData\Local\ehsRAqfF\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3292

C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
1⤵
PID:4896

C:\Users\Admin\AppData\Local\vMPPH\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\vMPPH\MDMAppInstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\bO9iI\DUI70.dll

Filesize
1.4MB

MD5
5b708e393b74ffc6b424bcbff1b2cb3e

SHA1
a4dc54407d05a3cddd92333d0a6b7d0002a5ad5c

SHA256
5df14e604ffa804ae1cf8972c14bb524f0a0b9077c1752c847d91a53bae8fae3

SHA512
3872e5a3d523e2a3c0b2eb3d803f455bca620c37a58e3f9c306f6b46fa94d375e2079fae3c65344d15b54fd891a773b8cf6daaa566c55dc22a41256f627a0bda

Download Submit
C:\Users\Admin\AppData\Local\bO9iI\bdechangepin.exe

Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
C:\Users\Admin\AppData\Local\ehsRAqfF\DUI70.dll

Filesize
1.4MB

MD5
5b00c698bdc6b0c57e90293f51c0f893

SHA1
990742dd393caf7bbec99a8f5e0140a6f432a2c4

SHA256
54f710b8b8a5463b5b5702bce0bef9b45fbc8e03a8ea762faeff8fabb48bfe2d

SHA512
066c20bbde8528fa627e8a029d2f805f5aa8e7b39ea8ed725b83c7ed88eebd2821dc07c870fa569144979b751e9427b7471e3137892cba4c69842a2efefa378d

Download Submit
C:\Users\Admin\AppData\Local\ehsRAqfF\SysResetErr.exe

Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Local\vMPPH\MDMAppInstaller.exe

Filesize
151KB

MD5
30e978cc6830b04f1e7ed285cccaa746

SHA1
e915147c17e113c676c635e2102bbff90fb7aa52

SHA256
dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

SHA512
331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

Download Submit
C:\Users\Admin\AppData\Local\vMPPH\WTSAPI32.dll

Filesize
1.2MB

MD5
f3228b9b198f3f8f4c3cc9a7db905008

SHA1
0b32b8c10704604730574c1efd5a4ea576bebaa4

SHA256
65224bfdcdb298999cfe1c2573a7eec9bc2359c9fe31b00023a4a82fd62801c8

SHA512
2c55ec09be3d8a7fade7268304696163dd295ed075d1f0a2ae950c901d026e27db12a07668aae58265ddc86348f60db646c9392122d891b62ea457049df4d331

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piobvoh.lnk

Filesize
1KB

MD5
cdce8d2a69f76b1a9fec9909901940f2

SHA1
514571e3164da445ca4bd95f4c5ce5e9b89dd7a5

SHA256
3f12aa3d56a4d0fa40b2f287791c8fc3ffdc5fa6c5abb8bd16ef62cafd7b55b3

SHA512
96243793d7c824eb5845712f4dc1f5b987148454484f71a1d7b63f9778080f333c7d3956362dc11d33fb96b9dbe5e20786e93b3c0c0cfd8f51d294e00d854477

Download Submit
memory/2076-52-0x00007FFD69EB0000-0x00007FFD6A027000-memory.dmp

Filesize
1.5MB

Download
memory/2076-49-0x000001E809DB0000-0x000001E809DB7000-memory.dmp

Filesize
28KB

Download
memory/2076-46-0x00007FFD69EB0000-0x00007FFD6A027000-memory.dmp

Filesize
1.5MB

Download
memory/3292-69-0x00007FFD69EB0000-0x00007FFD6A027000-memory.dmp

Filesize
1.5MB

Download
memory/3292-66-0x00000152ADC10000-0x00000152ADC17000-memory.dmp

Filesize
28KB

Download
memory/3456-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3456-30-0x0000000002DC0000-0x0000000002DC7000-memory.dmp

Filesize
28KB

Download
memory/3456-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3456-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3456-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3456-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3456-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3456-6-0x00007FFD865AA000-0x00007FFD865AB000-memory.dmp

Filesize
4KB

Download
memory/3456-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3456-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3456-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3456-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3456-4-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/3456-31-0x00007FFD876D0000-0x00007FFD876E0000-memory.dmp

Filesize
64KB

Download
memory/3456-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3456-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3456-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4072-0-0x0000023FD7B10000-0x0000023FD7B17000-memory.dmp

Filesize
28KB

Download
memory/4072-39-0x00007FFD78F10000-0x00007FFD79041000-memory.dmp

Filesize
1.2MB

Download
memory/4072-1-0x00007FFD78F10000-0x00007FFD79041000-memory.dmp

Filesize
1.2MB

Download
memory/5096-80-0x00007FFD69EF0000-0x00007FFD6A022000-memory.dmp

Filesize
1.2MB

Download
memory/5096-83-0x000001B73E150000-0x000001B73E157000-memory.dmp

Filesize
28KB

Download
memory/5096-86-0x00007FFD69EF0000-0x00007FFD6A022000-memory.dmp

Filesize
1.2MB

Download