dridex | f11eb150d3899616f4e6857c247bf09496fefc2f44d9badbbba02b85dedb8f9d

Analysis

max time kernel
149s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93ae5f6059247d99d43a26e7968f6553_JaffaCakes118.dll
Size

1.2MB
MD5

93ae5f6059247d99d43a26e7968f6553
SHA1

725d664d5358124d996b425828f6f1412e9cb7e6
SHA256

f11eb150d3899616f4e6857c247bf09496fefc2f44d9badbbba02b85dedb8f9d
SHA512

01755678f491dce52317eebf5f4f48dba124dddb364e3ef97174f4bd42d2410e00737ba3d429302a7b1964d0a6ed845cb96ea10fc280d2aa5b0a1584561f0ada
SSDEEP

24576:4uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:I9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3492-4-0x0000000002680000-0x0000000002681000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4868	WMPDMC.exe
1752	rdpclip.exe
2924	slui.exe

Loads dropped DLL 3 IoCs

pid	Process
4868	WMPDMC.exe
1752	rdpclip.exe
2924	slui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wdtbxtklooytt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\xe9\\rdpclip.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMPDMC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3504	regsvr32.exe
3504	regsvr32.exe
3504	regsvr32.exe
3504	regsvr32.exe
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found
3492	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3492	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 2524	3492	Process not Found	94
PID 3492 wrote to memory of 2524	3492	Process not Found	94
PID 3492 wrote to memory of 4868	3492	Process not Found	95
PID 3492 wrote to memory of 4868	3492	Process not Found	95
PID 3492 wrote to memory of 3524	3492	Process not Found	96
PID 3492 wrote to memory of 3524	3492	Process not Found	96
PID 3492 wrote to memory of 1752	3492	Process not Found	97
PID 3492 wrote to memory of 1752	3492	Process not Found	97
PID 3492 wrote to memory of 1688	3492	Process not Found	98
PID 3492 wrote to memory of 1688	3492	Process not Found	98
PID 3492 wrote to memory of 2924	3492	Process not Found	99
PID 3492 wrote to memory of 2924	3492	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\93ae5f6059247d99d43a26e7968f6553_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3504

C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
1⤵
PID:2524

C:\Users\Admin\AppData\Local\ZNx\WMPDMC.exe
C:\Users\Admin\AppData\Local\ZNx\WMPDMC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4868

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:3524

C:\Users\Admin\AppData\Local\uZ6ttVjJ\rdpclip.exe
C:\Users\Admin\AppData\Local\uZ6ttVjJ\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1752

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:1688

C:\Users\Admin\AppData\Local\iLe8dUO9t\slui.exe
C:\Users\Admin\AppData\Local\iLe8dUO9t\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ZNx\UxTheme.dll

Filesize
1.2MB

MD5
652e6330ab9063335b93b91038da6a43

SHA1
c63560896321e58684e83dc79ee85dbf30979b1d

SHA256
23fbfb6501dae5a7011960995ced849764204e98f606f52e1ae193335c71beb9

SHA512
602766efc1337ab80e00bcc346beb290203b7c7714a4165420c86fe849da05a4b20f08a95cf2dfb1b06df44a7f6552038d846368e3c30218ba2a37b82fbaf428

Download Submit
C:\Users\Admin\AppData\Local\ZNx\WMPDMC.exe

Filesize
1.5MB

MD5
59ce6e554da0a622febce19eb61c4d34

SHA1
176a4a410cb97b3d4361d2aea0edbf17e15d04c7

SHA256
c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

SHA512
e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

Download Submit
C:\Users\Admin\AppData\Local\iLe8dUO9t\WTSAPI32.dll

Filesize
1.2MB

MD5
c4281f8a8fa825ffd33003d12acf39da

SHA1
5bd4ac4a691f4e4f006c46e3f2b927e56ae880f3

SHA256
8d12996b3a4bd80585ec879e03e584cbffa05527c8187104af74e5c6deeed5a6

SHA512
14ece63da71401e4cccf4ef194bb7fb315bae5b87352d1db07d5c4b19a43bb86f22bdea290fde765b97d184c66358ae5e3fe38a882dc96827982005904dd01b1

Download Submit
C:\Users\Admin\AppData\Local\iLe8dUO9t\slui.exe

Filesize
534KB

MD5
eb725ea35a13dc18eac46aa81e7f2841

SHA1
c0b3304c970324952e18c4a51073e3bdec73440b

SHA256
25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

SHA512
39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

Download Submit
C:\Users\Admin\AppData\Local\uZ6ttVjJ\dwmapi.dll

Filesize
1.2MB

MD5
2011ea993247e0645f02ec32edda8aa5

SHA1
26ec2da4893cb245fb9a8dce7de2c63c64405921

SHA256
d8d01842eaf545d94c5c1401389487513e1235f024135b01c5b15f37341a23d9

SHA512
635ebb7f409ec3ee6876035e6953fa3b4c622a04c8ee72af9d9aae1fe19fa4aa58c4bf376d3740da54c845c2bff8e6c7b1577ac8f6168efd2d97b3d0040df6a0

Download Submit
C:\Users\Admin\AppData\Local\uZ6ttVjJ\rdpclip.exe

Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ahvhgxnkgdxqlh.lnk

Filesize
938B

MD5
42af50b445b193d3613284766149177c

SHA1
554ec1e7f911a1fe49f7402f4666ccef5ad6e7b6

SHA256
11ea822ba4b6575c6681c914a23418279c8666a8b6d118154c57feed7bf0298d

SHA512
43738dbd0f5fd641c8f23799be1fcd64179b111a8e86e04963dfaa9ecb7a2351259e8bb2933145201fadf8bae98d0cf4274552af488c450294217c3bd23988b9

Download Submit
memory/1752-69-0x00007FFD536F0000-0x00007FFD53822000-memory.dmp

Filesize
1.2MB

Download
memory/1752-66-0x000001F67FCD0000-0x000001F67FCD7000-memory.dmp

Filesize
28KB

Download
memory/2924-85-0x00007FFD536F0000-0x00007FFD53822000-memory.dmp

Filesize
1.2MB

Download
memory/3492-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3492-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3492-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3492-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3492-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3492-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3492-6-0x00007FFD6F34A000-0x00007FFD6F34B000-memory.dmp

Filesize
4KB

Download
memory/3492-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3492-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3492-4-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/3492-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3492-34-0x00000000026A0000-0x00000000026A7000-memory.dmp

Filesize
28KB

Download
memory/3492-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3492-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3492-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3492-35-0x00007FFD71270000-0x00007FFD71280000-memory.dmp

Filesize
64KB

Download
memory/3492-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3504-39-0x00007FFD62500000-0x00007FFD62631000-memory.dmp

Filesize
1.2MB

Download
memory/3504-0-0x00007FFD62500000-0x00007FFD62631000-memory.dmp

Filesize
1.2MB

Download
memory/3504-3-0x0000000002FA0000-0x0000000002FA7000-memory.dmp

Filesize
28KB

Download
memory/4868-52-0x00007FFD536F0000-0x00007FFD53822000-memory.dmp

Filesize
1.2MB

Download
memory/4868-46-0x00007FFD536F0000-0x00007FFD53822000-memory.dmp

Filesize
1.2MB

Download
memory/4868-49-0x000002A2903A0000-0x000002A2903A7000-memory.dmp

Filesize
28KB

Download