dridex | abdd071d272c602d9eb594c38b82fab881b995e75614c0956470c44f7e1654a6

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

946f198f08b87a5905b23ba3874d29f8_JaffaCakes118.dll
Size

1.2MB
MD5

946f198f08b87a5905b23ba3874d29f8
SHA1

415cd2e62beb581b477c633373aee2f0ab850035
SHA256

abdd071d272c602d9eb594c38b82fab881b995e75614c0956470c44f7e1654a6
SHA512

7806161254fb434014babf4794ff8bf8b1f4f2727a2fabd59d84b951fdbd28787bcf6a888f55620fb78161c5094eb99e5925884e8db473c08ccf96dfa944634b
SSDEEP

24576:AuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:Q9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3424-4-0x0000000002850000-0x0000000002851000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

tabcal.exerdpinit.exeApplicationFrameHost.exe

pid	Process
1904	tabcal.exe
552	rdpinit.exe
4320	ApplicationFrameHost.exe

Loads dropped DLL 3 IoCs

Processes:

tabcal.exerdpinit.exeApplicationFrameHost.exe

pid	Process
1904	tabcal.exe
552	rdpinit.exe
4320	ApplicationFrameHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wdtbxtklooytt = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\5C\\rdpinit.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exetabcal.exerdpinit.exeApplicationFrameHost.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplicationFrameHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2072	rundll32.exe
2072	rundll32.exe
2072	rundll32.exe
2072	rundll32.exe
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3424

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3424 wrote to memory of 2868	3424	94
PID 3424 wrote to memory of 2868	3424	94
PID 3424 wrote to memory of 1904	3424	95
PID 3424 wrote to memory of 1904	3424	95
PID 3424 wrote to memory of 2044	3424	96
PID 3424 wrote to memory of 2044	3424	96
PID 3424 wrote to memory of 552	3424	97
PID 3424 wrote to memory of 552	3424	97
PID 3424 wrote to memory of 4328	3424	98
PID 3424 wrote to memory of 4328	3424	98
PID 3424 wrote to memory of 4320	3424	99
PID 3424 wrote to memory of 4320	3424	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\946f198f08b87a5905b23ba3874d29f8_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2072

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:2868

C:\Users\Admin\AppData\Local\ESSf\tabcal.exe
C:\Users\Admin\AppData\Local\ESSf\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1904

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2044

C:\Users\Admin\AppData\Local\qRz\rdpinit.exe
C:\Users\Admin\AppData\Local\qRz\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:552

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:4328

C:\Users\Admin\AppData\Local\H2D\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\H2D\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ESSf\HID.DLL

Filesize
1.2MB

MD5
3600787af4a1e1dffafffdff20ec37c0

SHA1
92147f59cded6c37775d0dfe23eaadae25d94562

SHA256
575870b70444c759e267a75ea69c5684f0dd137fd0391fcbbaaf674343015d47

SHA512
17935022f39601d0ba61ca7dc8d345b811506928e5ad5ce6a36a5b9a198bbd98559c953cc19d9751502983f1d1e3e8c7fdf561f7079721cf9c80490e9f519b14

Download Submit
C:\Users\Admin\AppData\Local\ESSf\tabcal.exe

Filesize
84KB

MD5
40f4014416ff0cbf92a9509f67a69754

SHA1
1798ff7324724a32c810e2075b11c09b41e4fede

SHA256
f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

SHA512
646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

Download Submit
C:\Users\Admin\AppData\Local\H2D\ApplicationFrameHost.exe

Filesize
76KB

MD5
d58a8a987a8dafad9dc32a548cc061e7

SHA1
f79fc9e0ab066cad530b949c2153c532a5223156

SHA256
cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

SHA512
93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Download Submit
C:\Users\Admin\AppData\Local\H2D\dxgi.dll

Filesize
1.2MB

MD5
d5b423b806c4f350776d9147642078e4

SHA1
1d8ab9c9d0e836a9031871f388615259ab9dd276

SHA256
b1683e71eca38b26e12073452c2bd6f7883e1e6e9a87ebabb85f21e9f9b83228

SHA512
8b0eccc2c60a65887ae7c91eca1d3dfe527a73a3e424eba519d14f5fbfab2917ec5677e6dde55e059aa450c71ad45a6f49dc09ddc835e8665339267d219a76d2

Download Submit
C:\Users\Admin\AppData\Local\qRz\WTSAPI32.dll

Filesize
1.2MB

MD5
59c8c56efe96c753678b9982db977bbf

SHA1
b47290957b4fc39e55712a70a827d25fba5b8429

SHA256
99e37ed23fe3e35a697ad6cae0068901612eaab3e83c97b3c279895f1eca9328

SHA512
8ab12a63463e8f17cef77f9715a4b59fcebc11897d10f33d0e3b1c092138af0447d2aba14bc8f7f756793c8fd1b59beef233397c76672453c7fff28e7ed77ae9

Download Submit
C:\Users\Admin\AppData\Local\qRz\rdpinit.exe

Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ahvhgxnkgdxqlh.lnk

Filesize
1KB

MD5
1e49c70f6dd7af33e1ded02924dcb9bc

SHA1
c2f42f87e15bddfb4d7698cb8dc2f2e81285a2a8

SHA256
6030babd84a57d6d261198f3ea33c62bc6e46d8f6df4cad97642a7d6b1351550

SHA512
241b26fbf6352d8f25c500b6136eec351559f447d08ef329e0617659a2ffccabac9bdabe52ec78e1b73604907d224f701af9c33610d1b1d257092c9be8eb7293

Download Submit
memory/552-66-0x000001E9FEAC0000-0x000001E9FEAC7000-memory.dmp

Filesize
28KB

Download
memory/552-69-0x00007FF86E360000-0x00007FF86E492000-memory.dmp

Filesize
1.2MB

Download
memory/1904-52-0x00007FF86E360000-0x00007FF86E492000-memory.dmp

Filesize
1.2MB

Download
memory/1904-46-0x00007FF86E360000-0x00007FF86E492000-memory.dmp

Filesize
1.2MB

Download
memory/1904-49-0x0000019E75160000-0x0000019E75167000-memory.dmp

Filesize
28KB

Download
memory/2072-1-0x00007FF87DE40000-0x00007FF87DF71000-memory.dmp

Filesize
1.2MB

Download
memory/2072-39-0x00007FF87DE40000-0x00007FF87DF71000-memory.dmp

Filesize
1.2MB

Download
memory/2072-0-0x0000018577F30000-0x0000018577F37000-memory.dmp

Filesize
28KB

Download
memory/3424-36-0x0000000000800000-0x0000000000807000-memory.dmp

Filesize
28KB

Download
memory/3424-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-34-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-37-0x00007FF88C1B0000-0x00007FF88C1C0000-memory.dmp

Filesize
64KB

Download
memory/3424-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3424-4-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/3424-6-0x00007FF88A60A000-0x00007FF88A60B000-memory.dmp

Filesize
4KB

Download
memory/4320-86-0x00007FF86E360000-0x00007FF86E492000-memory.dmp

Filesize
1.2MB

Download
memory/4320-83-0x000001E6F0E70000-0x000001E6F0E77000-memory.dmp

Filesize
28KB

Download