dridex | 591c1e2c680af88e04a68e5401b6f40fc86835c6a3753068994822f8af071a06

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2024 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a653a6ca8bca2e4465c01ec60656a48_JaffaCakes118.dll
Size

1.2MB
MD5

9a653a6ca8bca2e4465c01ec60656a48
SHA1

224dbe5f344ec040c808667827eed50a30c7d8e7
SHA256

591c1e2c680af88e04a68e5401b6f40fc86835c6a3753068994822f8af071a06
SHA512

512fb0907bb2d248626ceb54371cd57230793748bcec48c4935c12ab47568f2eac4b63f6c702a602b2425b02fcc76584bd8a5980c5660ee47b81223071341b77
SSDEEP

24576:ruYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Ncpt:19cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3420-4-0x0000000002A70000-0x0000000002A71000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1164	dpapimig.exe
4560	mfpmp.exe
2244	DisplaySwitch.exe

Loads dropped DLL 3 IoCs

pid	Process
1164	dpapimig.exe
4560	mfpmp.exe
2244	DisplaySwitch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isybexcquevfui = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\oT7t4X33\\mfpmp.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
344	rundll32.exe
344	rundll32.exe
344	rundll32.exe
344	rundll32.exe
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3420	Process not Found
Token: SeCreatePagefilePrivilege	3420	Process not Found
Token: SeShutdownPrivilege	3420	Process not Found
Token: SeCreatePagefilePrivilege	3420	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3420	Process not Found
3420	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 1000	3420	Process not Found	87
PID 3420 wrote to memory of 1000	3420	Process not Found	87
PID 3420 wrote to memory of 1164	3420	Process not Found	88
PID 3420 wrote to memory of 1164	3420	Process not Found	88
PID 3420 wrote to memory of 1172	3420	Process not Found	91
PID 3420 wrote to memory of 1172	3420	Process not Found	91
PID 3420 wrote to memory of 4560	3420	Process not Found	92
PID 3420 wrote to memory of 4560	3420	Process not Found	92
PID 3420 wrote to memory of 3744	3420	Process not Found	95
PID 3420 wrote to memory of 3744	3420	Process not Found	95
PID 3420 wrote to memory of 2244	3420	Process not Found	97
PID 3420 wrote to memory of 2244	3420	Process not Found	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a653a6ca8bca2e4465c01ec60656a48_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:344

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:1000

C:\Users\Admin\AppData\Local\bQsNC\dpapimig.exe
C:\Users\Admin\AppData\Local\bQsNC\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1164

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:1172

C:\Users\Admin\AppData\Local\uJBw2l6i\mfpmp.exe
C:\Users\Admin\AppData\Local\uJBw2l6i\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4560

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:3744

C:\Users\Admin\AppData\Local\39xcvX\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\39xcvX\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\39xcvX\DisplaySwitch.exe

Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Local\39xcvX\WINSTA.dll

Filesize
1.2MB

MD5
6dfe344c04ad5649016d1a944cb3349f

SHA1
48421ea5c476ebf0b90d5923e39ba031fd9432c4

SHA256
55077f86e2c774d4ca8b4280c0a258c69b148f1e221a5c127ceb898a0e83b1dd

SHA512
3dddb7f52f12d06c7904d1b02a22adf0fe23d640e1489047daef7e4a8c0a67b2c4fb4735b3613566959024431a648f9e5a84c52cd518f8594fef2ade3c669f52

Download Submit
C:\Users\Admin\AppData\Local\bQsNC\DUI70.dll

Filesize
1.4MB

MD5
4a5282b0e84b55779d33a0e346317a2d

SHA1
2b1dd5d878f58354eaaedf135d609ba1e662dfee

SHA256
c08cb6c1055275021d2a3b50a1391d82f974ee9138f8939c7470aa42a7dcf33d

SHA512
9b1a1ce6a0f09a86a27ffef485359b35bf207cf1bfe4b7360815f8c7e6f22a9129850746f9e17acd968177b5277cd902601b47976815a561d6c086a283e7d441

Download Submit
C:\Users\Admin\AppData\Local\bQsNC\dpapimig.exe

Filesize
76KB

MD5
b6d6477a0c90a81624c6a8548026b4d0

SHA1
e6eac6941d27f76bbd306c2938c0a962dbf1ced1

SHA256
a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

SHA512
72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

Download Submit
C:\Users\Admin\AppData\Local\uJBw2l6i\MFPlat.DLL

Filesize
1.2MB

MD5
deb22685b98f4c650c6e831a77eeae31

SHA1
df700930d4cfc82439b012b603586635034d586b

SHA256
98eb0f18c43fbe97d9bf866981b40da79458c56fa8b5bcfa8cceaa5ed342fb3b

SHA512
87a8ee3791996f13411bbdaad5695642c38f09120c12ebfa2051b0af25659e21169e8f6a55619845599be0c931e3f0533470a4cc126e47bf1ccbbf51d2d16647

Download Submit
C:\Users\Admin\AppData\Local\uJBw2l6i\mfpmp.exe

Filesize
46KB

MD5
8f8fd1988973bac0c5244431473b96a5

SHA1
ce81ea37260d7cafe27612606cf044921ad1304c

SHA256
27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

SHA512
a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wyfsbgf.lnk

Filesize
1KB

MD5
138eb7aab174b41fc8305b158213c4a0

SHA1
c28117780b6f48d687572eb720a9647d19c9995a

SHA256
bd27afb7a9471c64d29874ff8e0b08a2655e230de36558ee7b95c58bcc8d581b

SHA512
f5d58dc90a8b54d065df4cd4281b60bcca2cb69af59d34ebb40483a666d08ea56fdc6781bc5e85b679b30e1edd64e6391e26e649258bfff45459ab9cc45027af

Download Submit
memory/344-1-0x00007FF8BCC00000-0x00007FF8BCD30000-memory.dmp

Filesize
1.2MB

Download
memory/344-38-0x00007FF8BCC00000-0x00007FF8BCD30000-memory.dmp

Filesize
1.2MB

Download
memory/344-0-0x000001AC629C0000-0x000001AC629C7000-memory.dmp

Filesize
28KB

Download
memory/1164-48-0x0000020309D00000-0x0000020309D07000-memory.dmp

Filesize
28KB

Download
memory/1164-51-0x00007FF8BCA20000-0x00007FF8BCB96000-memory.dmp

Filesize
1.5MB

Download
memory/1164-45-0x00007FF8BCA20000-0x00007FF8BCB96000-memory.dmp

Filesize
1.5MB

Download
memory/2244-79-0x000001E028690000-0x000001E028697000-memory.dmp

Filesize
28KB

Download
memory/2244-80-0x00007FF8ADDF0000-0x00007FF8ADF22000-memory.dmp

Filesize
1.2MB

Download
memory/2244-85-0x00007FF8ADDF0000-0x00007FF8ADF22000-memory.dmp

Filesize
1.2MB

Download
memory/3420-28-0x0000000000C50000-0x0000000000C57000-memory.dmp

Filesize
28KB

Download
memory/3420-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-5-0x00007FF8CA63A000-0x00007FF8CA63B000-memory.dmp

Filesize
4KB

Download
memory/3420-4-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3420-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-29-0x00007FF8CB8D0000-0x00007FF8CB8E0000-memory.dmp

Filesize
64KB

Download
memory/3420-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4560-68-0x00007FF8BCBF0000-0x00007FF8BCD22000-memory.dmp

Filesize
1.2MB

Download
memory/4560-63-0x00007FF8BCBF0000-0x00007FF8BCD22000-memory.dmp

Filesize
1.2MB

Download
memory/4560-62-0x000001F41F5D0000-0x000001F41F5D7000-memory.dmp

Filesize
28KB

Download