dridex | 0f22dce9cc7521ce92c5b64195b89405390cebe4f68a95852c92e1393d5ab821

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0682d74e106b09ade2106ede229c053_JaffaCakes118.dll
Size

1.2MB
MD5

a0682d74e106b09ade2106ede229c053
SHA1

9fe391db18b3625649adf27e339e81003318dda6
SHA256

0f22dce9cc7521ce92c5b64195b89405390cebe4f68a95852c92e1393d5ab821
SHA512

3093e13ab01081095346941f710fda9c9ad53377719880366441a8a28543ca120cf47fa6abae2b863fa30a0076b675e51233cdf7e8d9a6ca463b77afcb9bce31
SSDEEP

24576:KuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:S9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3448-4-0x00000000080D0000-0x00000000080D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3516	BitLockerWizardElev.exe
4972	dxgiadaptercache.exe
4472	Magnify.exe

Loads dropped DLL 6 IoCs

pid	Process
3516	BitLockerWizardElev.exe
4972	dxgiadaptercache.exe
4972	dxgiadaptercache.exe
4472	Magnify.exe
4472	Magnify.exe
4472	Magnify.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tdfoxulv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\Managed\\DOCUME~1\\1033\\oGFUA\\DXGIAD~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	rundll32.exe
2272	rundll32.exe
2272	rundll32.exe
2272	rundll32.exe
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3448	Process not Found
Token: SeCreatePagefilePrivilege	3448	Process not Found
Token: SeShutdownPrivilege	3448	Process not Found
Token: SeCreatePagefilePrivilege	3448	Process not Found
Token: SeShutdownPrivilege	3448	Process not Found
Token: SeCreatePagefilePrivilege	3448	Process not Found
Token: SeShutdownPrivilege	3448	Process not Found
Token: SeCreatePagefilePrivilege	3448	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3448	Process not Found
3448	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3448	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 1244	3448	Process not Found	95
PID 3448 wrote to memory of 1244	3448	Process not Found	95
PID 3448 wrote to memory of 3516	3448	Process not Found	96
PID 3448 wrote to memory of 3516	3448	Process not Found	96
PID 3448 wrote to memory of 636	3448	Process not Found	97
PID 3448 wrote to memory of 636	3448	Process not Found	97
PID 3448 wrote to memory of 4972	3448	Process not Found	98
PID 3448 wrote to memory of 4972	3448	Process not Found	98
PID 3448 wrote to memory of 440	3448	Process not Found	99
PID 3448 wrote to memory of 440	3448	Process not Found	99
PID 3448 wrote to memory of 4472	3448	Process not Found	100
PID 3448 wrote to memory of 4472	3448	Process not Found	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0682d74e106b09ade2106ede229c053_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2272

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:1244

C:\Users\Admin\AppData\Local\iR6\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\iR6\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3516

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:636

C:\Users\Admin\AppData\Local\WHaa\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\WHaa\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4972

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:440

C:\Users\Admin\AppData\Local\cfJvGRTX\Magnify.exe
C:\Users\Admin\AppData\Local\cfJvGRTX\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WHaa\dxgi.dll

Filesize
1.2MB

MD5
1f09bb65f1bfc27400457a1b1eab42fc

SHA1
d2bc52dfcc896c6269ccf9a1f80704f55892eb3a

SHA256
3a4d3ff78285c5a73410e0d631a1e29a9762d08f85c2e533ca698d96cce296fa

SHA512
74577ae4d39a13779faec35ebca4b14c72b967ec6b3cbfc185de84196d309fafacd3cc4282396d0e1729fc46524ad9706f6d76ea07354c43b5e3c0647125953f

Download Submit
C:\Users\Admin\AppData\Local\WHaa\dxgiadaptercache.exe

Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Local\cfJvGRTX\Magnify.exe

Filesize
639KB

MD5
4029890c147e3b4c6f41dfb5f9834d42

SHA1
10d08b3f6dabe8171ca2dd52e5737e3402951c75

SHA256
57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

SHA512
dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

Download Submit
C:\Users\Admin\AppData\Local\cfJvGRTX\dwmapi.dll

Filesize
1.2MB

MD5
459c0480b10c2be7cbbafb344078b2d0

SHA1
10a03ff73774dd5f5c0622f200dd24611d69c740

SHA256
4334715e9337e1aba0cde4edd510c7e1436fbaa47bc3219f10d3e078a08fec70

SHA512
63bf0a56d0ce64029e131732cec3d3c336a696d6f00353198d48ad0a383945ced07e9437423fef9b5ae504a23219c0b5cce13b1f312da6f4d1b135fab8a4d489

Download Submit
C:\Users\Admin\AppData\Local\iR6\BitLockerWizardElev.exe

Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\iR6\FVEWIZ.dll

Filesize
1.2MB

MD5
43a02418331a91f31f456dcd9d7ba789

SHA1
6d5fc9e3fdaa0c2a2433626886e094359e6bc9f3

SHA256
1d5842338d49f4ea9fe26f24aa341bef86772ff81b6eb03bc6ddf81410060846

SHA512
b7516167d6d63994104cb0e0e6f17bb896a49504d0e184dc6fc9466cc47d44a017595d9e2d3c9837c108408b673c914cabdb5b0ea150c89bdcb4554a4f33b43c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk

Filesize
1KB

MD5
3d445850e84c1aeafa344c84987eb312

SHA1
d0e95f999ef830b4104266cb47b3428dc513b5a3

SHA256
13578e6d7ba6e058d1fe10a066575ff8fde00217b9dc8364181844f4474d7292

SHA512
8f088b95ca24ffdc9ed0968ba85f6ebe6324be72a0401a574f94a5a33b3e105ae3ecf1d8a8f540b507954c884d5a4a647dccfb6ed7c50402f83aa09968a62727

Download Submit
memory/2272-0-0x00007FFF635A0000-0x00007FFF636D1000-memory.dmp

Filesize
1.2MB

Download
memory/2272-3-0x0000023D01290000-0x0000023D01297000-memory.dmp

Filesize
28KB

Download
memory/2272-39-0x00007FFF635A0000-0x00007FFF636D1000-memory.dmp

Filesize
1.2MB

Download
memory/3448-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-30-0x00007FFF72530000-0x00007FFF72540000-memory.dmp

Filesize
64KB

Download
memory/3448-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-4-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/3448-6-0x00007FFF708AA000-0x00007FFF708AB000-memory.dmp

Filesize
4KB

Download
memory/3448-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-29-0x00000000079A0000-0x00000000079A7000-memory.dmp

Filesize
28KB

Download
memory/3448-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-52-0x00007FFF53DA0000-0x00007FFF53ED2000-memory.dmp

Filesize
1.2MB

Download
memory/3516-47-0x00007FFF53DA0000-0x00007FFF53ED2000-memory.dmp

Filesize
1.2MB

Download
memory/3516-46-0x000001CAAABB0000-0x000001CAAABB7000-memory.dmp

Filesize
28KB

Download
memory/4472-83-0x00007FFF538E0000-0x00007FFF53A12000-memory.dmp

Filesize
1.2MB

Download
memory/4472-87-0x00007FFF538E0000-0x00007FFF53A12000-memory.dmp

Filesize
1.2MB

Download
memory/4972-67-0x00000162A6900000-0x00000162A6907000-memory.dmp

Filesize
28KB

Download
memory/4972-70-0x00007FFF53DA0000-0x00007FFF53ED2000-memory.dmp

Filesize
1.2MB

Download