dridex | 18225e4c3113085ea7969d7eeac3507e25eb36eddb6aa4511ff2618473b82e9f

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec755bc82d0950c88b7eb47e9f25f1f_JaffaCakes118.dll
Size

1.2MB
MD5

9ec755bc82d0950c88b7eb47e9f25f1f
SHA1

5a72e981a2182ab70bb76365cbb5cef7da7b02fd
SHA256

18225e4c3113085ea7969d7eeac3507e25eb36eddb6aa4511ff2618473b82e9f
SHA512

3af88950dab298df873b54700467be8f0f3ac03efca508154cbbd5f6c9ce09cd5a5f24f240375478067be783f1e7c3ad38af568ed8f319b36a2bf89fd8fc9a46
SSDEEP

24576:QuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:A9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3456-4-0x0000000008E60000-0x0000000008E61000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

EaseOfAccessDialog.exesigverif.exeMusNotificationUx.exe

pid	Process
1664	EaseOfAccessDialog.exe
2312	sigverif.exe
4284	MusNotificationUx.exe

Loads dropped DLL 3 IoCs

Processes:

EaseOfAccessDialog.exesigverif.exeMusNotificationUx.exe

pid	Process
1664	EaseOfAccessDialog.exe
2312	sigverif.exe
4284	MusNotificationUx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Veuhujsfce = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\Managed\\DOCUME~1\\B084AT~1\\sigverif.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeEaseOfAccessDialog.exesigverif.exeMusNotificationUx.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe

Modifies registry class 1 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3456
3456

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3456

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3456 wrote to memory of 4944	3456	95
PID 3456 wrote to memory of 4944	3456	95
PID 3456 wrote to memory of 1664	3456	96
PID 3456 wrote to memory of 1664	3456	96
PID 3456 wrote to memory of 4664	3456	97
PID 3456 wrote to memory of 4664	3456	97
PID 3456 wrote to memory of 2312	3456	98
PID 3456 wrote to memory of 2312	3456	98
PID 3456 wrote to memory of 2136	3456	99
PID 3456 wrote to memory of 2136	3456	99
PID 3456 wrote to memory of 4284	3456	100
PID 3456 wrote to memory of 4284	3456	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ec755bc82d0950c88b7eb47e9f25f1f_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2664

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:4944

C:\Users\Admin\AppData\Local\hHFSQ\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\hHFSQ\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1664

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:4664

C:\Users\Admin\AppData\Local\CwAa\sigverif.exe
C:\Users\Admin\AppData\Local\CwAa\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2312

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:2136

C:\Users\Admin\AppData\Local\0MiEjlK\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\0MiEjlK\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0MiEjlK\MusNotificationUx.exe

Filesize
615KB

MD5
869a214114a81712199f3de5d69d9aad

SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f

SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

Download Submit
C:\Users\Admin\AppData\Local\0MiEjlK\XmlLite.dll

Filesize
1.2MB

MD5
a0fc88260dd237372fb7ce2ccf16c453

SHA1
d0f661c6e39350854cfd89e65a3248a939d0f9c9

SHA256
dd3ed898d9ffc8f1d6be0b9b851fbe6dea72d308faac398c027d21dee48ec3d6

SHA512
39f80623318c6d928a4189bb0faa2e8312dba1ccee8d2c4d2250d776733796a70917223a89d9858c0286c7ef0e1751d3a8dd7ef50e9715e5d0b24006b6910aa7

Download Submit
C:\Users\Admin\AppData\Local\CwAa\VERSION.dll

Filesize
1.2MB

MD5
48b7c5ebef63fac091943bf9c0c90d5d

SHA1
788043eac21c9a095002e6efc8a7c505c9d4b1cb

SHA256
bc14c1367bf16c7fec72d67034e3f4779f8627feb383cb637ccde7506abb1b5a

SHA512
ae2dcc42a10c45d911962edcd58da3867107be29655c0ce715a2cb148e10eb8af7b25cf73811a673402296006c0561c32930e5dd29a17627e1f09e6c48eb4b7c

Download Submit
C:\Users\Admin\AppData\Local\CwAa\sigverif.exe

Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Local\hHFSQ\EaseOfAccessDialog.exe

Filesize
123KB

MD5
e75ee992c1041341f709a517c8723c87

SHA1
471021260055eac0021f0abffa2d0ba77a2f380e

SHA256
0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

SHA512
48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

Download Submit
C:\Users\Admin\AppData\Local\hHFSQ\OLEACC.dll

Filesize
1.2MB

MD5
7036c7ad3e170773771c5496d479c5c6

SHA1
57f70c5109cc9aeb1894ccf1cfb531cf72c6784e

SHA256
1437233f720eecd2429a5f2a3f5077dd0d15af56b40782bd6cac3e0d0e6ef54b

SHA512
35294155dbf4b4a8fb8175cae6082e7dda02c026ce425d5926b429ba560cea2ebc82b9fff2a9898c1859a06049f8dd93c5bdda08e49bca29cd0f1dc3b096c761

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piobvoh.lnk

Filesize
1KB

MD5
ea69ea824b445b264d45e1de99d8f9a1

SHA1
dd38a5108484ec0824132af19d3982145c2f3297

SHA256
f9215c032f0bf52e1a2658ff4bf3fe7c1b118eecc1b2ec592807a3122c4c18ba

SHA512
5029c719414438415a91a0447f47d3984a5cb7ddf14ab0cc56288b12d11304a90a8c5cc2e80c166fe9a824ac5b2387c166a8f8bfdebd470c374d560d8a17d993

Download Submit
memory/1664-46-0x00007FFD68840000-0x00007FFD68971000-memory.dmp

Filesize
1.2MB

Download
memory/1664-51-0x00007FFD68840000-0x00007FFD68971000-memory.dmp

Filesize
1.2MB

Download
memory/1664-45-0x000002E51A980000-0x000002E51A987000-memory.dmp

Filesize
28KB

Download
memory/2312-65-0x0000021465930000-0x0000021465937000-memory.dmp

Filesize
28KB

Download
memory/2312-62-0x00007FFD68A90000-0x00007FFD68BC1000-memory.dmp

Filesize
1.2MB

Download
memory/2312-68-0x00007FFD68A90000-0x00007FFD68BC1000-memory.dmp

Filesize
1.2MB

Download
memory/2664-0-0x00000220FB310000-0x00000220FB317000-memory.dmp

Filesize
28KB

Download
memory/2664-38-0x00007FFD78F20000-0x00007FFD79050000-memory.dmp

Filesize
1.2MB

Download
memory/2664-1-0x00007FFD78F20000-0x00007FFD79050000-memory.dmp

Filesize
1.2MB

Download
memory/3456-29-0x00007FFD876D0000-0x00007FFD876E0000-memory.dmp

Filesize
64KB

Download
memory/3456-27-0x0000000008E40000-0x0000000008E47000-memory.dmp

Filesize
28KB

Download
memory/3456-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3456-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3456-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3456-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3456-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3456-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3456-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3456-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3456-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3456-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3456-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3456-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3456-4-0x0000000008E60000-0x0000000008E61000-memory.dmp

Filesize
4KB

Download
memory/3456-6-0x00007FFD865AA000-0x00007FFD865AB000-memory.dmp

Filesize
4KB

Download
memory/4284-85-0x00007FFD68A90000-0x00007FFD68BC1000-memory.dmp

Filesize
1.2MB

Download
memory/4284-82-0x0000020B40190000-0x0000020B40197000-memory.dmp

Filesize
28KB

Download