dridex | f0e9f3d5fced9258fdb6791c781c6844a172502786b058db47ce483493b1941d

Analysis

max time kernel
149s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f37c38c61838641d596841f6a1232ff_JaffaCakes118.dll
Size

1.4MB
MD5

9f37c38c61838641d596841f6a1232ff
SHA1

3334ad56daf32d68440ffcd6c838142c5822e650
SHA256

f0e9f3d5fced9258fdb6791c781c6844a172502786b058db47ce483493b1941d
SHA512

5fe41be56f5c65084cf13892da63eb9b33d6ef39a0214c14ea242d12aecdeeb85609cd2fc0638834bcbd4353ae087f1da443de756aeb00d586803f9629c0ab76
SSDEEP

24576:guYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Ns:w9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3420-4-0x0000000002440000-0x0000000002441000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesRemote.exeAtBroker.exeSystemPropertiesAdvanced.exe

pid	Process
1796	SystemPropertiesRemote.exe
456	AtBroker.exe
3576	SystemPropertiesAdvanced.exe

Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesRemote.exeAtBroker.exeSystemPropertiesAdvanced.exe

pid	Process
1796	SystemPropertiesRemote.exe
456	AtBroker.exe
3576	SystemPropertiesAdvanced.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qebzqfuc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\dnvdd7\\AtBroker.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesAdvanced.exerundll32.exeSystemPropertiesRemote.exeAtBroker.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AtBroker.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
5072	rundll32.exe
5072	rundll32.exe
5072	rundll32.exe
5072	rundll32.exe
5072	rundll32.exe
5072	rundll32.exe
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3420

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3420 wrote to memory of 3468	3420	96
PID 3420 wrote to memory of 3468	3420	96
PID 3420 wrote to memory of 1796	3420	97
PID 3420 wrote to memory of 1796	3420	97
PID 3420 wrote to memory of 2244	3420	98
PID 3420 wrote to memory of 2244	3420	98
PID 3420 wrote to memory of 456	3420	99
PID 3420 wrote to memory of 456	3420	99
PID 3420 wrote to memory of 4828	3420	100
PID 3420 wrote to memory of 4828	3420	100
PID 3420 wrote to memory of 3576	3420	101
PID 3420 wrote to memory of 3576	3420	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f37c38c61838641d596841f6a1232ff_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:3468

C:\Users\Admin\AppData\Local\7bQmZDjL\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\7bQmZDjL\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1796

C:\Windows\system32\AtBroker.exe
C:\Windows\system32\AtBroker.exe
1⤵
PID:2244

C:\Users\Admin\AppData\Local\FxxvBft\AtBroker.exe
C:\Users\Admin\AppData\Local\FxxvBft\AtBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:456

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:4828

C:\Users\Admin\AppData\Local\ZoyMoF\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\ZoyMoF\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7bQmZDjL\SYSDM.CPL

Filesize
1.4MB

MD5
7d9f7d042de840f929d8cf30ccac1832

SHA1
e9660ea9b6b82e370022d146258221dd5d7342c3

SHA256
33256e6212bd82bf17aaf7bbe4cd96462cd6b42900037b78ce5647cf9f614c6e

SHA512
2ca2f2982b3b66bcaea5a101a0bf6ed281ca594c73a64d0998e5b74d19567773ca66e5e4ec902242b5ba12272046b059d5d86d6ea738678acc86e9a5f65dd6c7

Download Submit
C:\Users\Admin\AppData\Local\7bQmZDjL\SystemPropertiesRemote.exe

Filesize
82KB

MD5
cdce1ee7f316f249a3c20cc7a0197da9

SHA1
dadb23af07827758005ec0235ac1573ffcea0da6

SHA256
7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

SHA512
f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

Download Submit
C:\Users\Admin\AppData\Local\FxxvBft\AtBroker.exe

Filesize
90KB

MD5
30076e434a015bdf4c136e09351882cc

SHA1
584c958a35e23083a0861421357405afd26d9a0c

SHA256
ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

SHA512
675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

Download Submit
C:\Users\Admin\AppData\Local\FxxvBft\UxTheme.dll

Filesize
1.4MB

MD5
67e6bcb4a1a8343b86f1cee8f95bf6cb

SHA1
da613091f658099e9d405ea570e4e959e3265e1e

SHA256
06d9e2c9a7dbbaa5308ace2272794442da08c2b221d051964c9672e505f0a3f7

SHA512
29a9a2e04b0dfb3f35ee93b4b4d9bf9c40591e2f382287802aeda3d63c48931a54d30d4b1da9d2591010fa0d10865471560f5fb0151b5c31e259c2f1d1d465d7

Download Submit
C:\Users\Admin\AppData\Local\ZoyMoF\SYSDM.CPL

Filesize
1.4MB

MD5
fa6d01544abcc5c755dc379a5c2f96e3

SHA1
e093e749e357e1e5f92d3233a3fb48a105f175a2

SHA256
f0d1697b26286b6b812cf187627ec11c2cae32ae944ee2b9d59195b695c20a8c

SHA512
357ab774d4e6d12e0e4cc3c5f06b456591793afec7d272e93c638b1160bee515d1107dcfa4b2c545e5a9fd62e13f64457f05521291518d91aaba058868990d17

Download Submit
C:\Users\Admin\AppData\Local\ZoyMoF\SystemPropertiesAdvanced.exe

Filesize
82KB

MD5
fa040b18d2d2061ab38cf4e52e753854

SHA1
b1b37124e9afd6c860189ce4d49cebbb2e4c57bc

SHA256
c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c

SHA512
511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk

Filesize
1KB

MD5
a612484266bdb97e5dc712df8eb34046

SHA1
327e57b4e36ec4aacd3641e340d342f55a8daf29

SHA256
042e7bae996db0bc0eadfa25954d43676b66639693a91a74e745ed7f5e9ef7b7

SHA512
8bec9e65dcc7e51288479142a5c9a6e9fcf96ed25ee3f7be7d98a1d59a9fa7da20b255e198911220677ce76337780233ebe376ecfcaf659b69c8565d0094db18

Download Submit
memory/456-68-0x00007FF9F00D0000-0x00007FF9F0234000-memory.dmp

Filesize
1.4MB

Download
memory/456-65-0x0000023065EF0000-0x0000023065EF7000-memory.dmp

Filesize
28KB

Download
memory/1796-51-0x00007FF9F00D0000-0x00007FF9F0234000-memory.dmp

Filesize
1.4MB

Download
memory/1796-46-0x00007FF9F00D0000-0x00007FF9F0234000-memory.dmp

Filesize
1.4MB

Download
memory/1796-45-0x000002A42F180000-0x000002A42F187000-memory.dmp

Filesize
28KB

Download
memory/3420-26-0x00007FFA0D7B0000-0x00007FFA0D7C0000-memory.dmp

Filesize
64KB

Download
memory/3420-15-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3420-10-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3420-16-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3420-8-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3420-7-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3420-11-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3420-12-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3420-13-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3420-6-0x00007FFA0D68A000-0x00007FFA0D68B000-memory.dmp

Filesize
4KB

Download
memory/3420-25-0x00000000008F0000-0x00000000008F7000-memory.dmp

Filesize
28KB

Download
memory/3420-4-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/3420-35-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3420-24-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3420-14-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3420-9-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3576-85-0x00007FF9F00D0000-0x00007FF9F0234000-memory.dmp

Filesize
1.4MB

Download
memory/3576-79-0x00000128F3730000-0x00000128F3737000-memory.dmp

Filesize
28KB

Download
memory/5072-38-0x00007FF9FEB50000-0x00007FF9FECB3000-memory.dmp

Filesize
1.4MB

Download
memory/5072-0-0x000001FA39A80000-0x000001FA39A87000-memory.dmp

Filesize
28KB

Download
memory/5072-1-0x00007FF9FEB50000-0x00007FF9FECB3000-memory.dmp

Filesize
1.4MB

Download