dridex | 40545a6526811c53e2e60af1d8df29607162db993879b289bddf2d2dab73e9d7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2c8e4117fbdd702afa7eaa9f3e4f45b_JaffaCakes118.dll
Size

1.2MB
MD5

a2c8e4117fbdd702afa7eaa9f3e4f45b
SHA1

8ef8013bd3fba4a9db7c2b003797eb59f3cc05c8
SHA256

40545a6526811c53e2e60af1d8df29607162db993879b289bddf2d2dab73e9d7
SHA512

20864d7b6ec128bd32994562d15f08b0b599242909c922c2e6eb4498dd6e2cd6292ffced315d9f54b4cd689387b2b6c5a1a14fe9a83fc0e6d28138e16e5db83c
SSDEEP

24576:guYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:w9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3436-4-0x00000000081F0000-0x00000000081F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1292	mstsc.exe
1724	ApplySettingsTemplateCatalog.exe
1312	tabcal.exe

Loads dropped DLL 3 IoCs

pid	Process
1292	mstsc.exe
1724	ApplySettingsTemplateCatalog.exe
1312	tabcal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tdfoxulv = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Vto0mbzoe\\ApplySettingsTemplateCatalog.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found
3436	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found
Token: SeShutdownPrivilege	3436	Process not Found
Token: SeCreatePagefilePrivilege	3436	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3436	Process not Found
3436	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3436	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 3900	3436	Process not Found	95
PID 3436 wrote to memory of 3900	3436	Process not Found	95
PID 3436 wrote to memory of 1292	3436	Process not Found	96
PID 3436 wrote to memory of 1292	3436	Process not Found	96
PID 3436 wrote to memory of 836	3436	Process not Found	97
PID 3436 wrote to memory of 836	3436	Process not Found	97
PID 3436 wrote to memory of 1724	3436	Process not Found	98
PID 3436 wrote to memory of 1724	3436	Process not Found	98
PID 3436 wrote to memory of 4740	3436	Process not Found	99
PID 3436 wrote to memory of 4740	3436	Process not Found	99
PID 3436 wrote to memory of 1312	3436	Process not Found	100
PID 3436 wrote to memory of 1312	3436	Process not Found	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a2c8e4117fbdd702afa7eaa9f3e4f45b_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
1⤵
PID:3900

C:\Users\Admin\AppData\Local\ntRlJt\mstsc.exe
C:\Users\Admin\AppData\Local\ntRlJt\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1292

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:836

C:\Users\Admin\AppData\Local\omK\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\omK\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1724

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:4740

C:\Users\Admin\AppData\Local\L6LJCJDu\tabcal.exe
C:\Users\Admin\AppData\Local\L6LJCJDu\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\L6LJCJDu\HID.DLL

Filesize
1.2MB

MD5
3f601ab185b7e206f6f68f58a9703369

SHA1
da1a09d49f810b32a5651d0ef7030baa5e73e0c3

SHA256
96ffa453af23abbaab7bdcc034c2b76dacc49d07f3085f0fd4cc6860b82df207

SHA512
0b1773b5d61f5d3dfcd9251b585977533e8cb3593a07ec28f9a8390bccc5c384adbc7b93d8cbf2147877052e72264dfcaa8d5ea4e1ef5673c0bec812fc0219cd

Download Submit
C:\Users\Admin\AppData\Local\L6LJCJDu\tabcal.exe

Filesize
84KB

MD5
40f4014416ff0cbf92a9509f67a69754

SHA1
1798ff7324724a32c810e2075b11c09b41e4fede

SHA256
f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

SHA512
646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

Download Submit
C:\Users\Admin\AppData\Local\ntRlJt\credui.dll

Filesize
1.2MB

MD5
0f8625041b442d40075603cbe1f4da7e

SHA1
1d15c437dc169bdb0c75580e68c1a15a972aa07d

SHA256
0af55feb758e3a7fa71abc756f26097d5ebe5882dff5eb2fc6ece95d8cb7842b

SHA512
eeab7f0961ea12debd332cf6ad37052d8731f173cf8c090316d7944d38417dc6f0c172b2c88bf68d75ec7a7c155fd8b15f7cb0833c7fb9dd0cbeeefb82864c94

Download Submit
C:\Users\Admin\AppData\Local\ntRlJt\mstsc.exe

Filesize
1.5MB

MD5
3a26640414cee37ff5b36154b1a0b261

SHA1
e0c28b5fdf53a202a7543b67bbc97214bad490ed

SHA256
1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f

SHA512
76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

Download Submit
C:\Users\Admin\AppData\Local\omK\ACTIVEDS.dll

Filesize
1.2MB

MD5
4278a771e55be7b859a8e38d2887c3f7

SHA1
b09d86d87ae6a5c301018352aa64abcd7642fe9b

SHA256
4bfd5fdf216a1e28338318297dc0f3aebf79eb25a50bebd4585d3ffa9d01ea31

SHA512
024ed6ab865886c1880e1da3fa9f228923a9e1e80c7637f80e845dd554c3bc890b7c8a804df4fde882a04b003b17d211b0bf62a0434051ec35a5af5ec70ebff5

Download Submit
C:\Users\Admin\AppData\Local\omK\ApplySettingsTemplateCatalog.exe

Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk

Filesize
1KB

MD5
040b9537f1a50a4279b651e98bf07c0b

SHA1
1784832a46c4e9d0dda2c52760142c1085f94255

SHA256
c3f26c5116c2993c7c9ef60066bcd055720e54b6ee2cc6cd054bcb5b9c029b27

SHA512
a35976b724c8f01a80292095100a1820880305f96c4cd0491776aa1ba48671f94ac544b9260e38573cb5d46aee221003ecfb15918539d1d4e4ecae8200905a29

Download Submit
memory/1292-46-0x00007FFF5BD50000-0x00007FFF5BE82000-memory.dmp

Filesize
1.2MB

Download
memory/1292-49-0x000002153EA90000-0x000002153EA97000-memory.dmp

Filesize
28KB

Download
memory/1292-52-0x00007FFF5BD50000-0x00007FFF5BE82000-memory.dmp

Filesize
1.2MB

Download
memory/1312-80-0x0000014D8ED30000-0x0000014D8ED37000-memory.dmp

Filesize
28KB

Download
memory/1312-86-0x00007FFF5BD50000-0x00007FFF5BE82000-memory.dmp

Filesize
1.2MB

Download
memory/1584-0-0x000001D4A9860000-0x000001D4A9867000-memory.dmp

Filesize
28KB

Download
memory/1584-39-0x00007FFF6BFD0000-0x00007FFF6C101000-memory.dmp

Filesize
1.2MB

Download
memory/1584-1-0x00007FFF6BFD0000-0x00007FFF6C101000-memory.dmp

Filesize
1.2MB

Download
memory/1724-63-0x0000015E27B70000-0x0000015E27B77000-memory.dmp

Filesize
28KB

Download
memory/1724-69-0x00007FFF5BD50000-0x00007FFF5BE82000-memory.dmp

Filesize
1.2MB

Download
memory/3436-29-0x0000000007B60000-0x0000000007B67000-memory.dmp

Filesize
28KB

Download
memory/3436-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-30-0x00007FFF7A670000-0x00007FFF7A680000-memory.dmp

Filesize
64KB

Download
memory/3436-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-4-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/3436-6-0x00007FFF7895A000-0x00007FFF7895B000-memory.dmp

Filesize
4KB

Download