dridex | 5b2a5ca7d07b80fd01e348dce440046244cc407a5fdee053c21cf5de1a4e7c4e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a30b4899908225a2b29ef1b14acef84a_JaffaCakes118.dll
Size

1.2MB
MD5

a30b4899908225a2b29ef1b14acef84a
SHA1

c35339f69cb4da6c1c36771a3bd6711f142fdec1
SHA256

5b2a5ca7d07b80fd01e348dce440046244cc407a5fdee053c21cf5de1a4e7c4e
SHA512

eb177eda0a91949f37c296ed66899a03e7ef9f9ffd90b203486631379ebdd441ce7a936452c3476c6c4bcf3d4842ad51f25d4ba09c783209e5077eb83c37618e
SSDEEP

24576:ruYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:19cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3524-4-0x0000000002EB0000-0x0000000002EB1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sdclt.exeie4ushowIE.exeApplicationFrameHost.exe

pid	Process
4020	sdclt.exe
3304	ie4ushowIE.exe
840	ApplicationFrameHost.exe

Loads dropped DLL 3 IoCs

Processes:

sdclt.exeie4ushowIE.exeApplicationFrameHost.exe

pid	Process
4020	sdclt.exe
3304	ie4ushowIE.exe
840	ApplicationFrameHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfaxdafbicozcso = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\xuHRaGeGJ\\ie4ushowIE.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesdclt.exeie4ushowIE.exeApplicationFrameHost.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4ushowIE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplicationFrameHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3524

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3524 wrote to memory of 1508	3524	94
PID 3524 wrote to memory of 1508	3524	94
PID 3524 wrote to memory of 4020	3524	95
PID 3524 wrote to memory of 4020	3524	95
PID 3524 wrote to memory of 2052	3524	96
PID 3524 wrote to memory of 2052	3524	96
PID 3524 wrote to memory of 3304	3524	97
PID 3524 wrote to memory of 3304	3524	97
PID 3524 wrote to memory of 1828	3524	98
PID 3524 wrote to memory of 1828	3524	98
PID 3524 wrote to memory of 840	3524	99
PID 3524 wrote to memory of 840	3524	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a30b4899908225a2b29ef1b14acef84a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2124

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:1508

C:\Users\Admin\AppData\Local\NTn\sdclt.exe
C:\Users\Admin\AppData\Local\NTn\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4020

C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
1⤵
PID:2052

C:\Users\Admin\AppData\Local\OLYaPTm9\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\OLYaPTm9\ie4ushowIE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3304

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:1828

C:\Users\Admin\AppData\Local\49sKQPXb\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\49sKQPXb\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\49sKQPXb\ApplicationFrameHost.exe

Filesize
76KB

MD5
d58a8a987a8dafad9dc32a548cc061e7

SHA1
f79fc9e0ab066cad530b949c2153c532a5223156

SHA256
cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

SHA512
93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Download Submit
C:\Users\Admin\AppData\Local\49sKQPXb\dxgi.dll

Filesize
1.2MB

MD5
e0627b622b1e2011842df3b15b358550

SHA1
64c2206658202e5256607ffe76c5403a9e645fdc

SHA256
dc4719929c19113d9a8edb2a43ffb6727c3e5b3db86e48e7bb73638ff6960cb9

SHA512
1064fd699e50254f59c73855eb87436d740440a471cea24e004a9be5610c040e29f155968f0107e5906423b6080de2832933f3aee28b7be8c67d961f2211e82e

Download Submit
C:\Users\Admin\AppData\Local\NTn\WTSAPI32.dll

Filesize
1.2MB

MD5
f8975a2bd29dc9e536bb584e2a7319c7

SHA1
e3b86da1c7d4337ead2de47ac2ba1ded350d3756

SHA256
1c8446e075864d927909cb7f7bdfa74497bc083b80d4eda12155a3d79f35f2ae

SHA512
d82a7ee5fcbb2d167775faf55bc503dfe34c7ff5959ace0b2bbde39e977bb3b706d9a2ea6bd5779c4ef9c52a4be4217697db9a4b0d4cd358b37691ce6423bbc5

Download Submit
C:\Users\Admin\AppData\Local\NTn\sdclt.exe

Filesize
1.2MB

MD5
e09d48f225e7abcab14ebd3b8a9668ec

SHA1
1c5b9322b51c09a407d182df481609f7cb8c425d

SHA256
efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

SHA512
384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

Download Submit
C:\Users\Admin\AppData\Local\OLYaPTm9\VERSION.dll

Filesize
1.2MB

MD5
e4cc7c32f1fcb5bb544b538417959b63

SHA1
1005ba52754f9197c861f4cde0b11d1cecaa344e

SHA256
e11a4b2844aab0af569f2bde7afc666360c38cd22a24fd03c4150603aedf3fcf

SHA512
4602879d116f6d2377706b754437752181ce2153323ef9d47afe6a717d52d8ac87fb41d7b3186967a1cac6c3770eedd913fa58f8888708a956d7725b21d7606d

Download Submit
C:\Users\Admin\AppData\Local\OLYaPTm9\ie4ushowIE.exe

Filesize
76KB

MD5
9de952f476abab0cd62bfd81e20a3deb

SHA1
109cc4467b78dad4b12a3225020ea590bccee3e6

SHA256
e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

SHA512
3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yfsfrqrlkk.lnk

Filesize
1KB

MD5
96d3bc228e560020fec80da6c311a86d

SHA1
554aae9726da9a34324cbdda21755676ba45973a

SHA256
5cb9f97c03d230be76b490601a1f5402abffc235b15efff826e9db42b5b3f2a2

SHA512
d376ba410a98663a84aad5b41746d25e1fe0c644321ccabb46b1c3b015622326ca22b6fe6a60d6303bead2f2dc83245b82119acde70d27d038b70e64b10de92f

Download Submit
memory/840-85-0x00007FFE7ADF0000-0x00007FFE7AF21000-memory.dmp

Filesize
1.2MB

Download
memory/840-79-0x000002541F5A0000-0x000002541F5A7000-memory.dmp

Filesize
28KB

Download
memory/2124-0-0x0000019D546F0000-0x0000019D546F7000-memory.dmp

Filesize
28KB

Download
memory/2124-38-0x00007FFE898C0000-0x00007FFE899F0000-memory.dmp

Filesize
1.2MB

Download
memory/2124-2-0x00007FFE898C0000-0x00007FFE899F0000-memory.dmp

Filesize
1.2MB

Download
memory/3304-62-0x00007FFE7ADF0000-0x00007FFE7AF21000-memory.dmp

Filesize
1.2MB

Download
memory/3304-65-0x0000016638310000-0x0000016638317000-memory.dmp

Filesize
28KB

Download
memory/3304-68-0x00007FFE7ADF0000-0x00007FFE7AF21000-memory.dmp

Filesize
1.2MB

Download
memory/3524-27-0x0000000002900000-0x0000000002907000-memory.dmp

Filesize
28KB

Download
memory/3524-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-4-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/3524-5-0x00007FFE9821A000-0x00007FFE9821B000-memory.dmp

Filesize
4KB

Download
memory/3524-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-28-0x00007FFE98570000-0x00007FFE98580000-memory.dmp

Filesize
64KB

Download
memory/3524-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4020-51-0x00007FFE7A330000-0x00007FFE7A461000-memory.dmp

Filesize
1.2MB

Download
memory/4020-48-0x000002590B9E0000-0x000002590B9E7000-memory.dmp

Filesize
28KB

Download
memory/4020-45-0x00007FFE7A330000-0x00007FFE7A461000-memory.dmp

Filesize
1.2MB

Download