dridex | e60597f976b7078f5ece1f0aca1aba18b9da2e87de3d24d02fb7468b943a0582

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a74387fec59971d9727daedf1772f601_JaffaCakes118.dll
Size

1.2MB
MD5

a74387fec59971d9727daedf1772f601
SHA1

96920b5c184bc122065cb5b0601cad3d86b0d04a
SHA256

e60597f976b7078f5ece1f0aca1aba18b9da2e87de3d24d02fb7468b943a0582
SHA512

466b131ccc8fd9f59d029dbcd7110c097e4e8b1216b0597329c986a082bcd05a4e707994a885feecb841c6baf157f541bb153b2df062aea539ce3e49fbf02eaf
SSDEEP

24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N/:F9cKrUqZWLAcUH

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3504-4-0x0000000008940000-0x0000000008941000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dialer.exeSystemPropertiesComputerName.exesdclt.exe

pid	Process
860	dialer.exe
3004	SystemPropertiesComputerName.exe
1296	sdclt.exe

Loads dropped DLL 3 IoCs

Processes:

dialer.exeSystemPropertiesComputerName.exesdclt.exe

pid	Process
860	dialer.exe
3004	SystemPropertiesComputerName.exe
1296	sdclt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wbdoaalrz = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\3L6qLp\\SystemPropertiesComputerName.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dialer.exeSystemPropertiesComputerName.exesdclt.exerundll32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
5036	rundll32.exe
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3504
3504

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3504

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3504 wrote to memory of 3112	3504	95
PID 3504 wrote to memory of 3112	3504	95
PID 3504 wrote to memory of 860	3504	96
PID 3504 wrote to memory of 860	3504	96
PID 3504 wrote to memory of 4148	3504	97
PID 3504 wrote to memory of 4148	3504	97
PID 3504 wrote to memory of 3004	3504	98
PID 3504 wrote to memory of 3004	3504	98
PID 3504 wrote to memory of 2256	3504	99
PID 3504 wrote to memory of 2256	3504	99
PID 3504 wrote to memory of 1296	3504	100
PID 3504 wrote to memory of 1296	3504	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a74387fec59971d9727daedf1772f601_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5036

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:3112

C:\Users\Admin\AppData\Local\qKvg28YWu\dialer.exe
C:\Users\Admin\AppData\Local\qKvg28YWu\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:860

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:4148

C:\Users\Admin\AppData\Local\BPti7\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\BPti7\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3004

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:2256

C:\Users\Admin\AppData\Local\TPSy1V\sdclt.exe
C:\Users\Admin\AppData\Local\TPSy1V\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BPti7\SYSDM.CPL

Filesize
1.2MB

MD5
44c3773bb73db9bdc8820137cfee32bf

SHA1
e9c3a64eed908be6ad5840ab31e7cb65457ad99b

SHA256
89a4feb59b6ff7d93580b39507d0b523d49d7fb881f387f558743568c83dbbda

SHA512
86220420ef0ec38d3be9544acba8dea65769eeea9bde29ad3e65989d173436f4ba8d374f27ecb7b1395e278a7cfa98973d1cb956b85e5db3124dffeb9b5531fc

Download Submit
C:\Users\Admin\AppData\Local\BPti7\SystemPropertiesComputerName.exe

Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Local\TPSy1V\UxTheme.dll

Filesize
1.2MB

MD5
0fc9f35d6fffcd7c9fedec86458adde3

SHA1
44ab07bb881e5fd9d25b8598f2214afc357bcb64

SHA256
5738fba7a2254e551195a9b3bbcda6f6a55262f20e9a28cf321be877cb17d6c5

SHA512
d90e7bcdaf69005de124ad988972aa9b5fa6af86339ca61f48e95845e934a5a180a60d7fb9226540dcae24082b9f9325b7c380e528d7c159016a9b64fddc7702

Download Submit
C:\Users\Admin\AppData\Local\TPSy1V\sdclt.exe

Filesize
1.2MB

MD5
e09d48f225e7abcab14ebd3b8a9668ec

SHA1
1c5b9322b51c09a407d182df481609f7cb8c425d

SHA256
efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

SHA512
384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

Download Submit
C:\Users\Admin\AppData\Local\qKvg28YWu\TAPI32.dll

Filesize
1.2MB

MD5
060271126ae8be1b75d88c92458de30a

SHA1
7232f6a1f17e22af2bd1915514e6fee5fdcbe929

SHA256
0f8d47891eb89d72808946ee73dde5d23045e3bd9010c6d5746879b5f1725549

SHA512
2ff80141a6d4c1c5fe520c74114e6b0fb1a9bb1a3b739e40f1ee16d37ca6a1b25dac58af13eba949eabefc2913b8a1c9c6d2bf6440d830d95056e15b872627b8

Download Submit
C:\Users\Admin\AppData\Local\qKvg28YWu\dialer.exe

Filesize
39KB

MD5
b2626bdcf079c6516fc016ac5646df93

SHA1
838268205bd97d62a31094d53643c356ea7848a6

SHA256
e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

SHA512
615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mihblavoyj.lnk

Filesize
1KB

MD5
0f8de921a2ee2ef1d4234d725a2ba717

SHA1
0adb9af6cd9e8da82d30b25df71e913e75f9442b

SHA256
9c5f8aab372ec71f853648c8bf0d6f2069fd9a4680879a49dc542ba19ea30218

SHA512
d28e47e14e9c39351997dc5fab168004d3f840f24eb137cd32ddebc92cbedb070faeb8f08d7c3ceba197d8b8ab96353573e394f3d05e40872c439ec12753c3b9

Download Submit
memory/860-45-0x000002132FDF0000-0x000002132FDF7000-memory.dmp

Filesize
28KB

Download
memory/860-46-0x00007FFA0A0D0000-0x00007FFA0A202000-memory.dmp

Filesize
1.2MB

Download
memory/860-51-0x00007FFA0A0D0000-0x00007FFA0A202000-memory.dmp

Filesize
1.2MB

Download
memory/1296-82-0x000001C574550000-0x000001C574557000-memory.dmp

Filesize
28KB

Download
memory/1296-79-0x00007FFA092C0000-0x00007FFA093F1000-memory.dmp

Filesize
1.2MB

Download
memory/1296-85-0x00007FFA092C0000-0x00007FFA093F1000-memory.dmp

Filesize
1.2MB

Download
memory/3004-62-0x000002B81BE50000-0x000002B81BE57000-memory.dmp

Filesize
28KB

Download
memory/3004-63-0x00007FFA0A0D0000-0x00007FFA0A201000-memory.dmp

Filesize
1.2MB

Download
memory/3004-68-0x00007FFA0A0D0000-0x00007FFA0A201000-memory.dmp

Filesize
1.2MB

Download
memory/3504-28-0x0000000008850000-0x0000000008857000-memory.dmp

Filesize
28KB

Download
memory/3504-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-5-0x00007FFA268BA000-0x00007FFA268BB000-memory.dmp

Filesize
4KB

Download
memory/3504-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-4-0x0000000008940000-0x0000000008941000-memory.dmp

Filesize
4KB

Download
memory/3504-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-29-0x00007FFA27730000-0x00007FFA27740000-memory.dmp

Filesize
64KB

Download
memory/3504-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/5036-0-0x00007FFA19720000-0x00007FFA19850000-memory.dmp

Filesize
1.2MB

Download
memory/5036-38-0x00007FFA19720000-0x00007FFA19850000-memory.dmp

Filesize
1.2MB

Download
memory/5036-3-0x0000021B36350000-0x0000021B36357000-memory.dmp

Filesize
28KB

Download