dridex | c848f850797249c8c2315d762a79e6ea7536ba9ccb699f7d419907bb2a528eff

Analysis

max time kernel
149s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acfe91ad1baf9ce432450d6bb0558e2b_JaffaCakes118.dll
Size

1.2MB
MD5

acfe91ad1baf9ce432450d6bb0558e2b
SHA1

e7a99b007e443ddd625892f5fbd5bfcd5227ddeb
SHA256

c848f850797249c8c2315d762a79e6ea7536ba9ccb699f7d419907bb2a528eff
SHA512

bc946115122b04649d208ee4971d8aa37fde2214888afc6a4a201c486a03775b1d13d9873a44435ef803a1c48a58aab928249192c0f9648aac6398fc7bc5f330
SSDEEP

24576:ChLBOY3Zch8R9trbCPQFaD0JAc8V7M/GGS069NmgsSF:KTFJawGGj6fmg

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/2992-4-0x0000000002700000-0x0000000002701000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3784	SppExtComObj.Exe
444	LicensingUI.exe
5064	ApplicationFrameHost.exe

Loads dropped DLL 3 IoCs

pid	Process
3784	SppExtComObj.Exe
444	LicensingUI.exe
5064	ApplicationFrameHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ygssokoticw = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\Fpz\\LicensingUI.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.Exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LicensingUI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplicationFrameHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4172	rundll32.exe
4172	rundll32.exe
4172	rundll32.exe
4172	rundll32.exe
4172	rundll32.exe
4172	rundll32.exe
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found
2992	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2992	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3140	2992	Process not Found	94
PID 2992 wrote to memory of 3140	2992	Process not Found	94
PID 2992 wrote to memory of 3784	2992	Process not Found	95
PID 2992 wrote to memory of 3784	2992	Process not Found	95
PID 2992 wrote to memory of 2380	2992	Process not Found	96
PID 2992 wrote to memory of 2380	2992	Process not Found	96
PID 2992 wrote to memory of 444	2992	Process not Found	97
PID 2992 wrote to memory of 444	2992	Process not Found	97
PID 2992 wrote to memory of 2608	2992	Process not Found	98
PID 2992 wrote to memory of 2608	2992	Process not Found	98
PID 2992 wrote to memory of 5064	2992	Process not Found	99
PID 2992 wrote to memory of 5064	2992	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acfe91ad1baf9ce432450d6bb0558e2b_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4172

C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
1⤵
PID:3140

C:\Users\Admin\AppData\Local\pAl2oM\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\pAl2oM\SppExtComObj.Exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3784

C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
1⤵
PID:2380

C:\Users\Admin\AppData\Local\NyuVPX6\LicensingUI.exe
C:\Users\Admin\AppData\Local\NyuVPX6\LicensingUI.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:444

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:2608

C:\Users\Admin\AppData\Local\61qwVuq\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\61qwVuq\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\61qwVuq\ApplicationFrameHost.exe

Filesize
76KB

MD5
d58a8a987a8dafad9dc32a548cc061e7

SHA1
f79fc9e0ab066cad530b949c2153c532a5223156

SHA256
cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

SHA512
93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Download Submit
C:\Users\Admin\AppData\Local\61qwVuq\dxgi.dll

Filesize
1.2MB

MD5
ec3c4eff95c208a25fc3f348ded8535f

SHA1
55d2d819e36f0c937c45a3fbe0a44cb88c8c01ea

SHA256
5c7b5cf525a6e4b531b51a09425e6d44bf6c83001cecca5e45a9cf1cd085370f

SHA512
a682347bb7c7050d5fcfb6fa2ac47c9e4a135423df64e05afc54555bec787177bd58e6e83434a3f185b252d68d8a9323c6201ad20ae5a1377d2c9155d7d4e3b8

Download Submit
C:\Users\Admin\AppData\Local\NyuVPX6\DUI70.dll

Filesize
1.5MB

MD5
0dc740008f53efbf99c7c27166d98720

SHA1
64fb751da6171f10ec70c11c53c28b297645c36b

SHA256
6e4f6ecf0ca9f628fdffb003f270f1d2b25813cacda098bb8974a27761c1ac1f

SHA512
2c4c1a252fec81532f9a373ed67eb1270a83ecc0aba00d01abbc78a2fe86c74a4c9079eed687de5605c90ae4cf8166edc1ed1bb788918dd6b9b1ca04287e07b6

Download Submit
C:\Users\Admin\AppData\Local\NyuVPX6\LicensingUI.exe

Filesize
142KB

MD5
8b4abc637473c79a003d30bb9c7a05e5

SHA1
d1cab953c16d4fdec2b53262f56ac14a914558ca

SHA256
0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

SHA512
5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

Download Submit
C:\Users\Admin\AppData\Local\pAl2oM\ACTIVEDS.dll

Filesize
1.2MB

MD5
d67da2ff3a01fb811fb3198ca2c15ecf

SHA1
d83aa20ace1773e0f9b2d21c398e1d46dc18a922

SHA256
b278542185055e3dbe5ef8586d4d20eee7a55c8e07645af1faf109a9a400af2d

SHA512
93004c1d1886ce1afbe9c10de84763938fa094e487eb7f374bc9480bfba603e09e53aaadeb22c0b1082368405a2006fe8838f533f97247b8b214dbedf96cb033

Download Submit
C:\Users\Admin\AppData\Local\pAl2oM\SppExtComObj.Exe

Filesize
559KB

MD5
728a78909aa69ca0e976e94482350700

SHA1
6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

SHA256
2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

SHA512
22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk

Filesize
1KB

MD5
7d6736c11337aaada3b888cfebdb0f0d

SHA1
8d8ba0315eebb0bf201fc377b39e1b7ac90932e5

SHA256
cad65d1ebbde8b19b88000f16a17d3bf86538a3d23cd924feaaaae8b0b871b7b

SHA512
63c8584625430f55953379c111a96d88f5b2fd848ef4177bb33fc40b8682895d40b76d1389840cfbe7a37d6dcaff25b73471627e51912d2fd1ebd6bae746dd3d

Download Submit
memory/444-67-0x00007FFC0FDA0000-0x00007FFC0FF27000-memory.dmp

Filesize
1.5MB

Download
memory/444-61-0x00007FFC0FDA0000-0x00007FFC0FF27000-memory.dmp

Filesize
1.5MB

Download
memory/444-64-0x000002C711940000-0x000002C711947000-memory.dmp

Filesize
28KB

Download
memory/2992-25-0x00007FFC1EDF0000-0x00007FFC1EE00000-memory.dmp

Filesize
64KB

Download
memory/2992-13-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2992-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2992-11-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2992-10-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2992-9-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2992-8-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2992-4-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/2992-15-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2992-24-0x00000000026B0000-0x00000000026B7000-memory.dmp

Filesize
28KB

Download
memory/2992-6-0x00007FFC1D41A000-0x00007FFC1D41B000-memory.dmp

Filesize
4KB

Download
memory/2992-7-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2992-14-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2992-23-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2992-34-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3784-50-0x00007FFC0FDE0000-0x00007FFC0FF22000-memory.dmp

Filesize
1.3MB

Download
memory/3784-44-0x00007FFC0FDE0000-0x00007FFC0FF22000-memory.dmp

Filesize
1.3MB

Download
memory/3784-47-0x000001BB09080000-0x000001BB09087000-memory.dmp

Filesize
28KB

Download
memory/4172-3-0x0000018484860000-0x0000018484867000-memory.dmp

Filesize
28KB

Download
memory/4172-37-0x00007FFC102C0000-0x00007FFC10401000-memory.dmp

Filesize
1.3MB

Download
memory/4172-0-0x00007FFC102C0000-0x00007FFC10401000-memory.dmp

Filesize
1.3MB

Download
memory/5064-81-0x00000232FC640000-0x00000232FC647000-memory.dmp

Filesize
28KB

Download
memory/5064-84-0x00007FFC0FDE0000-0x00007FFC0FF22000-memory.dmp

Filesize
1.3MB

Download