dridex | 3b9b60dc1df3c32236efbfa255e992f1dab96551ffa4dfc533a00b6cf810d0ae

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1354a3e5555a634bafbb1f7d544a307_JaffaCakes118.dll
Size

1.2MB
MD5

b1354a3e5555a634bafbb1f7d544a307
SHA1

8b31570d013db1d63bfdbac53acb3359193fa565
SHA256

3b9b60dc1df3c32236efbfa255e992f1dab96551ffa4dfc533a00b6cf810d0ae
SHA512

73ae2f978f9cd855f41591d369ff7f606ab84a197322f85de8bb3ad177fbfe58daf3e9037004304ee9f151a382cbc00e9a7c4dcffe344f9d2e1875301fa24e0c
SSDEEP

24576:XuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:Z9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3584-4-0x0000000007670000-0x0000000007671000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

FXSCOVER.exeEhStorAuthn.exeProximityUxHost.exe

pid	Process
4312	FXSCOVER.exe
5016	EhStorAuthn.exe
2704	ProximityUxHost.exe

Loads dropped DLL 3 IoCs

Processes:

FXSCOVER.exeEhStorAuthn.exeProximityUxHost.exe

pid	Process
4312	FXSCOVER.exe
5016	EhStorAuthn.exe
2704	ProximityUxHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qebzqfuc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\w03\\EhStorAuthn.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeFXSCOVER.exeEhStorAuthn.exeProximityUxHost.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProximityUxHost.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1512	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584
3584

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584
Token: SeShutdownPrivilege	3584
Token: SeCreatePagefilePrivilege	3584

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3584
3584

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3584

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3584 wrote to memory of 5008	3584	97
PID 3584 wrote to memory of 5008	3584	97
PID 3584 wrote to memory of 4312	3584	98
PID 3584 wrote to memory of 4312	3584	98
PID 3584 wrote to memory of 1396	3584	99
PID 3584 wrote to memory of 1396	3584	99
PID 3584 wrote to memory of 5016	3584	100
PID 3584 wrote to memory of 5016	3584	100
PID 3584 wrote to memory of 1088	3584	101
PID 3584 wrote to memory of 1088	3584	101
PID 3584 wrote to memory of 2704	3584	102
PID 3584 wrote to memory of 2704	3584	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1354a3e5555a634bafbb1f7d544a307_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:5008

C:\Users\Admin\AppData\Local\3uxbz3\FXSCOVER.exe
C:\Users\Admin\AppData\Local\3uxbz3\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4312

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:1396

C:\Users\Admin\AppData\Local\mE4mWOP\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\mE4mWOP\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5016

C:\Windows\system32\ProximityUxHost.exe
C:\Windows\system32\ProximityUxHost.exe
1⤵
PID:1088

C:\Users\Admin\AppData\Local\6cnAJZ\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\6cnAJZ\ProximityUxHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3uxbz3\FXSCOVER.exe

Filesize
242KB

MD5
5769f78d00f22f76a4193dc720d0b2bd

SHA1
d62b6cab057e88737cba43fe9b0c6d11a28b53e8

SHA256
40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

SHA512
b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

Download Submit
C:\Users\Admin\AppData\Local\3uxbz3\MFC42u.dll

Filesize
1.2MB

MD5
3539c5f28d761fa6ccf6118b6ea2eead

SHA1
748ee75655b2f6ac8eb1bbda01da35579b9d4999

SHA256
5350938939eef041dc39dadde06e1158bd6737699d9584f3a890d7e6a0715ae1

SHA512
e9725fe7a9f8808950ddcb90448d4890901479e591350c580277c9e7eaca4c2c75125fe7aeedd7a31eb4985a00fc1a9837433ed9a8c30308fd1f55b10e940eb7

Download Submit
C:\Users\Admin\AppData\Local\6cnAJZ\DUI70.dll

Filesize
1.4MB

MD5
a7b770dfbaf4a9d5bd894974bc171a96

SHA1
46928a74d860db83baec9c4fdaa7463adbc46288

SHA256
117b91b461a5c4f6778031bb0295a3625711d6503aba4e6db2825b3966f7a353

SHA512
5ec4571e9b0c8a0b78230074b43ce123823101d618ba0a8a1688459b9293ee8f16a8cb0ab1103484a530ba9c380f15e485fa7299ee13a4fa127ff586d1774601

Download Submit
C:\Users\Admin\AppData\Local\6cnAJZ\ProximityUxHost.exe

Filesize
263KB

MD5
9ea326415b83d77295c70a35feb75577

SHA1
f8fc6a4f7f97b242f35066f61d305e278155b8a8

SHA256
192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f

SHA512
2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

Download Submit
C:\Users\Admin\AppData\Local\mE4mWOP\EhStorAuthn.exe

Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\mE4mWOP\UxTheme.dll

Filesize
1.2MB

MD5
c2d4f81b8600cf232b8ac6b3cb5c55cd

SHA1
eb2692ec2f5021863519e115622af9cc7faa55ae

SHA256
199d07b6588bc3ad67060f64f74af017ae5b31a31d3534bdeda9ec8056d5e8e0

SHA512
5f0c0765647558fb60c0572656278a2d98ea600d37317b3545289c70c2ca92356c5de26145652ddd2fe2faac7e356523dd4f1fc30be9ce88e5af73d77c29ea4c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk

Filesize
1KB

MD5
4ceca362c0543b90ae88b84bf8c2c5c3

SHA1
b26dbdced701cff43ffc8b52d6910279580a0b02

SHA256
0f04e0ab668f16e5fdf43fccf764cb7932ace2688291ca3e3f15700a9d590c59

SHA512
7bf4718903b7280b2cf3e545461e6102d42ca2452cf084869b36838a50f65440721651853150704772daaa7ef1c899e44c417550f8119a4e0b083c6e6ea8f7e5

Download Submit
memory/1512-38-0x00007FF9E3CC0000-0x00007FF9E3DF0000-memory.dmp

Filesize
1.2MB

Download
memory/1512-1-0x00007FF9E3CC0000-0x00007FF9E3DF0000-memory.dmp

Filesize
1.2MB

Download
memory/1512-0-0x000001E8DFA70000-0x000001E8DFA77000-memory.dmp

Filesize
28KB

Download
memory/2704-84-0x00007FF9D4630000-0x00007FF9D47A6000-memory.dmp

Filesize
1.5MB

Download
memory/2704-79-0x00007FF9D4630000-0x00007FF9D47A6000-memory.dmp

Filesize
1.5MB

Download
memory/3584-29-0x00007FF9F2B30000-0x00007FF9F2B40000-memory.dmp

Filesize
64KB

Download
memory/3584-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3584-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3584-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3584-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3584-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3584-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3584-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3584-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3584-6-0x00007FF9F23BA000-0x00007FF9F23BB000-memory.dmp

Filesize
4KB

Download
memory/3584-4-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/3584-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3584-28-0x0000000007650000-0x0000000007657000-memory.dmp

Filesize
28KB

Download
memory/3584-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3584-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3584-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4312-51-0x00007FF9D5350000-0x00007FF9D5487000-memory.dmp

Filesize
1.2MB

Download
memory/4312-48-0x0000020BC2400000-0x0000020BC2407000-memory.dmp

Filesize
28KB

Download
memory/4312-45-0x00007FF9D5350000-0x00007FF9D5487000-memory.dmp

Filesize
1.2MB

Download
memory/5016-68-0x00007FF9D5350000-0x00007FF9D5481000-memory.dmp

Filesize
1.2MB

Download
memory/5016-63-0x00007FF9D5350000-0x00007FF9D5481000-memory.dmp

Filesize
1.2MB

Download
memory/5016-62-0x0000017851120000-0x0000017851127000-memory.dmp

Filesize
28KB

Download