dridex | 8d46559c1484cdb308e3dbf6daf26b638c4a1f9c5b7f1ae5b45b1eed697b7f05

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af5c2d09865cacfddffbd020fab2f575_JaffaCakes118.dll
Size

1.2MB
MD5

af5c2d09865cacfddffbd020fab2f575
SHA1

403d2773b863288241f94f736194c5e014871c4e
SHA256

8d46559c1484cdb308e3dbf6daf26b638c4a1f9c5b7f1ae5b45b1eed697b7f05
SHA512

bb376f1b674507dcc41c6a8b30fd8926410adfdbb3a6f8dd9b999b90402d8a19f8499266d3c1d3305fe40d2d7095cef2e34a1f10ccfd6a73d71dd3b54eec156e
SSDEEP

24576:HuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:p9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3516-4-0x0000000008250000-0x0000000008251000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

bdeunlock.exeWFS.exedxgiadaptercache.exe

pid	Process
968	bdeunlock.exe
4604	WFS.exe
3920	dxgiadaptercache.exe

Loads dropped DLL 4 IoCs

Processes:

bdeunlock.exeWFS.exedxgiadaptercache.exe

pid	Process
968	bdeunlock.exe
4604	WFS.exe
3920	dxgiadaptercache.exe
3920	dxgiadaptercache.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zsovh = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\6gVX\\WFS.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WFS.exedxgiadaptercache.exerundll32.exebdeunlock.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe

Modifies registry class 1 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
3404	rundll32.exe
3404	rundll32.exe
3404	rundll32.exe
3404	rundll32.exe
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516
3516

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516
Token: SeShutdownPrivilege	3516
Token: SeCreatePagefilePrivilege	3516

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3516
3516

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3516

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3516 wrote to memory of 1316	3516	95
PID 3516 wrote to memory of 1316	3516	95
PID 3516 wrote to memory of 968	3516	96
PID 3516 wrote to memory of 968	3516	96
PID 3516 wrote to memory of 2932	3516	97
PID 3516 wrote to memory of 2932	3516	97
PID 3516 wrote to memory of 4604	3516	98
PID 3516 wrote to memory of 4604	3516	98
PID 3516 wrote to memory of 1524	3516	99
PID 3516 wrote to memory of 1524	3516	99
PID 3516 wrote to memory of 3920	3516	100
PID 3516 wrote to memory of 3920	3516	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\af5c2d09865cacfddffbd020fab2f575_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3404

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:1316

C:\Users\Admin\AppData\Local\J63\bdeunlock.exe
C:\Users\Admin\AppData\Local\J63\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:968

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:2932

C:\Users\Admin\AppData\Local\6UbN\WFS.exe
C:\Users\Admin\AppData\Local\6UbN\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4604

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:1524

C:\Users\Admin\AppData\Local\X4eW\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\X4eW\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6UbN\WFS.exe

Filesize
944KB

MD5
3cbc8d0f65e3db6c76c119ed7c2ffd85

SHA1
e74f794d86196e3bbb852522479946cceeed7e01

SHA256
e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

SHA512
26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

Download Submit
C:\Users\Admin\AppData\Local\6UbN\WINMM.dll

Filesize
1.2MB

MD5
29517f5be0fef925292fa85b0132b669

SHA1
8bcd62573037fdb968f35dab1ecc11cf312234d5

SHA256
5404477dfa07a145a7d218d66a4c4ee3d604a3d630bc1cdda384e04324176fd4

SHA512
121718006b81ae41c50cb056d967f864dff96ec33145f2ce92862876e0f147640d4bae9c8bec15f1e6d71a658da05b6f5942d1b045e9d10dd7f6807b415515ed

Download Submit
C:\Users\Admin\AppData\Local\J63\DUser.dll

Filesize
1.2MB

MD5
3ea01c6c05c497232757c05cbb7c002e

SHA1
10d0c053b8cd98e9cfd182bd558908c98acff596

SHA256
f03f5c3de2384c0a4b5e90e2c7b2cd896cd6293b35b9a9f91a452c5835621198

SHA512
ea72dffcc2e5c63a8ff7f5f1e01d184293a2e2bc2cb881a106138716fa8309e3939faf26498c25376c9456c4e865eb3f08149108e57e416b78be1db9bca38f93

Download Submit
C:\Users\Admin\AppData\Local\J63\bdeunlock.exe

Filesize
279KB

MD5
fef5d67150c249db3c1f4b30a2a5a22e

SHA1
41ca037b0229be9338da4d78244b4f0ea5a3d5f3

SHA256
dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

SHA512
4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Download Submit
C:\Users\Admin\AppData\Local\X4eW\dxgi.dll

Filesize
1.2MB

MD5
6675b69009f3ee24acfd57a76220ca18

SHA1
862384dccb616338955f759b238200ff4e69586c

SHA256
326d8555ac4cbda78a2e7b9989bd6ded6e6b5b2c6d2d95e13f390c3933a78803

SHA512
512363dcc9356a569eadd2c108e5074b99e783004960430a2347114f7bce52c4228427652a7d3c96652ef2d7b59173501562fa894767473d352d90d60ee5cfb6

Download Submit
C:\Users\Admin\AppData\Local\X4eW\dxgiadaptercache.exe

Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Sfbjsepzltomqmf.lnk

Filesize
1KB

MD5
b49d1416dcbc742b38608a48c8ad35a2

SHA1
4082b94df5e7fffd8c6e326b9f9063afc745aca7

SHA256
0f5f63a1f359dec7b22c5e2a6537df8b6109140ac1c6ffd50ede592a321a4af8

SHA512
40541f3ac558afec63d4cded096498bc7d02b1e771831e037d598af7f4e76f226a62494e6038ee019d71887f0adf40425da65836f8d4d16c9fa35eba7e2d4190

Download Submit
memory/968-51-0x00007FFE91750000-0x00007FFE91883000-memory.dmp

Filesize
1.2MB

Download
memory/968-46-0x00007FFE91750000-0x00007FFE91883000-memory.dmp

Filesize
1.2MB

Download
memory/968-45-0x0000014C8AA60000-0x0000014C8AA67000-memory.dmp

Filesize
28KB

Download
memory/3404-38-0x00007FFEA16F0000-0x00007FFEA1821000-memory.dmp

Filesize
1.2MB

Download
memory/3404-0-0x00007FFEA16F0000-0x00007FFEA1821000-memory.dmp

Filesize
1.2MB

Download
memory/3404-3-0x00000252678D0000-0x00000252678D7000-memory.dmp

Filesize
28KB

Download
memory/3516-35-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-25-0x0000000002E30000-0x0000000002E37000-memory.dmp

Filesize
28KB

Download
memory/3516-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-34-0x00007FFEAFE50000-0x00007FFEAFE60000-memory.dmp

Filesize
64KB

Download
memory/3516-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3516-4-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/3516-6-0x00007FFEAF4CA000-0x00007FFEAF4CB000-memory.dmp

Filesize
4KB

Download
memory/3516-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3920-83-0x0000022A4D6A0000-0x0000022A4D6A7000-memory.dmp

Filesize
28KB

Download
memory/3920-80-0x00007FFE92150000-0x00007FFE92282000-memory.dmp

Filesize
1.2MB

Download
memory/3920-86-0x00007FFE92150000-0x00007FFE92282000-memory.dmp

Filesize
1.2MB

Download
memory/4604-68-0x00007FFE91750000-0x00007FFE91883000-memory.dmp

Filesize
1.2MB

Download
memory/4604-65-0x0000018B8FA00000-0x0000018B8FA07000-memory.dmp

Filesize
28KB

Download