dridex | 9eee24f1910adf2f9f51d20686490ef331245fa9272895d3aba8a62f8f190c69

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b57ee7b1519ce4f80831dcedad7662fe_JaffaCakes118.dll
Size

1.2MB
MD5

b57ee7b1519ce4f80831dcedad7662fe
SHA1

772b5c112e52bb186fc006785765902f62325c87
SHA256

9eee24f1910adf2f9f51d20686490ef331245fa9272895d3aba8a62f8f190c69
SHA512

899ce395891a99312f1cb2fe1ae190456d611af9a5d56ad9a83bc8d46a8836db762566ab13703c774aaf5045e96fc06972cc5df3c5b1ef90f91d6807c2c226a6
SSDEEP

24576:0uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:s9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3596-4-0x0000000002ED0000-0x0000000002ED1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

raserver.exeApplySettingsTemplateCatalog.exebdeunlock.exe

pid	Process
1004	raserver.exe
512	ApplySettingsTemplateCatalog.exe
2128	bdeunlock.exe

Loads dropped DLL 3 IoCs

Processes:

raserver.exeApplySettingsTemplateCatalog.exebdeunlock.exe

pid	Process
1004	raserver.exe
512	ApplySettingsTemplateCatalog.exe
2128	bdeunlock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Daamvycbobhd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\hw7I\\ApplySettingsTemplateCatalog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeraserver.exeApplySettingsTemplateCatalog.exebdeunlock.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
4624	rundll32.exe
4624	rundll32.exe
4624	rundll32.exe
4624	rundll32.exe
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596
3596

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3596
Token: SeCreatePagefilePrivilege	3596
Token: SeShutdownPrivilege	3596
Token: SeCreatePagefilePrivilege	3596
Token: SeShutdownPrivilege	3596
Token: SeCreatePagefilePrivilege	3596

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3596
3596

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3596

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3596 wrote to memory of 3204	3596	105
PID 3596 wrote to memory of 3204	3596	105
PID 3596 wrote to memory of 1004	3596	106
PID 3596 wrote to memory of 1004	3596	106
PID 3596 wrote to memory of 648	3596	107
PID 3596 wrote to memory of 648	3596	107
PID 3596 wrote to memory of 512	3596	108
PID 3596 wrote to memory of 512	3596	108
PID 3596 wrote to memory of 2116	3596	109
PID 3596 wrote to memory of 2116	3596	109
PID 3596 wrote to memory of 2128	3596	110
PID 3596 wrote to memory of 2128	3596	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b57ee7b1519ce4f80831dcedad7662fe_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:4632

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:3204

C:\Users\Admin\AppData\Local\8HM7\raserver.exe
C:\Users\Admin\AppData\Local\8HM7\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1004

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:648

C:\Users\Admin\AppData\Local\cGxVrZ\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\cGxVrZ\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:512

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:2116

C:\Users\Admin\AppData\Local\R1Kt\bdeunlock.exe
C:\Users\Admin\AppData\Local\R1Kt\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8HM7\WTSAPI32.dll

Filesize
1.2MB

MD5
8316807ed470d23d3bef3f79de1b83cd

SHA1
06c546782aaca88fe7c5c9f55c4a9d6c5b5cd174

SHA256
f131d24177f652ef276ef1d9291b8f8539174a2720488312c49cc79ead09acf9

SHA512
a92b11c6faec2486cbc36194b8bfe7bd389832f37445cc5b4723148869a6f4c65e017c635996aff0b48f3462985d69a170468284b9fc1f7244bfcefac0f40659

Download Submit
C:\Users\Admin\AppData\Local\8HM7\raserver.exe

Filesize
132KB

MD5
d1841c6ee4ea45794ced131d4b68b60e

SHA1
4be6d2116060d7c723ac2d0b5504efe23198ea01

SHA256
38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

SHA512
d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

Download Submit
C:\Users\Admin\AppData\Local\R1Kt\DUI70.dll

Filesize
1.4MB

MD5
8ed0dc137382fdb173822ca545ee8d36

SHA1
f5fd8f62e63884a43ad94c041b98294ddfb8c725

SHA256
08b4921e4986a8060a5db51c04cb4040056ec2f9ad494422a32ba13e6f833eb4

SHA512
534430bc16707fca7e9a3d0aad5caf990d1ce0082062df8d5450932ff74fb9c2ea54645e92294c4c0b424e15bfcf3b45a7616c87691bf9402b3273da676a1a04

Download Submit
C:\Users\Admin\AppData\Local\R1Kt\bdeunlock.exe

Filesize
279KB

MD5
fef5d67150c249db3c1f4b30a2a5a22e

SHA1
41ca037b0229be9338da4d78244b4f0ea5a3d5f3

SHA256
dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

SHA512
4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Download Submit
C:\Users\Admin\AppData\Local\cGxVrZ\ACTIVEDS.dll

Filesize
1.2MB

MD5
5375840cc9341b507a1710240922d17f

SHA1
648cf4c7855b5186289872c739e2b51187aacebd

SHA256
989ceb97e21a8c111145963ff8357f7fee794de77c99ee888483fc209d098ead

SHA512
5e75dbc147000ef3441884fb86a46badc3c2132f6f0bfc8a6c695d9930a78bfe376de59c6657fc9dd95d8de6dc0480aabbd20de6f880bc71db31c64f20360597

Download Submit
C:\Users\Admin\AppData\Local\cGxVrZ\ApplySettingsTemplateCatalog.exe

Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Jmybglakcar.lnk

Filesize
1KB

MD5
4f31750d3a94780888ee7e1896c19e27

SHA1
02572ec4a5ea36e0a5b10a39e847a62a2682268f

SHA256
00ec4122c496a64c64ca924192c9f1cfae303fd80e9043ca6ae937c5fb0a8fcb

SHA512
262a4205f668233f1a1c752217bb2cbeea7b0199b119655c29fe1c61e4279f9cae13e4c9c7c126357ecc79e64768572f09a99a5905abeba688a23c9f3a82a90c

Download Submit
memory/512-69-0x00007FFA25BA0000-0x00007FFA25CD3000-memory.dmp

Filesize
1.2MB

Download
memory/512-66-0x000001D3F08A0000-0x000001D3F08A7000-memory.dmp

Filesize
28KB

Download
memory/1004-52-0x00007FFA25BA0000-0x00007FFA25CD3000-memory.dmp

Filesize
1.2MB

Download
memory/1004-46-0x00007FFA25BA0000-0x00007FFA25CD3000-memory.dmp

Filesize
1.2MB

Download
memory/1004-49-0x00000167BDE20000-0x00000167BDE27000-memory.dmp

Filesize
28KB

Download
memory/2128-80-0x000001FA3C0C0000-0x000001FA3C0C7000-memory.dmp

Filesize
28KB

Download
memory/2128-81-0x00007FFA25AC0000-0x00007FFA25C38000-memory.dmp

Filesize
1.5MB

Download
memory/2128-86-0x00007FFA25AC0000-0x00007FFA25C38000-memory.dmp

Filesize
1.5MB

Download
memory/3596-34-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3596-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3596-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3596-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3596-6-0x00007FFA429BA000-0x00007FFA429BB000-memory.dmp

Filesize
4KB

Download
memory/3596-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3596-17-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3596-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3596-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3596-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3596-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3596-25-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3596-4-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/3596-38-0x00007FFA44090000-0x00007FFA440A0000-memory.dmp

Filesize
64KB

Download
memory/3596-37-0x0000000002EB0000-0x0000000002EB7000-memory.dmp

Filesize
28KB

Download
memory/3596-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3596-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/4624-0-0x000001DA04F90000-0x000001DA04F97000-memory.dmp

Filesize
28KB

Download
memory/4624-39-0x00007FFA355C0000-0x00007FFA356F2000-memory.dmp

Filesize
1.2MB

Download
memory/4624-1-0x00007FFA355C0000-0x00007FFA356F2000-memory.dmp

Filesize
1.2MB

Download