dridex | f487a0f3b8ef34854390d1f67b57ead543c6a940a74bf00699264c183533cbe6

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b273fa97431153c131b5b9ae8d6f85b7_JaffaCakes118.dll
Size

1.2MB
MD5

b273fa97431153c131b5b9ae8d6f85b7
SHA1

6747bd7ef216cdf6d23e500c2ca8c41e851b109e
SHA256

f487a0f3b8ef34854390d1f67b57ead543c6a940a74bf00699264c183533cbe6
SHA512

6bc9e750e65ae49fa76d6fc1447b3386c79cf434871e75a5b6f2307ccd35b9105c8b6e5eafd610e618ce36ac4089cecd2c739ed05cb9bf9944327b40fcbc2e1c
SSDEEP

24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:m9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3464-4-0x0000000008500000-0x0000000008501000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3292	DisplaySwitch.exe
1892	sppsvc.exe
3412	DeviceEnroller.exe

Loads dropped DLL 3 IoCs

pid	Process
3292	DisplaySwitch.exe
1892	sppsvc.exe
3412	DeviceEnroller.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qgfqnr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\aefy\\sppsvc.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
5052	rundll32.exe
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3464	Process not Found
Token: SeCreatePagefilePrivilege	3464	Process not Found
Token: SeShutdownPrivilege	3464	Process not Found
Token: SeCreatePagefilePrivilege	3464	Process not Found
Token: SeShutdownPrivilege	3464	Process not Found
Token: SeCreatePagefilePrivilege	3464	Process not Found
Token: SeShutdownPrivilege	3464	Process not Found
Token: SeCreatePagefilePrivilege	3464	Process not Found
Token: SeShutdownPrivilege	3464	Process not Found
Token: SeCreatePagefilePrivilege	3464	Process not Found
Token: SeShutdownPrivilege	3464	Process not Found
Token: SeCreatePagefilePrivilege	3464	Process not Found
Token: SeShutdownPrivilege	3464	Process not Found
Token: SeCreatePagefilePrivilege	3464	Process not Found
Token: SeShutdownPrivilege	3464	Process not Found
Token: SeCreatePagefilePrivilege	3464	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3464	Process not Found
3464	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3464	Process not Found

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 1860	3464	Process not Found	96
PID 3464 wrote to memory of 1860	3464	Process not Found	96
PID 3464 wrote to memory of 3292	3464	Process not Found	97
PID 3464 wrote to memory of 3292	3464	Process not Found	97
PID 3464 wrote to memory of 1892	3464	Process not Found	99
PID 3464 wrote to memory of 1892	3464	Process not Found	99
PID 3464 wrote to memory of 1488	3464	Process not Found	100
PID 3464 wrote to memory of 1488	3464	Process not Found	100
PID 3464 wrote to memory of 3412	3464	Process not Found	101
PID 3464 wrote to memory of 3412	3464	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b273fa97431153c131b5b9ae8d6f85b7_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5052

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:1860

C:\Users\Admin\AppData\Local\GnXS5iq2F\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\GnXS5iq2F\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3292

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:4796

C:\Users\Admin\AppData\Local\bNO7\sppsvc.exe
C:\Users\Admin\AppData\Local\bNO7\sppsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1892

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:1488

C:\Users\Admin\AppData\Local\cYZ6RmKj\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\cYZ6RmKj\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GnXS5iq2F\DisplaySwitch.exe

Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Local\GnXS5iq2F\WINSTA.dll

Filesize
1.2MB

MD5
a3973620aa36d705a378f9cd803c7b19

SHA1
d5b65c77ae6e63c82dd66a8937b5fec4063ae4ec

SHA256
9ff16c01c4ddc25a2f0a7a89327fc14e760d6843c354afc50bcb9e19840fb28c

SHA512
f801932217ff14b22a85a8c1384673614fd573148884a000da228918f07763c45aaa0ea781b652cfeb7481cbe61f23297eee20e8199a616b8a1b7aed475d87d7

Download Submit
C:\Users\Admin\AppData\Local\bNO7\XmlLite.dll

Filesize
1.2MB

MD5
41c23bc8cc0a75150aef994ef91fe3a2

SHA1
ea63a8459fb62e7d5345755ad736e06840d70f47

SHA256
3aa9e05b7c3b034f5172ff150b63704b79c6dc771bb7a98f31dc906f029cb1eb

SHA512
0b7a56ebbbb3cbc960592aad190f8706967725807cba575aafed8e78c3cb49174d481bdd63ba4b1e008fd7a35b1524546f5e68da12926accdddf2d8ed0c32c94

Download Submit
C:\Users\Admin\AppData\Local\bNO7\sppsvc.exe

Filesize
4.4MB

MD5
ec6cef0a81f167668e18fa32f1606fce

SHA1
6d56837a388ae5573a38a439cee16e6dde5b4de8

SHA256
82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8

SHA512
f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

Download Submit
C:\Users\Admin\AppData\Local\cYZ6RmKj\DeviceEnroller.exe

Filesize
448KB

MD5
946d9474533f58d2613078fd14ca7473

SHA1
c2620ac9522fa3702a6a03299b930d6044aa5e49

SHA256
cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

SHA512
3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

Download Submit
C:\Users\Admin\AppData\Local\cYZ6RmKj\XmlLite.dll

Filesize
1.2MB

MD5
15030d55bc644ce6a3bf060b3dbb8611

SHA1
ef59c5312f25c9ce7da06651309fb8b8dc0c0493

SHA256
f1b1e403d8e6bc0663b2259fa9409386debf4f12ef88ead6258dc83da158b588

SHA512
25897a9b132bc1bece0a5469be750f645b0e7b7e585735d885be29811cfec4080e4654fe06a6e10214900674599ebabb8bf76877e08d7766288eac47cca5dbb3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mcinmsnhewplgza.lnk

Filesize
1KB

MD5
ffada1c90e60a6296baf8cda86a84657

SHA1
d3bd520e33e2e753e7bd8c251be654dc2f258ee4

SHA256
f4d753408b35a4e0ea688c1439a8431bfb7ddce4a8e60cdd32361ea7f1132710

SHA512
059d97457d9f8c310c2f177c8d0421289691c534522a48caa4812b667988e05b462406f14e62e487b1b920a09758649f3e3f4d334721c910d425d721efe4a842

Download Submit
memory/1892-64-0x00007FFCC73E0000-0x00007FFCC7512000-memory.dmp

Filesize
1.2MB

Download
memory/1892-63-0x00000159479E0000-0x00000159479E7000-memory.dmp

Filesize
28KB

Download
memory/1892-68-0x00007FFCC73E0000-0x00007FFCC7512000-memory.dmp

Filesize
1.2MB

Download
memory/3292-52-0x00007FFCC7230000-0x00007FFCC7363000-memory.dmp

Filesize
1.2MB

Download
memory/3292-49-0x000002EB56450000-0x000002EB56457000-memory.dmp

Filesize
28KB

Download
memory/3292-46-0x00007FFCC7230000-0x00007FFCC7363000-memory.dmp

Filesize
1.2MB

Download
memory/3412-84-0x00007FFCC73E0000-0x00007FFCC7512000-memory.dmp

Filesize
1.2MB

Download
memory/3464-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-4-0x0000000008500000-0x0000000008501000-memory.dmp

Filesize
4KB

Download
memory/3464-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-11-0x00007FFCE4C0A000-0x00007FFCE4C0B000-memory.dmp

Filesize
4KB

Download
memory/3464-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-26-0x00000000084D0000-0x00000000084D7000-memory.dmp

Filesize
28KB

Download
memory/3464-27-0x00007FFCE59D0000-0x00007FFCE59E0000-memory.dmp

Filesize
64KB

Download
memory/3464-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/5052-1-0x00007FFCD7610000-0x00007FFCD7741000-memory.dmp

Filesize
1.2MB

Download
memory/5052-39-0x00007FFCD7610000-0x00007FFCD7741000-memory.dmp

Filesize
1.2MB

Download
memory/5052-3-0x0000026D06C20000-0x0000026D06C27000-memory.dmp

Filesize
28KB

Download