dridex | 2fae4980756d9703b8adb56e7b874137e38a2a19d94874286517d7c753e0e3b3

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b42d93e77b5c62799de6e15c87e5aa0a_JaffaCakes118.dll
Size

1.2MB
MD5

b42d93e77b5c62799de6e15c87e5aa0a
SHA1

00254ec7a4aea06c5836d06de5f395c03e8df426
SHA256

2fae4980756d9703b8adb56e7b874137e38a2a19d94874286517d7c753e0e3b3
SHA512

49dd41fbaf5f2107b041a8811a4ddd05d5e5ff6b52b4066c69b909cb2c7ccbb002057db58eeb2a0f34391cc7415963917b45b425510d3dfb2f0bd8350ecb21fe
SSDEEP

24576:0uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NF:s9cKrUqZWLAcUd

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3480-4-0x0000000002CE0000-0x0000000002CE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1360	dccw.exe
2380	SystemPropertiesPerformance.exe
4792	raserver.exe

Loads dropped DLL 3 IoCs

pid	Process
1360	dccw.exe
2380	SystemPropertiesPerformance.exe
4792	raserver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isybexcquevfui = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\Wc3\\SystemPropertiesPerformance.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4596	rundll32.exe
4596	rundll32.exe
4596	rundll32.exe
4596	rundll32.exe
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found
3480	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found
Token: SeShutdownPrivilege	3480	Process not Found
Token: SeCreatePagefilePrivilege	3480	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3480	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4296	3480	Process not Found	94
PID 3480 wrote to memory of 4296	3480	Process not Found	94
PID 3480 wrote to memory of 1360	3480	Process not Found	95
PID 3480 wrote to memory of 1360	3480	Process not Found	95
PID 3480 wrote to memory of 3260	3480	Process not Found	96
PID 3480 wrote to memory of 3260	3480	Process not Found	96
PID 3480 wrote to memory of 2380	3480	Process not Found	97
PID 3480 wrote to memory of 2380	3480	Process not Found	97
PID 3480 wrote to memory of 1396	3480	Process not Found	98
PID 3480 wrote to memory of 1396	3480	Process not Found	98
PID 3480 wrote to memory of 4792	3480	Process not Found	99
PID 3480 wrote to memory of 4792	3480	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b42d93e77b5c62799de6e15c87e5aa0a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4596

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:4296

C:\Users\Admin\AppData\Local\5tHcC\dccw.exe
C:\Users\Admin\AppData\Local\5tHcC\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1360

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:3260

C:\Users\Admin\AppData\Local\HqGC5\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\HqGC5\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2380

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:1396

C:\Users\Admin\AppData\Local\wj3Sg1f\raserver.exe
C:\Users\Admin\AppData\Local\wj3Sg1f\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5tHcC\dccw.exe

Filesize
101KB

MD5
cb9374911bf5237179785c739a322c0f

SHA1
3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

SHA256
f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

SHA512
9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

Download Submit
C:\Users\Admin\AppData\Local\5tHcC\dxva2.dll

Filesize
1.2MB

MD5
dea0ae0ac3f670e03af4f54ef919e779

SHA1
69dc667f8c58cafdb5f65df0feae41ccb0a0c5ee

SHA256
6288857cc358a93cb9a183b4f54621e4556e63b7cc052478bfb1cefe12807423

SHA512
c04beab43fea826744beebac59091856550f07f1e73ce58b318dce79d306266de0ac6164d9659792ca14da9c942cd7eaa3c6e2ab9d6b3a529a49e1a592904812

Download Submit
C:\Users\Admin\AppData\Local\HqGC5\SYSDM.CPL

Filesize
1.2MB

MD5
b49b70db3f609ca701f1c4dc347299ee

SHA1
07cae3dd0868eee68f7fc6a1e440d79f402918d6

SHA256
de5aa3348bdebfed4a48ff4c5391e2aad77b72912a5457e34ef6e9a77594d8ba

SHA512
095cbfe7b8c4916d69c027d833fe3e57ea9e55e7aebc336a301a4b1d46be29ba4c342cd3c5468f3052539cacc941f13cc681199abd5a1a0bc7b12b6483181c63

Download Submit
C:\Users\Admin\AppData\Local\HqGC5\SystemPropertiesPerformance.exe

Filesize
82KB

MD5
e4fbf7cab8669c7c9cef92205d2f2ffc

SHA1
adbfa782b7998720fa85678cc85863b961975e28

SHA256
b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

SHA512
c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

Download Submit
C:\Users\Admin\AppData\Local\wj3Sg1f\WTSAPI32.dll

Filesize
1.2MB

MD5
b16209efcd160eb0afe568ce9d19f34d

SHA1
2087c4c43742d05804fc5e5bf7067614b1282ae3

SHA256
0b26848998a5ab24b6b11e9f38cf05d22bf2c4b78e0e85dc42a0f6db3dadece7

SHA512
f4748fa5cfe1fa7b67d0153bc95690826c4e1646c41efb53ca3a2e4bc550549686109e88f67040f3a50919275c3e5690452e67a29f9ef4047c0361482685aa3e

Download Submit
C:\Users\Admin\AppData\Local\wj3Sg1f\raserver.exe

Filesize
132KB

MD5
d1841c6ee4ea45794ced131d4b68b60e

SHA1
4be6d2116060d7c723ac2d0b5504efe23198ea01

SHA256
38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

SHA512
d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wyfsbgf.lnk

Filesize
1KB

MD5
da68291a2e2c375fb25c75ada758ca71

SHA1
084f0a12e992a38d23990de0636414057424668e

SHA256
2aae895626ce802173f75b8e55b0c176eee533ea7fb351163fe5e705b6b22e3d

SHA512
70ee40181e07c6c88b17f35621027f9a8a874e26056a36c178a526d41425f40e05b1c720c11fdcb4a172945ecfe48e9ac065713f79ab2ad4040a6214000c0464

Download Submit
memory/1360-52-0x00007FFBC5440000-0x00007FFBC5572000-memory.dmp

Filesize
1.2MB

Download
memory/1360-47-0x00007FFBC5440000-0x00007FFBC5572000-memory.dmp

Filesize
1.2MB

Download
memory/1360-46-0x00000270AA5D0000-0x00000270AA5D7000-memory.dmp

Filesize
28KB

Download
memory/2380-69-0x00007FFBC5440000-0x00007FFBC5572000-memory.dmp

Filesize
1.2MB

Download
memory/2380-63-0x0000019E6C8D0000-0x0000019E6C8D7000-memory.dmp

Filesize
28KB

Download
memory/3480-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3480-29-0x0000000000CC0000-0x0000000000CC7000-memory.dmp

Filesize
28KB

Download
memory/3480-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3480-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3480-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3480-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3480-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3480-4-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/3480-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3480-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3480-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3480-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3480-6-0x00007FFBE0C9A000-0x00007FFBE0C9B000-memory.dmp

Filesize
4KB

Download
memory/3480-30-0x00007FFBE2BD0000-0x00007FFBE2BE0000-memory.dmp

Filesize
64KB

Download
memory/3480-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3480-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3480-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4596-0-0x00000216ACC50000-0x00000216ACC57000-memory.dmp

Filesize
28KB

Download
memory/4596-39-0x00007FFBD4400000-0x00007FFBD4531000-memory.dmp

Filesize
1.2MB

Download
memory/4596-1-0x00007FFBD4400000-0x00007FFBD4531000-memory.dmp

Filesize
1.2MB

Download
memory/4792-83-0x0000020D0E090000-0x0000020D0E097000-memory.dmp

Filesize
28KB

Download
memory/4792-86-0x00007FFBC5440000-0x00007FFBC5572000-memory.dmp

Filesize
1.2MB

Download