dridex | 1420e1c8cabda4b1e776f53d3da09b518192642228c48f781ef4db55e8da11e3

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4ef573d73853151ed754c832c6b07d0_JaffaCakes118.dll
Size

1.2MB
MD5

b4ef573d73853151ed754c832c6b07d0
SHA1

5004eb22738a95e3b67020f946e585c73fc47d89
SHA256

1420e1c8cabda4b1e776f53d3da09b518192642228c48f781ef4db55e8da11e3
SHA512

b82eea4718ce1cb783f7bdcf29a3cf9bc1eeaf53624efedd0ec368588f13e473d33dcd697274a89e0201d55cbb277f97da246e3be29087351d73cbe027f0933a
SSDEEP

24576:tuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:n9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3420-4-0x0000000002440000-0x0000000002441000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3204	cmstp.exe
1144	tcmsetup.exe
4536	DisplaySwitch.exe

Loads dropped DLL 3 IoCs

pid	Process
3204	cmstp.exe
1144	tcmsetup.exe
4536	DisplaySwitch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qebzqfuc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\DOCUME~1\\ld7J9cX\\tcmsetup.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1420	rundll32.exe
1420	rundll32.exe
1420	rundll32.exe
1420	rundll32.exe
1420	rundll32.exe
1420	rundll32.exe
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found
3420	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3420	Process not Found
Token: SeCreatePagefilePrivilege	3420	Process not Found
Token: SeShutdownPrivilege	3420	Process not Found
Token: SeCreatePagefilePrivilege	3420	Process not Found
Token: SeShutdownPrivilege	3420	Process not Found
Token: SeCreatePagefilePrivilege	3420	Process not Found
Token: SeShutdownPrivilege	3420	Process not Found
Token: SeCreatePagefilePrivilege	3420	Process not Found
Token: SeShutdownPrivilege	3420	Process not Found
Token: SeCreatePagefilePrivilege	3420	Process not Found
Token: SeShutdownPrivilege	3420	Process not Found
Token: SeCreatePagefilePrivilege	3420	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3420	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 3240	3420	Process not Found	96
PID 3420 wrote to memory of 3240	3420	Process not Found	96
PID 3420 wrote to memory of 3204	3420	Process not Found	97
PID 3420 wrote to memory of 3204	3420	Process not Found	97
PID 3420 wrote to memory of 3272	3420	Process not Found	98
PID 3420 wrote to memory of 3272	3420	Process not Found	98
PID 3420 wrote to memory of 1144	3420	Process not Found	99
PID 3420 wrote to memory of 1144	3420	Process not Found	99
PID 3420 wrote to memory of 1288	3420	Process not Found	100
PID 3420 wrote to memory of 1288	3420	Process not Found	100
PID 3420 wrote to memory of 4536	3420	Process not Found	101
PID 3420 wrote to memory of 4536	3420	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4ef573d73853151ed754c832c6b07d0_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:3240

C:\Users\Admin\AppData\Local\Nmg63cB\cmstp.exe
C:\Users\Admin\AppData\Local\Nmg63cB\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3204

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:3272

C:\Users\Admin\AppData\Local\77rwScgv\tcmsetup.exe
C:\Users\Admin\AppData\Local\77rwScgv\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1144

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:1288

C:\Users\Admin\AppData\Local\Zp5\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\Zp5\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\77rwScgv\TAPI32.dll

Filesize
1.2MB

MD5
e3eeba8f987889eede98ef75d51ed694

SHA1
ed777c9580d0013adc2dc36273f0dbe0682b891b

SHA256
99eafb97adff82826b0124710396f7f1133f757a60637034bdbc8bbb3886652f

SHA512
7c2aa2594e314dfe37842fe264d6b283949214db6fd884c7bd872564dce51db08b2bbe56d2e29ddd9dfb52a2115e412680011d94650edeff24a4fc50077c79ba

Download Submit
C:\Users\Admin\AppData\Local\77rwScgv\tcmsetup.exe

Filesize
16KB

MD5
58f3b915b9ae7d63431772c2616b0945

SHA1
6346e837da3b0f551becb7cac6d160e3063696e9

SHA256
e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

SHA512
7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

Download Submit
C:\Users\Admin\AppData\Local\Nmg63cB\VERSION.dll

Filesize
1.2MB

MD5
b9ca5320128b3ddd51c5b270c29bfb8b

SHA1
dd547e11991ceb5421f7e308b000ef124c6f6591

SHA256
9eff9ba2a59e4dfe03d31bead5c6d577052aafa2f1a450100b836c6acddcec3c

SHA512
dd6b8e40dd7ef1ab5486dd0aeeebf1bc1dd45eb14f387e93472095f5cb01770284af866b74949f6072a0e018d1d2fde20c4e3ff26dc2014b8385bc8838308e35

Download Submit
C:\Users\Admin\AppData\Local\Nmg63cB\cmstp.exe

Filesize
96KB

MD5
4cc43fe4d397ff79fa69f397e016df52

SHA1
8fd6cf81ad40c9b123cd75611860a8b95c72869c

SHA256
f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

SHA512
851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

Download Submit
C:\Users\Admin\AppData\Local\Zp5\DisplaySwitch.exe

Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Local\Zp5\dwmapi.dll

Filesize
1.2MB

MD5
24965386162e571ae8f9e27eab1defc7

SHA1
c602772aa36ff4342a07a67de25e4ca4feaacdcf

SHA256
95eecff83cdb5e92fb6149355a8ef5d389f1afa8ffed29dbbd8b7b06bc084a69

SHA512
105d25c4fca2ffb3552578879db1c8eb33cbe0b6a92a14d475a4291dd23699ee27e89a879e290d94efaea5a0e1400eb2d9223807eb9fc94ecb0d5b98a544b59e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk

Filesize
1KB

MD5
629fc5668dbcd7384f12c7f6a0ff40ea

SHA1
33552e2c9fce26e1b2ab1fb3512116f36591e5fb

SHA256
190a8f3d23684e954fe9430da795d67fd37cc044ecc06e3310ebbd32f26b71ba

SHA512
7710bf70631c3fada91a32d1f474fd7fbd95e3a107826dc166fc6dc0efb842c58d959c6763290d32f06e7bbc6537cbb5f7575d616695973e8782237bfc56c7d3

Download Submit
memory/1144-69-0x00007FF9F00F0000-0x00007FF9F0223000-memory.dmp

Filesize
1.2MB

Download
memory/1144-64-0x00007FF9F00F0000-0x00007FF9F0223000-memory.dmp

Filesize
1.2MB

Download
memory/1144-63-0x000001CFC68A0000-0x000001CFC68A7000-memory.dmp

Filesize
28KB

Download
memory/1420-39-0x00007FF9FEB80000-0x00007FF9FECB1000-memory.dmp

Filesize
1.2MB

Download
memory/1420-0-0x0000015274680000-0x0000015274687000-memory.dmp

Filesize
28KB

Download
memory/1420-1-0x00007FF9FEB80000-0x00007FF9FECB1000-memory.dmp

Filesize
1.2MB

Download
memory/3204-52-0x00007FF9F00F0000-0x00007FF9F0222000-memory.dmp

Filesize
1.2MB

Download
memory/3204-49-0x000001ED96650000-0x000001ED96657000-memory.dmp

Filesize
28KB

Download
memory/3204-46-0x00007FF9F00F0000-0x00007FF9F0222000-memory.dmp

Filesize
1.2MB

Download
memory/3420-29-0x00000000008F0000-0x00000000008F7000-memory.dmp

Filesize
28KB

Download
memory/3420-18-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-30-0x00007FFA0D7B0000-0x00007FFA0D7C0000-memory.dmp

Filesize
64KB

Download
memory/3420-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3420-5-0x00007FFA0D68A000-0x00007FFA0D68B000-memory.dmp

Filesize
4KB

Download
memory/3420-4-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4536-80-0x00007FF9EF720000-0x00007FF9EF852000-memory.dmp

Filesize
1.2MB

Download
memory/4536-86-0x00007FF9EF720000-0x00007FF9EF852000-memory.dmp

Filesize
1.2MB

Download
memory/4536-83-0x000002687BF20000-0x000002687BF27000-memory.dmp

Filesize
28KB

Download