dridex | 0a5a9a825cdb713862e4db1eeea33b8847e231cc54197c9b4b7b958c70e9c253

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b612fd6158326f6573d2c195218b4187_JaffaCakes118.dll
Size

1.2MB
MD5

b612fd6158326f6573d2c195218b4187
SHA1

8a784d8434dc4ee8a185038e55beeae77169be6e
SHA256

0a5a9a825cdb713862e4db1eeea33b8847e231cc54197c9b4b7b958c70e9c253
SHA512

41fa451ca8ff1d805fa5407174fa0e59a6468017a91a3f2b2a0db6b84cbd26573bbce4788ead48c3fc41e40313886c2ef2237a6e99a9f41b710cf344ba1cb47a
SSDEEP

24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3420-4-0x0000000007F20000-0x0000000007F21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ApplySettingsTemplateCatalog.exeWFS.exeLockScreenContentServer.exe

pid	Process
2832	ApplySettingsTemplateCatalog.exe
1600	WFS.exe
1196	LockScreenContentServer.exe

Loads dropped DLL 3 IoCs

Processes:

ApplySettingsTemplateCatalog.exeWFS.exeLockScreenContentServer.exe

pid	Process
2832	ApplySettingsTemplateCatalog.exe
1600	WFS.exe
1196	LockScreenContentServer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Veuhujsfce = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\sBiXz4FnO3Y\\WFS.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeApplySettingsTemplateCatalog.exeWFS.exeLockScreenContentServer.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LockScreenContentServer.exe

Modifies registry class 1 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1468	rundll32.exe
1468	rundll32.exe
1468	rundll32.exe
1468	rundll32.exe
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420
3420

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420
Token: SeShutdownPrivilege	3420
Token: SeCreatePagefilePrivilege	3420

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3420
3420

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3420

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3420 wrote to memory of 5104	3420	95
PID 3420 wrote to memory of 5104	3420	95
PID 3420 wrote to memory of 2832	3420	96
PID 3420 wrote to memory of 2832	3420	96
PID 3420 wrote to memory of 4480	3420	97
PID 3420 wrote to memory of 4480	3420	97
PID 3420 wrote to memory of 1600	3420	98
PID 3420 wrote to memory of 1600	3420	98
PID 3420 wrote to memory of 232	3420	99
PID 3420 wrote to memory of 232	3420	99
PID 3420 wrote to memory of 1196	3420	100
PID 3420 wrote to memory of 1196	3420	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b612fd6158326f6573d2c195218b4187_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:5104

C:\Users\Admin\AppData\Local\KYVuYR\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\KYVuYR\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2832

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:4480

C:\Users\Admin\AppData\Local\MXO\WFS.exe
C:\Users\Admin\AppData\Local\MXO\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1600

C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\LockScreenContentServer.exe
1⤵
PID:232

C:\Users\Admin\AppData\Local\9Dm\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\9Dm\LockScreenContentServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9Dm\DUser.dll

Filesize
1.2MB

MD5
69b1b3f93111cd3d442f8cfd70f11fdd

SHA1
8f1fc3b174507fd3b7d17d953003744e3f59406e

SHA256
6feb0ad8be27dafc2976361b1155a5a31ad234871de4901e0180b237b779084f

SHA512
81f8a75507717459f6950a95124f30ae0834ff47ae1640c7264a64a104f51b0f4a7d1e3c489f133475fdc8df2b38557df4fa6acd2fae33221b770a85efd11eda

Download Submit
C:\Users\Admin\AppData\Local\9Dm\LockScreenContentServer.exe

Filesize
47KB

MD5
a0b7513c98cf46ca2cea3a567fec137c

SHA1
2307fc8e3fc620ea3c2fdc6248ad4658479ba995

SHA256
cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

SHA512
3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

Download Submit
C:\Users\Admin\AppData\Local\KYVuYR\ACTIVEDS.dll

Filesize
1.2MB

MD5
c99312cd870da4a46aebe448d0d5f64a

SHA1
a4b54ec8ebdefc22b330e5e0233457bbf89e7263

SHA256
6c2673fd1b97347f83dfbb9c27f7c1ab760d94e0e32dfd1bd430b00a2430a126

SHA512
4a5ecfbce45e4e2d073e9fb57b2aacf75b9f47b546979056e4c25d7962e8ea1f58f6c570e75464be7e2a607812b0687a1f769b6b75db46b9c89cd569efcf650f

Download Submit
C:\Users\Admin\AppData\Local\KYVuYR\ApplySettingsTemplateCatalog.exe

Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Local\MXO\WFS.exe

Filesize
944KB

MD5
3cbc8d0f65e3db6c76c119ed7c2ffd85

SHA1
e74f794d86196e3bbb852522479946cceeed7e01

SHA256
e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

SHA512
26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

Download Submit
C:\Users\Admin\AppData\Local\MXO\credui.dll

Filesize
1.2MB

MD5
0a30e11a2d1e1594944f0b9423ced769

SHA1
99c34c3402861a27d79bbc902415d02f432eac45

SHA256
eb3c17e2e29b48052403adfa3ae6198a0894f2a38ee19246b308478014569f73

SHA512
28f6abed6280c4f039c653b7db497e5f4ae779ce97c1f580822015112417dc9f9c978471343fdab4ac95c5a7dcaafdbdfcf1c71504288cd458e1dcbe270ae9ef

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piobvoh.lnk

Filesize
1KB

MD5
c1f3f533ca454d706db68f3e6244b78d

SHA1
1f1acb819433fe66f58807b49ba310457ef51e16

SHA256
6315bdae254ca4bee5a8c110787ba41d9d387c6664962cd80705abd0a5aff056

SHA512
a3aed715cfa736c2a3c4a3d858334bc11753b41a43ce8825a5791912bd1e1e6c6f4c63995506fb86dd78fdb0af22458cd2131027f5807c46c2e68a1d89525b75

Download Submit
memory/1196-80-0x00007FFCA1210000-0x00007FFCA1342000-memory.dmp

Filesize
1.2MB

Download
memory/1196-79-0x000001A9BE660000-0x000001A9BE667000-memory.dmp

Filesize
28KB

Download
memory/1196-85-0x00007FFCA1210000-0x00007FFCA1342000-memory.dmp

Filesize
1.2MB

Download
memory/1468-3-0x0000023987490000-0x0000023987497000-memory.dmp

Filesize
28KB

Download
memory/1468-38-0x00007FFCAFC90000-0x00007FFCAFDC0000-memory.dmp

Filesize
1.2MB

Download
memory/1468-0-0x00007FFCAFC90000-0x00007FFCAFDC0000-memory.dmp

Filesize
1.2MB

Download
memory/1600-68-0x00007FFCAF6A0000-0x00007FFCAF7D1000-memory.dmp

Filesize
1.2MB

Download
memory/1600-62-0x000001BCC1570000-0x000001BCC1577000-memory.dmp

Filesize
28KB

Download
memory/2832-51-0x00007FFCAF6A0000-0x00007FFCAF7D1000-memory.dmp

Filesize
1.2MB

Download
memory/2832-45-0x00007FFCAF6A0000-0x00007FFCAF7D1000-memory.dmp

Filesize
1.2MB

Download
memory/2832-48-0x0000022B181A0000-0x0000022B181A7000-memory.dmp

Filesize
28KB

Download
memory/3420-30-0x00007FFCBEF10000-0x00007FFCBEF20000-memory.dmp

Filesize
64KB

Download
memory/3420-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-29-0x0000000007CF0000-0x0000000007CF7000-memory.dmp

Filesize
28KB

Download
memory/3420-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3420-6-0x00007FFCBD1AA000-0x00007FFCBD1AB000-memory.dmp

Filesize
4KB

Download
memory/3420-4-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download