dridex | e302306cb2efdb2aa9c986801e8e5b7f74a8ef7216020e69cb4048515109d09c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b67e1a99078ceeb5362a14bce73556dd_JaffaCakes118.dll
Size

1.2MB
MD5

b67e1a99078ceeb5362a14bce73556dd
SHA1

ee4555a24557d837ffd2dc0fa43179df48458700
SHA256

e302306cb2efdb2aa9c986801e8e5b7f74a8ef7216020e69cb4048515109d09c
SHA512

a7bb236f33933955dd4f274f9828bd1026b8a8ca94ebc40efec8ffcf2e3c3223c48416c212602c8aade8ec8eeedacce1cac8425908799cc7d3b539c2bdcda6ce
SSDEEP

24576:uuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:O9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3440-4-0x00000000014C0000-0x00000000014C1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DmNotificationBroker.exeLicensingUI.exeRdpSa.exe

pid	Process
4104	DmNotificationBroker.exe
1004	LicensingUI.exe
1816	RdpSa.exe

Loads dropped DLL 3 IoCs

Processes:

DmNotificationBroker.exeLicensingUI.exeRdpSa.exe

pid	Process
4104	DmNotificationBroker.exe
1004	LicensingUI.exe
1816	RdpSa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qebzqfuc = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\xA0EEAsZlF\\LicensingUI.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RdpSa.exerundll32.exeDmNotificationBroker.exeLicensingUI.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DmNotificationBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LicensingUI.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
1588	rundll32.exe
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3440
Token: SeCreatePagefilePrivilege	3440
Token: SeShutdownPrivilege	3440
Token: SeCreatePagefilePrivilege	3440
Token: SeShutdownPrivilege	3440
Token: SeCreatePagefilePrivilege	3440
Token: SeShutdownPrivilege	3440
Token: SeCreatePagefilePrivilege	3440
Token: SeShutdownPrivilege	3440
Token: SeCreatePagefilePrivilege	3440
Token: SeShutdownPrivilege	3440
Token: SeCreatePagefilePrivilege	3440

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3440

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3440 wrote to memory of 2744	3440	96
PID 3440 wrote to memory of 2744	3440	96
PID 3440 wrote to memory of 4104	3440	97
PID 3440 wrote to memory of 4104	3440	97
PID 3440 wrote to memory of 1240	3440	98
PID 3440 wrote to memory of 1240	3440	98
PID 3440 wrote to memory of 1004	3440	99
PID 3440 wrote to memory of 1004	3440	99
PID 3440 wrote to memory of 3348	3440	100
PID 3440 wrote to memory of 3348	3440	100
PID 3440 wrote to memory of 1816	3440	101
PID 3440 wrote to memory of 1816	3440	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b67e1a99078ceeb5362a14bce73556dd_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Windows\system32\DmNotificationBroker.exe
C:\Windows\system32\DmNotificationBroker.exe
1⤵
PID:2744

C:\Users\Admin\AppData\Local\jebr9MQt\DmNotificationBroker.exe
C:\Users\Admin\AppData\Local\jebr9MQt\DmNotificationBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4104

C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
1⤵
PID:1240

C:\Users\Admin\AppData\Local\SjIfB\LicensingUI.exe
C:\Users\Admin\AppData\Local\SjIfB\LicensingUI.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1004

C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
1⤵
PID:3348

C:\Users\Admin\AppData\Local\TaPxCM85\RdpSa.exe
C:\Users\Admin\AppData\Local\TaPxCM85\RdpSa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SjIfB\DUI70.dll

Filesize
1.4MB

MD5
b2659f18c603a26d374505edda901c85

SHA1
83e5775a02388a2614e4f4821bc63845912b9cb9

SHA256
c9b91aaec13d0b6be86566066eca2a5cdaa2014f3e5848c80ad57f00aa7cfc4c

SHA512
b8538d0f907e69d38a1217360e1f61c95afafd090615ceefd6861c8b33858fc270b294e4d3984f19a79edbb2f0adc3c33da00e838dc01716d166fe10de877462

Download Submit
C:\Users\Admin\AppData\Local\SjIfB\LicensingUI.exe

Filesize
142KB

MD5
8b4abc637473c79a003d30bb9c7a05e5

SHA1
d1cab953c16d4fdec2b53262f56ac14a914558ca

SHA256
0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

SHA512
5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

Download Submit
C:\Users\Admin\AppData\Local\TaPxCM85\RdpSa.exe

Filesize
56KB

MD5
5992f5b5d0b296b83877da15b54dd1b4

SHA1
0d87be8d4b7aeada4b55d1d05c0539df892f8f82

SHA256
32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

SHA512
4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

Download Submit
C:\Users\Admin\AppData\Local\TaPxCM85\WINSTA.dll

Filesize
1.2MB

MD5
5b37e0c24330c5f5e5148c2e3c69737d

SHA1
6d9ebc6c955ba81f276e5ab6f8fa9230516aec62

SHA256
7e6ad4a680cf174fc8ff21b33b95bb6b885282ef13ac6e0edba7816cfe4deea6

SHA512
64ebe27a7fdf0a25c95349270089aa3f610f3e937458b399e2e59aa8c3a7d0ba787168c8bef3b718b5633d2589c436958c289f7284c66c17a0ab0be801643b04

Download Submit
C:\Users\Admin\AppData\Local\jebr9MQt\DUI70.dll

Filesize
1.4MB

MD5
fd75e9723f20f653063893af15337fb7

SHA1
a73da4ae574fe1f0ca7d98a37479ce8788e66988

SHA256
f397d90cc924a560cb713dd1e1d56099bc80d7eb1d081d754ae416369ee3b1f0

SHA512
00f9c1845610dd8af5a6ae55051e7984d9207430bd69b98455d547b50c23bc5cf49b95e5e50151407df10bb49c1802b0c5741866cbc0d74769c32d9d618e2b47

Download Submit
C:\Users\Admin\AppData\Local\jebr9MQt\DmNotificationBroker.exe

Filesize
32KB

MD5
f0bdc20540d314a2aad951c7e2c88420

SHA1
4ab344595a4a81ab5f31ed96d72f217b4cee790b

SHA256
f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5

SHA512
cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk

Filesize
1KB

MD5
b812ced96db7bdede20a1732575a6079

SHA1
a8fb45e14ddf8012892b27ee9be3241985e73dbd

SHA256
65b051a39cb4e2ee5663cd01b30938700123c4a779885f3db0700969af0271a1

SHA512
04c0af1d801473f119c87d7a0e7f6d92fb1ccef423241b830ccc546bf98f94a696376ad632ec0e68b3cdeac29bbcefcfd24d00b0842edfaaf60a5ad8d9837df2

Download Submit
memory/1004-63-0x0000014A46C10000-0x0000014A46C17000-memory.dmp

Filesize
28KB

Download
memory/1004-69-0x00007FF9FB570000-0x00007FF9FB6E7000-memory.dmp

Filesize
1.5MB

Download
memory/1588-3-0x000001750C780000-0x000001750C787000-memory.dmp

Filesize
28KB

Download
memory/1588-1-0x00007FFA0A1E0000-0x00007FFA0A311000-memory.dmp

Filesize
1.2MB

Download
memory/1588-39-0x00007FFA0A1E0000-0x00007FFA0A311000-memory.dmp

Filesize
1.2MB

Download
memory/1816-83-0x0000027ACF7F0000-0x0000027ACF7F7000-memory.dmp

Filesize
28KB

Download
memory/1816-80-0x00007FF9FB5B0000-0x00007FF9FB6E3000-memory.dmp

Filesize
1.2MB

Download
memory/1816-86-0x00007FF9FB5B0000-0x00007FF9FB6E3000-memory.dmp

Filesize
1.2MB

Download
memory/3440-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-4-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/3440-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-19-0x0000000001470000-0x0000000001477000-memory.dmp

Filesize
28KB

Download
memory/3440-38-0x00007FFA18BF0000-0x00007FFA18C00000-memory.dmp

Filesize
64KB

Download
memory/3440-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-18-0x00007FFA17F5A000-0x00007FFA17F5B000-memory.dmp

Filesize
4KB

Download
memory/3440-26-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-35-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4104-52-0x00007FF9FB570000-0x00007FF9FB6E7000-memory.dmp

Filesize
1.5MB

Download
memory/4104-47-0x00007FF9FB570000-0x00007FF9FB6E7000-memory.dmp

Filesize
1.5MB

Download
memory/4104-46-0x000001E8CDB50000-0x000001E8CDB57000-memory.dmp

Filesize
28KB

Download