dridex | fae74f1cdc0e33a7bef8b67415b052be1cccb05d1f420a1ca2e03a9928c02280

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8582e40b778541ea3445524e95735f2_JaffaCakes118.dll
Size

1.2MB
MD5

b8582e40b778541ea3445524e95735f2
SHA1

bc13cb980db1cac969ca37b8bdcf9dc7226940d5
SHA256

fae74f1cdc0e33a7bef8b67415b052be1cccb05d1f420a1ca2e03a9928c02280
SHA512

8a66492bad9431a5a928cce016d4639a011161fcd9caa35bc74cffce4dd1f73e2ed8b79cf0599128ebaa05f298bc88821751b63938d90059347dd1e4848a541a
SSDEEP

24576:DuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:t9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3504-4-0x0000000007CF0000-0x0000000007CF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2536	osk.exe
1532	tabcal.exe
4404	LockScreenContentServer.exe

Loads dropped DLL 3 IoCs

pid	Process
2536	osk.exe
1532	tabcal.exe
4404	LockScreenContentServer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qebzqfuc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-523280732-2327480845-3730041215-1000\\RqjRlSmu8\\tabcal.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LockScreenContentServer.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3240	regsvr32.exe
3240	regsvr32.exe
3240	regsvr32.exe
3240	regsvr32.exe
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3504	Process not Found
3504	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3504	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 4084	3504	Process not Found	97
PID 3504 wrote to memory of 4084	3504	Process not Found	97
PID 3504 wrote to memory of 2536	3504	Process not Found	98
PID 3504 wrote to memory of 2536	3504	Process not Found	98
PID 3504 wrote to memory of 4928	3504	Process not Found	99
PID 3504 wrote to memory of 4928	3504	Process not Found	99
PID 3504 wrote to memory of 1532	3504	Process not Found	100
PID 3504 wrote to memory of 1532	3504	Process not Found	100
PID 3504 wrote to memory of 4356	3504	Process not Found	101
PID 3504 wrote to memory of 4356	3504	Process not Found	101
PID 3504 wrote to memory of 4404	3504	Process not Found	102
PID 3504 wrote to memory of 4404	3504	Process not Found	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b8582e40b778541ea3445524e95735f2_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3240

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:4084

C:\Users\Admin\AppData\Local\8bqD\osk.exe
C:\Users\Admin\AppData\Local\8bqD\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2536

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:4928

C:\Users\Admin\AppData\Local\KHAg\tabcal.exe
C:\Users\Admin\AppData\Local\KHAg\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1532

C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\LockScreenContentServer.exe
1⤵
PID:4356

C:\Users\Admin\AppData\Local\AiiOQqo9\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\AiiOQqo9\LockScreenContentServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8bqD\dwmapi.dll

Filesize
1.2MB

MD5
5bfb703da6d5be43d368318f5805c8bc

SHA1
f3ce3e92e638598e2464e347d532ceafa302f2ab

SHA256
ce9c01354508cf7e2dfb6142c9e15160699aee0e6fe50df7c82407ea52a220ca

SHA512
3b07215a3f3ba83c438b1578290e97950463e4dc9dcc400433039aec349d0080f08fd2b2bc02275e39dfd333b6ac0ce1e73941f8f944eff6fa4d265b2080f764

Download Submit
C:\Users\Admin\AppData\Local\8bqD\osk.exe

Filesize
638KB

MD5
745f2df5beed97b8c751df83938cb418

SHA1
2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

SHA256
f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

SHA512
2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

Download Submit
C:\Users\Admin\AppData\Local\AiiOQqo9\LockScreenContentServer.exe

Filesize
47KB

MD5
a0b7513c98cf46ca2cea3a567fec137c

SHA1
2307fc8e3fc620ea3c2fdc6248ad4658479ba995

SHA256
cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

SHA512
3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

Download Submit
C:\Users\Admin\AppData\Local\AiiOQqo9\dwmapi.dll

Filesize
1.2MB

MD5
c70b638f3d64cdc75c79cd3218360c00

SHA1
ca0b262234197ea3648029b40325236cbaf02ff4

SHA256
cffc6ead7965c1e9c0a7d729bac55237da18a1b6459e79bcf241a8ede8a492c9

SHA512
07eadb6cf2a18af15104f0dedfe7aba0ebf57f8ba147e9a7a599709e87b1fefd0bbb8e18f6f564671ee07c2e08696b854e3a53041953eb3e49edde5d7e607490

Download Submit
C:\Users\Admin\AppData\Local\KHAg\HID.DLL

Filesize
1.2MB

MD5
bb500aa39495eceee52cb8f890afefc4

SHA1
db76a3b492fc49ec874d95338173026c01eff9ad

SHA256
98e714edb9c2469f2c897264fc4cad3e2aa475699c10c2616cdd380999b824bb

SHA512
61e01fd0454484c011cee1f71b890175ab99ed614de8ae0d77bc38088b242ef81ea964d7c7c3db49077b9ea0f503026cfeb5b85b479e00454617107a75e99b1b

Download Submit
C:\Users\Admin\AppData\Local\KHAg\tabcal.exe

Filesize
84KB

MD5
40f4014416ff0cbf92a9509f67a69754

SHA1
1798ff7324724a32c810e2075b11c09b41e4fede

SHA256
f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

SHA512
646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk

Filesize
1KB

MD5
03855c0b5fc98894fa216c05f2b731e1

SHA1
e40210aefa29d25338fa856186298f4e8ee464f8

SHA256
3488d1bbc0a07680c169956362b3e17e369b097dfeded5899961859d458efee1

SHA512
784003039934ece6b681785d17ee0ba9a2ed2cb36f011e05fd3e83023f591beed11d319e3fb0f2586ef6281cd50b6081666c17d6fb362293ae4bfa55e12ed0ca

Download Submit
memory/1532-68-0x00007FFB95080000-0x00007FFB951B7000-memory.dmp

Filesize
1.2MB

Download
memory/1532-63-0x00007FFB95080000-0x00007FFB951B7000-memory.dmp

Filesize
1.2MB

Download
memory/1532-62-0x0000028B77BF0000-0x0000028B77BF7000-memory.dmp

Filesize
28KB

Download
memory/2536-46-0x00007FFB94E30000-0x00007FFB94F67000-memory.dmp

Filesize
1.2MB

Download
memory/2536-51-0x00007FFB94E30000-0x00007FFB94F67000-memory.dmp

Filesize
1.2MB

Download
memory/2536-45-0x0000021A01760000-0x0000021A01767000-memory.dmp

Filesize
28KB

Download
memory/3240-38-0x00007FFBA3930000-0x00007FFBA3A66000-memory.dmp

Filesize
1.2MB

Download
memory/3240-3-0x0000000002E40000-0x0000000002E47000-memory.dmp

Filesize
28KB

Download
memory/3240-0-0x00007FFBA3930000-0x00007FFBA3A66000-memory.dmp

Filesize
1.2MB

Download
memory/3504-35-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3504-30-0x00007FFBB29B0000-0x00007FFBB29C0000-memory.dmp

Filesize
64KB

Download
memory/3504-9-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3504-10-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3504-11-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3504-13-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3504-15-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3504-16-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3504-29-0x0000000007CA0000-0x0000000007CA7000-memory.dmp

Filesize
28KB

Download
memory/3504-8-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3504-24-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3504-14-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3504-7-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3504-12-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3504-5-0x00007FFBB1B8A000-0x00007FFBB1B8B000-memory.dmp

Filesize
4KB

Download
memory/3504-4-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/4404-84-0x00007FFB94E30000-0x00007FFB94F67000-memory.dmp

Filesize
1.2MB

Download