dridex | f8dee334edc64c7632389ce96664ef1abdedd74e8aa1f499f08e238dd913dba4

Analysis

max time kernel
149s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd883d954444136909950a6421d4dd98_JaffaCakes118.dll
Size

1.2MB
MD5

bd883d954444136909950a6421d4dd98
SHA1

fbdc18ca772d8ddd7c2304e52ed35c2c98769d42
SHA256

f8dee334edc64c7632389ce96664ef1abdedd74e8aa1f499f08e238dd913dba4
SHA512

9adef86f3bc2f49ecae239cbd5f24ae5dbd7811ca8ba0cd6cf15cbe06d62ebc0e22719b5834fee5c0c7cf1f1b14add43c5ab4dd751040799d7f0ea1eb312d65d
SSDEEP

24576:rVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:rV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3580-4-0x0000000003430000-0x0000000003431000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msinfo32.exeUtilman.exeeudcedit.exe

pid	Process
3244	msinfo32.exe
4072	Utilman.exe
4116	eudcedit.exe

Loads dropped DLL 3 IoCs

Processes:

msinfo32.exeUtilman.exeeudcedit.exe

pid	Process
3244	msinfo32.exe
4072	Utilman.exe
4116	eudcedit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qgfqnr = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\13\\Utilman.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsinfo32.exeUtilman.exeeudcedit.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 3 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580
3580

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3580
Token: SeCreatePagefilePrivilege	3580
Token: SeShutdownPrivilege	3580
Token: SeCreatePagefilePrivilege	3580
Token: SeShutdownPrivilege	3580
Token: SeCreatePagefilePrivilege	3580
Token: SeShutdownPrivilege	3580
Token: SeCreatePagefilePrivilege	3580
Token: SeShutdownPrivilege	3580
Token: SeCreatePagefilePrivilege	3580
Token: SeShutdownPrivilege	3580
Token: SeCreatePagefilePrivilege	3580
Token: SeShutdownPrivilege	3580
Token: SeCreatePagefilePrivilege	3580
Token: SeShutdownPrivilege	3580
Token: SeCreatePagefilePrivilege	3580
Token: SeShutdownPrivilege	3580
Token: SeCreatePagefilePrivilege	3580
Token: SeShutdownPrivilege	3580
Token: SeCreatePagefilePrivilege	3580
Token: SeShutdownPrivilege	3580
Token: SeCreatePagefilePrivilege	3580
Token: SeShutdownPrivilege	3580
Token: SeCreatePagefilePrivilege	3580

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3580
3580

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3580

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3580 wrote to memory of 1300	3580	95
PID 3580 wrote to memory of 1300	3580	95
PID 3580 wrote to memory of 3244	3580	96
PID 3580 wrote to memory of 3244	3580	96
PID 3580 wrote to memory of 4920	3580	97
PID 3580 wrote to memory of 4920	3580	97
PID 3580 wrote to memory of 4072	3580	98
PID 3580 wrote to memory of 4072	3580	98
PID 3580 wrote to memory of 4984	3580	99
PID 3580 wrote to memory of 4984	3580	99
PID 3580 wrote to memory of 4116	3580	100
PID 3580 wrote to memory of 4116	3580	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bd883d954444136909950a6421d4dd98_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5080

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:1300

C:\Users\Admin\AppData\Local\iimMgs7\msinfo32.exe
C:\Users\Admin\AppData\Local\iimMgs7\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3244

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:4920

C:\Users\Admin\AppData\Local\70rg\Utilman.exe
C:\Users\Admin\AppData\Local\70rg\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4072

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:4984

C:\Users\Admin\AppData\Local\dt6hhaap\eudcedit.exe
C:\Users\Admin\AppData\Local\dt6hhaap\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\70rg\OLEACC.dll

Filesize
1.2MB

MD5
735829a8d0da59cddede4a00c0ae3204

SHA1
584d29c252f87549c35be3561c12cd2e9cf71690

SHA256
2b4250ab22f11da3566803fbb25c98ec10269dd277d18ecbe9455cdd07413e10

SHA512
0949e7929a0a49db44d5b0cab3656bf30dbb08df3fa0931fa396adedb8db8f9d83e1352c0703960c98a39d4bf8d1c0fb84766d09f65cc32e154768912f6d5825

Download Submit
C:\Users\Admin\AppData\Local\70rg\Utilman.exe

Filesize
123KB

MD5
a117edc0e74ab4770acf7f7e86e573f7

SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Download Submit
C:\Users\Admin\AppData\Local\dt6hhaap\MFC42u.dll

Filesize
1.3MB

MD5
a2213357e480b8d1a58395c9bdf753da

SHA1
efc7f62bf4ea454a86ff85ad7f9d9782ec36d654

SHA256
c433066ffa0bafd864f6c4f48f923d34113f6514a625bb3b971bae722f04722e

SHA512
a2b6b5aecccf8180fb6a85445703294ede8678787325817ed86f828b0fb7ddcc4ebd2a39df83790d81670ff25f06fb68b34d6288f3869f6d23f339beee78815b

Download Submit
C:\Users\Admin\AppData\Local\dt6hhaap\eudcedit.exe

Filesize
365KB

MD5
a9de6557179d371938fbe52511b551ce

SHA1
def460b4028788ded82dc55c36cb0df28599fd5f

SHA256
83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

SHA512
5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

Download Submit
C:\Users\Admin\AppData\Local\iimMgs7\SLC.dll

Filesize
1.2MB

MD5
f0790d82d25e0ed14fc86af3df6e6e9c

SHA1
01e35e91b1fb29364eb32f867dfcf1c08a1fb431

SHA256
ea22dc9fc83c1bb30310e0e1184fbbe3e0fa0d9f4a80b4ae0147b1c3184841b6

SHA512
ae0f631386b26cf6af3d383338c4eca9692ebe7b8c9779524eee372aac4b71c8f90aefae6fe8921d40ed3a4279594bdd61789f32e87742151a9032014697bff0

Download Submit
C:\Users\Admin\AppData\Local\iimMgs7\msinfo32.exe

Filesize
376KB

MD5
0aed91da63713bf9f881b03a604a1c9d

SHA1
b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

SHA256
5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

SHA512
04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mcinmsnhewplgza.lnk

Filesize
1KB

MD5
51601fdd0fc63bdb5be54f2a8e87f8db

SHA1
d8a5d9def7b48a4aac1ab149f2e06fbe2e219351

SHA256
93923736bd57fde9b6eb1eea93a14648724d5f5cad847277cf620c2efae0d3df

SHA512
08c11e147fa0d9fe13c5110c6b366d8a84c3ead9aafcf1522c3a19440fe3dd149eb72b7d5ac360b2d31c73024a5abba43fded5e730d4e5d9583250b97a0eeee0

Download Submit
memory/3244-52-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3244-47-0x000001F057970000-0x000001F057977000-memory.dmp

Filesize
28KB

Download
memory/3244-46-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3580-29-0x0000000003410000-0x0000000003417000-memory.dmp

Filesize
28KB

Download
memory/3580-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3580-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3580-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3580-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3580-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3580-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3580-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3580-5-0x00007FFEA12BA000-0x00007FFEA12BB000-memory.dmp

Filesize
4KB

Download
memory/3580-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3580-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3580-4-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/3580-36-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3580-30-0x00007FFEA3070000-0x00007FFEA3080000-memory.dmp

Filesize
64KB

Download
memory/3580-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3580-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4072-63-0x0000015145A10000-0x0000015145A17000-memory.dmp

Filesize
28KB

Download
memory/4072-69-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4116-80-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4116-83-0x0000020FF1C80000-0x0000020FF1C87000-memory.dmp

Filesize
28KB

Download
memory/4116-86-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/5080-3-0x000001A52F700000-0x000001A52F707000-memory.dmp

Filesize
28KB

Download
memory/5080-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/5080-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download