dridex | 57aebefa5e25857379598239bf44620b3cc86347e87215c1f2e08581f5af4d89

Analysis

max time kernel
150s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9b6b51144875ab0e2b29256a5de1483_JaffaCakes118.dll
Size

1.2MB
MD5

b9b6b51144875ab0e2b29256a5de1483
SHA1

fa894de7d15f6ea99a125c52fae5a468f51d27a4
SHA256

57aebefa5e25857379598239bf44620b3cc86347e87215c1f2e08581f5af4d89
SHA512

45696f27dbcf76f3656622b43e7c2dc1df5c69f9a4c28122d1a0cab4945a5842f8daac1855d0e143d631a096bec5fe630dc7211b225ede8657a5c61d4a471f63
SSDEEP

24576:KuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NhOO:S9cKrUqZWLAcU8O

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3536-4-0x0000000007DC0000-0x0000000007DC1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1624	MDMAppInstaller.exe
1540	mfpmp.exe
1112	dpapimig.exe

Loads dropped DLL 3 IoCs

pid	Process
1624	MDMAppInstaller.exe
1540	mfpmp.exe
1112	dpapimig.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ygssokoticw = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\LKVPIoXaG\\mfpmp.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MDMAppInstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4144	regsvr32.exe
4144	regsvr32.exe
4144	regsvr32.exe
4144	regsvr32.exe
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found
Token: SeShutdownPrivilege	3536	Process not Found
Token: SeCreatePagefilePrivilege	3536	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3536	Process not Found
3536	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3536	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 1264	3536	Process not Found	95
PID 3536 wrote to memory of 1264	3536	Process not Found	95
PID 3536 wrote to memory of 1624	3536	Process not Found	96
PID 3536 wrote to memory of 1624	3536	Process not Found	96
PID 3536 wrote to memory of 4428	3536	Process not Found	97
PID 3536 wrote to memory of 4428	3536	Process not Found	97
PID 3536 wrote to memory of 1540	3536	Process not Found	98
PID 3536 wrote to memory of 1540	3536	Process not Found	98
PID 3536 wrote to memory of 224	3536	Process not Found	99
PID 3536 wrote to memory of 224	3536	Process not Found	99
PID 3536 wrote to memory of 1112	3536	Process not Found	100
PID 3536 wrote to memory of 1112	3536	Process not Found	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b9b6b51144875ab0e2b29256a5de1483_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
1⤵
PID:1264

C:\Users\Admin\AppData\Local\wB87TEeLY\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\wB87TEeLY\MDMAppInstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1624

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:4428

C:\Users\Admin\AppData\Local\amF8WYdI\mfpmp.exe
C:\Users\Admin\AppData\Local\amF8WYdI\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1540

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:224

C:\Users\Admin\AppData\Local\ITbNV\dpapimig.exe
C:\Users\Admin\AppData\Local\ITbNV\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ITbNV\DUI70.dll

Filesize
1.5MB

MD5
986ee3b344ba7c2fb044ac424616c991

SHA1
01ee7935a9ac627468ca085f8d616eca2608236d

SHA256
51dddafe72e663b0ffcddef03a407299009bf8433ae54b395dffd039e6bbeb89

SHA512
799aa0877b07c85012e9abd683e35aefcb9a0b86f6ed3c05543b9dbceeb3ae296de11bb885cbefaeee7ff97c46c86770e012a35c76ec7594819775392171cb4c

Download Submit
C:\Users\Admin\AppData\Local\ITbNV\dpapimig.exe

Filesize
76KB

MD5
b6d6477a0c90a81624c6a8548026b4d0

SHA1
e6eac6941d27f76bbd306c2938c0a962dbf1ced1

SHA256
a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

SHA512
72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

Download Submit
C:\Users\Admin\AppData\Local\amF8WYdI\MFPlat.DLL

Filesize
1.2MB

MD5
34fefbd71f0bfa640fcdda2c90d869ee

SHA1
d2ee379b1f2cb65d597661ba47ff27d9e4e16882

SHA256
5eaf625927404fb8b7edb31286cc97dcac4191eb7cb0e763ee342d5c2978603b

SHA512
569ce6867003a35b8ee72a5c149d28f5cdc106bd2a0bf9824cea72b4861cd5858675b396d7ac7944a5a15626923027bc3a6dd7a5142d539befc4833afe1206ad

Download Submit
C:\Users\Admin\AppData\Local\amF8WYdI\mfpmp.exe

Filesize
46KB

MD5
8f8fd1988973bac0c5244431473b96a5

SHA1
ce81ea37260d7cafe27612606cf044921ad1304c

SHA256
27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

SHA512
a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

Download Submit
C:\Users\Admin\AppData\Local\wB87TEeLY\MDMAppInstaller.exe

Filesize
151KB

MD5
30e978cc6830b04f1e7ed285cccaa746

SHA1
e915147c17e113c676c635e2102bbff90fb7aa52

SHA256
dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

SHA512
331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

Download Submit
C:\Users\Admin\AppData\Local\wB87TEeLY\WTSAPI32.dll

Filesize
1.2MB

MD5
d829dca48e0e58ab59d2cccf68e3d204

SHA1
016ceb12203be6b648638f423fdb44caa334e234

SHA256
db668da82936c5e67d804cedda6d167694a87941df8e56c24d33bbf1537d2ef4

SHA512
a18ade583a374b3f0258d6e57691a9153af755aea4df41c49f7d96ca9dba4eeab4abcd741cbe58271c68f50ba394fea39a46a19f7086eefba623d4db2c89ced5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk

Filesize
1KB

MD5
0b1e7bc6c7f8fc49eb41c36978090688

SHA1
eb10847e5186cee362363c5d331aa8b3dbac9d30

SHA256
d0cf932865a27c595efff2c56226c469eae8dfb25dd7eb6c54cccb6b3b3547aa

SHA512
a70c42013ce16df8515c9820d8de88d55f1c59c09da64aea3760217aa4a94508279e7e1ce86fd343b3ab1f273b25c79754c25489e8d27557896ef9da11c4ba3b

Download Submit
memory/1112-80-0x00007FFDC4480000-0x00007FFDC45FD000-memory.dmp

Filesize
1.5MB

Download
memory/1112-85-0x00007FFDC4480000-0x00007FFDC45FD000-memory.dmp

Filesize
1.5MB

Download
memory/1540-66-0x000001D68FB70000-0x000001D68FB77000-memory.dmp

Filesize
28KB

Download
memory/1540-63-0x00007FFDC44C0000-0x00007FFDC45F9000-memory.dmp

Filesize
1.2MB

Download
memory/1540-69-0x00007FFDC44C0000-0x00007FFDC45F9000-memory.dmp

Filesize
1.2MB

Download
memory/1624-52-0x00007FFDC44C0000-0x00007FFDC45F8000-memory.dmp

Filesize
1.2MB

Download
memory/1624-49-0x000001CA56250000-0x000001CA56257000-memory.dmp

Filesize
28KB

Download
memory/1624-46-0x00007FFDC44C0000-0x00007FFDC45F8000-memory.dmp

Filesize
1.2MB

Download
memory/3536-33-0x00000000075F0000-0x00000000075F7000-memory.dmp

Filesize
28KB

Download
memory/3536-14-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3536-8-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3536-12-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3536-4-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/3536-10-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3536-25-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3536-11-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3536-13-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3536-9-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3536-16-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3536-18-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3536-6-0x00007FFDE1C3A000-0x00007FFDE1C3B000-memory.dmp

Filesize
4KB

Download
memory/3536-36-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3536-34-0x00007FFDE1CF0000-0x00007FFDE1D00000-memory.dmp

Filesize
64KB

Download
memory/3536-15-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3536-7-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4144-3-0x00000000020B0000-0x00000000020B7000-memory.dmp

Filesize
28KB

Download
memory/4144-39-0x00007FFDD37E0000-0x00007FFDD3917000-memory.dmp

Filesize
1.2MB

Download
memory/4144-0-0x00007FFDD37E0000-0x00007FFDD3917000-memory.dmp

Filesize
1.2MB

Download