dridex | 20c896c17ea62e174e18810ced89c1f47df84f69e5f94cb5cf11692592c4b993

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bae550212bff99a8b207f64a7f1aee67_JaffaCakes118.dll
Size

1.2MB
MD5

bae550212bff99a8b207f64a7f1aee67
SHA1

987722c97138b18802e34c972e65331c5a77af4a
SHA256

20c896c17ea62e174e18810ced89c1f47df84f69e5f94cb5cf11692592c4b993
SHA512

009cc39535fe343b5c7288c8620d2cf6157b10c920c19f1c58a59ecf4061b339b934f2bd709d0c2d1f7425c6f69ed48b4dfb4e2b29da72843fb177b075df4659
SSDEEP

24576:HuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NJrE:p9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3476-4-0x0000000002430000-0x0000000002431000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpclip.exeApplySettingsTemplateCatalog.exeDxpserver.exe

pid	Process
1452	rdpclip.exe
4176	ApplySettingsTemplateCatalog.exe
3080	Dxpserver.exe

Loads dropped DLL 3 IoCs

Processes:

rdpclip.exeApplySettingsTemplateCatalog.exeDxpserver.exe

pid	Process
1452	rdpclip.exe
4176	ApplySettingsTemplateCatalog.exe
3080	Dxpserver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qebzqfuc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\S3TZUF~1\\APPLYS~1.EXE"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rdpclip.exeApplySettingsTemplateCatalog.exeDxpserver.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	Process
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
2244	regsvr32.exe
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3476

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3476 wrote to memory of 2416	3476	94
PID 3476 wrote to memory of 2416	3476	94
PID 3476 wrote to memory of 1452	3476	95
PID 3476 wrote to memory of 1452	3476	95
PID 3476 wrote to memory of 4012	3476	96
PID 3476 wrote to memory of 4012	3476	96
PID 3476 wrote to memory of 4176	3476	97
PID 3476 wrote to memory of 4176	3476	97
PID 3476 wrote to memory of 1716	3476	98
PID 3476 wrote to memory of 1716	3476	98
PID 3476 wrote to memory of 3080	3476	99
PID 3476 wrote to memory of 3080	3476	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bae550212bff99a8b207f64a7f1aee67_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:2416

C:\Users\Admin\AppData\Local\foE\rdpclip.exe
C:\Users\Admin\AppData\Local\foE\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1452

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:4012

C:\Users\Admin\AppData\Local\1x3Af\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\1x3Af\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4176

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:1716

C:\Users\Admin\AppData\Local\BxJMs\Dxpserver.exe
C:\Users\Admin\AppData\Local\BxJMs\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1x3Af\ACTIVEDS.dll

Filesize
1.2MB

MD5
78c34862da0abc1297f1a66a14c8bbce

SHA1
63607c9d3d5fbcff98c11981a9a16daccc4d81bf

SHA256
6cc97867b6bdd8492055de0feda0caf84bf87888fc80b35b70b78173fcf9b5cd

SHA512
c5db9037f6ef4f2ad5c343f4b48dc3edcf15ce63e3993f4f74e0f1b527448d80f8ac13068176c251d55d09e165018865cd051e6fc67d8ac2721f0c18d1ef8115

Download Submit
C:\Users\Admin\AppData\Local\1x3Af\ApplySettingsTemplateCatalog.exe

Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Local\BxJMs\Dxpserver.exe

Filesize
310KB

MD5
6344f1a7d50da5732c960e243c672165

SHA1
b6d0236f79d4f988640a8445a5647aff5b5410f7

SHA256
b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

SHA512
73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

Download Submit
C:\Users\Admin\AppData\Local\BxJMs\XmlLite.dll

Filesize
1.2MB

MD5
c8a8bd3d415e7092de61021a8788821f

SHA1
22675f995201f211fbef2000b2a6c44bbebebb86

SHA256
7020bb6723339cbe80683cd5859ab4751fad2700c57e16d128dc56f8fded418a

SHA512
43404c03195a9d5d0daddc8f81de73586c54d4bb44fbf05336b5179ba2e9363c5d3185474d1f3d2e9f26b613d5ca461e44cd559182141f13803ed39fba305915

Download Submit
C:\Users\Admin\AppData\Local\foE\WTSAPI32.dll

Filesize
1.2MB

MD5
f317a5f8d40522ba956f91b4209c709b

SHA1
347c5d001496e5ea9e49336c0f4529765274b96c

SHA256
5d64f82d98ab472bddeddfc9ee82e0d4d33b94a8f4c975ce6221c4741eaab4c0

SHA512
8ecaad1ec17996610fa5fdf588b3a902057145c04be47b42ae33a7be536e75c9cdf71d8f56eb8300b23f354ee045091e68a62fba3122468518b8cb336aa4b874

Download Submit
C:\Users\Admin\AppData\Local\foE\rdpclip.exe

Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk

Filesize
1KB

MD5
0136d571a970ec46d973097688fa933d

SHA1
c6fae1cc2aded8b74445cccccbf9d16ae650af59

SHA256
41118f27b98fbb20621cdb1aaa751523d7eb39342f106d66c6b2ce9d577e7ea6

SHA512
9cf72dac53c940eae22058e85e87cf6ae897cc89ded5daaf666da5219d73ce8382936c9e5fb1ef0cd728d595b67400e63ea552bd687b3299839d5d0508b0d66c

Download Submit
memory/1452-51-0x00007FFCD2310000-0x00007FFCD2447000-memory.dmp

Filesize
1.2MB

Download
memory/1452-45-0x00007FFCD2310000-0x00007FFCD2447000-memory.dmp

Filesize
1.2MB

Download
memory/1452-48-0x0000019C33A60000-0x0000019C33A67000-memory.dmp

Filesize
28KB

Download
memory/2244-0-0x0000000000FB0000-0x0000000000FB7000-memory.dmp

Filesize
28KB

Download
memory/2244-38-0x00007FFCE07D0000-0x00007FFCE0906000-memory.dmp

Filesize
1.2MB

Download
memory/2244-1-0x00007FFCE07D0000-0x00007FFCE0906000-memory.dmp

Filesize
1.2MB

Download
memory/3080-84-0x00007FFCD2310000-0x00007FFCD2447000-memory.dmp

Filesize
1.2MB

Download
memory/3476-29-0x00007FFCEF910000-0x00007FFCEF920000-memory.dmp

Filesize
64KB

Download
memory/3476-28-0x0000000002410000-0x0000000002417000-memory.dmp

Filesize
28KB

Download
memory/3476-8-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3476-7-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3476-10-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3476-11-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3476-13-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3476-15-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3476-16-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3476-9-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3476-35-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3476-24-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3476-4-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/3476-6-0x00007FFCEE0DA000-0x00007FFCEE0DB000-memory.dmp

Filesize
4KB

Download
memory/3476-14-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3476-12-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4176-68-0x00007FFCD2310000-0x00007FFCD2447000-memory.dmp

Filesize
1.2MB

Download
memory/4176-62-0x0000018C2AF40000-0x0000018C2AF47000-memory.dmp

Filesize
28KB

Download