dridex | 0f1c282e13dfd7aa0eabd5cf404e21768d5e9c703ae18a4c919576e675a45f0e

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbd4e284b00e85697e11b7d15c813adc_JaffaCakes118.dll
Size

1.2MB
MD5

bbd4e284b00e85697e11b7d15c813adc
SHA1

54cdb498f7e6cc601dced0637ffd830fc53820d2
SHA256

0f1c282e13dfd7aa0eabd5cf404e21768d5e9c703ae18a4c919576e675a45f0e
SHA512

40aa178bb1df2ec6e71323d67baa34b57887325391f5580b6e1ba2f5ead0a450e08f7802777967d41ddba114761cef900cb5b88654db04cc346e4be867da8c9f
SSDEEP

24576:7uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:l9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3464-4-0x0000000007BD0000-0x0000000007BD1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DevicePairingWizard.exeDevicePairingWizard.exesppsvc.exe

pid	Process
5040	DevicePairingWizard.exe
2188	DevicePairingWizard.exe
2320	sppsvc.exe

Loads dropped DLL 3 IoCs

Processes:

DevicePairingWizard.exeDevicePairingWizard.exesppsvc.exe

pid	Process
5040	DevicePairingWizard.exe
2188	DevicePairingWizard.exe
2320	sppsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Veuhujsfce = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\ASlXSY3u\\DevicePairingWizard.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeDevicePairingWizard.exeDevicePairingWizard.exesppsvc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
3488	rundll32.exe
3488	rundll32.exe
3488	rundll32.exe
3488	rundll32.exe
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3464
3464

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3464

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

description	pid	procid_target
PID 3464 wrote to memory of 4872	3464	95
PID 3464 wrote to memory of 4872	3464	95
PID 3464 wrote to memory of 5040	3464	96
PID 3464 wrote to memory of 5040	3464	96
PID 3464 wrote to memory of 3600	3464	97
PID 3464 wrote to memory of 3600	3464	97
PID 3464 wrote to memory of 2188	3464	98
PID 3464 wrote to memory of 2188	3464	98
PID 3464 wrote to memory of 2320	3464	100
PID 3464 wrote to memory of 2320	3464	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbd4e284b00e85697e11b7d15c813adc_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3488

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:4872

C:\Users\Admin\AppData\Local\SH8r\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\SH8r\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5040

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:3600

C:\Users\Admin\AppData\Local\cuU\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\cuU\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2188

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:4508

C:\Users\Admin\AppData\Local\fE1nu9\sppsvc.exe
C:\Users\Admin\AppData\Local\fE1nu9\sppsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SH8r\DevicePairingWizard.exe

Filesize
93KB

MD5
d0e40a5a0c7dad2d6e5040d7fbc37533

SHA1
b0eabbd37a97a1abcd90bd56394f5c45585699eb

SHA256
2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

SHA512
1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

Download Submit
C:\Users\Admin\AppData\Local\SH8r\MFC42u.dll

Filesize
1.2MB

MD5
42aae454faefeec0e086c22e5bbed1f0

SHA1
b2b47a332a0a0d45d940f7c7bb63ccf9102b8d6f

SHA256
2f91813bf006d9205ae8456e01d40365351109cf591b8a5e03d35a78a668c444

SHA512
126e4cca2dd24b105f1c0d28574604bd02e9f29794ba3f66f3fc1c120b22f7c0ee2de078e44edd6e00468e22584361463e6cb24a3b8c60846361ac48247cde25

Download Submit
C:\Users\Admin\AppData\Local\cuU\MFC42u.dll

Filesize
1.2MB

MD5
0f8c9ab800a66139292f1009ab321e26

SHA1
80e7fe06ff841b294748dc1bf0ffa22b226f292d

SHA256
a4d1ee84cbd8a339a951e207c62d557d54428a1c0abacb937993bba6bd26cd28

SHA512
61ca718c0911d94292ab0526aa19e3336e3a0f3a31fd4039c91554f4637c9324d17a9439f70b68ae9fd0d4d80b3d6ab3f3bee95a6028ff83d50bbf3874ae173f

Download Submit
C:\Users\Admin\AppData\Local\fE1nu9\XmlLite.dll

Filesize
1.2MB

MD5
165221e015cd23aea7277e9ae6a0b4c2

SHA1
3dbd0a3c58c536d14b8ba4d94054e37a1371eda8

SHA256
c1665eca222bdef6df067fcb87a76723be918344eb436c19d68c16c199b4645e

SHA512
dd7ab6ced1eae781a3be9351ea199e8c42bfa4502461d631d15c498827f757246e4a787e2fda15a27313772583beb77b2b3dca872e75a1c9abe807ca501ac8b0

Download Submit
C:\Users\Admin\AppData\Local\fE1nu9\sppsvc.exe

Filesize
4.4MB

MD5
ec6cef0a81f167668e18fa32f1606fce

SHA1
6d56837a388ae5573a38a439cee16e6dde5b4de8

SHA256
82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8

SHA512
f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piobvoh.lnk

Filesize
1KB

MD5
c840abc3a2ac22db69f6b4557f5c28ff

SHA1
b3ea9ab4d044e2f13ec3a53b4c45f1de444e0d15

SHA256
fad2939786a4606f741798eb95c687cfb99b7f616ecd76acadd913d7d093a0b4

SHA512
74766a7f9cebe3faed11c749ed6ff530b289798701a690862e598a27ef93a6e960da8e002eafab1311ac68db249883adbbac4b142a601438f0f3eb5ef1e63ab0

Download Submit
memory/2188-68-0x00007FF81FD80000-0x00007FF81FEB8000-memory.dmp

Filesize
1.2MB

Download
memory/2188-62-0x0000022726DA0000-0x0000022726DA7000-memory.dmp

Filesize
28KB

Download
memory/2320-85-0x00007FF81FD80000-0x00007FF81FEB2000-memory.dmp

Filesize
1.2MB

Download
memory/2320-82-0x00000163BAA40000-0x00000163BAA47000-memory.dmp

Filesize
28KB

Download
memory/2320-79-0x00007FF81FD80000-0x00007FF81FEB2000-memory.dmp

Filesize
1.2MB

Download
memory/3464-35-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-6-0x00007FF83B83A000-0x00007FF83B83B000-memory.dmp

Filesize
4KB

Download
memory/3464-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-4-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/3464-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-33-0x00007FF83D610000-0x00007FF83D620000-memory.dmp

Filesize
64KB

Download
memory/3464-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-32-0x0000000007AE0000-0x0000000007AE7000-memory.dmp

Filesize
28KB

Download
memory/3488-0-0x000002A4F3130000-0x000002A4F3137000-memory.dmp

Filesize
28KB

Download
memory/3488-38-0x00007FF82E880000-0x00007FF82E9B1000-memory.dmp

Filesize
1.2MB

Download
memory/3488-1-0x00007FF82E880000-0x00007FF82E9B1000-memory.dmp

Filesize
1.2MB

Download
memory/5040-51-0x00007FF81FD80000-0x00007FF81FEB8000-memory.dmp

Filesize
1.2MB

Download
memory/5040-45-0x00007FF81FD80000-0x00007FF81FEB8000-memory.dmp

Filesize
1.2MB

Download
memory/5040-48-0x000002A07E110000-0x000002A07E117000-memory.dmp

Filesize
28KB

Download