dridex | 7e4e5b66b159d527d7f95083f708b94777aad062e5e665f3a41eb07d7891a60e

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0531aa81daf874d07f3ac24ce59d4f1_JaffaCakes118.dll
Size

1.2MB
MD5

c0531aa81daf874d07f3ac24ce59d4f1
SHA1

8aa0b1e290bf9b4335a8448989910b1f9827157e
SHA256

7e4e5b66b159d527d7f95083f708b94777aad062e5e665f3a41eb07d7891a60e
SHA512

abc190f52bc1e5f0a0368ac6f830254054cc5e574614c803cde4534887ee5e1e2387878ac0d72dc17fd121293815bbd29c29b34a077a2726b11b69a78b17666e
SSDEEP

24576:PuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:x9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3488-4-0x0000000003300000-0x0000000003301000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4824	msinfo32.exe
2140	WindowsActionDialog.exe
1712	printfilterpipelinesvc.exe

Loads dropped DLL 3 IoCs

pid	Process
4824	msinfo32.exe
2140	WindowsActionDialog.exe
1712	printfilterpipelinesvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ygssokoticw = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\2RoU6ily\\WINDOW~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
828	rundll32.exe
828	rundll32.exe
828	rundll32.exe
828	rundll32.exe
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found
3488	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3488	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 2728	3488	Process not Found	94
PID 3488 wrote to memory of 2728	3488	Process not Found	94
PID 3488 wrote to memory of 4824	3488	Process not Found	95
PID 3488 wrote to memory of 4824	3488	Process not Found	95
PID 3488 wrote to memory of 3116	3488	Process not Found	96
PID 3488 wrote to memory of 3116	3488	Process not Found	96
PID 3488 wrote to memory of 2140	3488	Process not Found	97
PID 3488 wrote to memory of 2140	3488	Process not Found	97
PID 3488 wrote to memory of 4984	3488	Process not Found	98
PID 3488 wrote to memory of 4984	3488	Process not Found	98
PID 3488 wrote to memory of 1712	3488	Process not Found	99
PID 3488 wrote to memory of 1712	3488	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0531aa81daf874d07f3ac24ce59d4f1_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:828

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:2728

C:\Users\Admin\AppData\Local\aCxyyAAv\msinfo32.exe
C:\Users\Admin\AppData\Local\aCxyyAAv\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4824

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:3116

C:\Users\Admin\AppData\Local\RhamyV\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\RhamyV\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2140

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:4984

C:\Users\Admin\AppData\Local\sAO6us\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\sAO6us\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\RhamyV\DUI70.dll

Filesize
1.4MB

MD5
2ca20755c89d762e5a57cbcf3818cff4

SHA1
b80e022d0e7f5a48e55f01ba563bc5b086bc59fc

SHA256
1a0baa66ffb3489bdafebf1776242fc8cf8baf2299f90760a2348cef25c108f2

SHA512
2ba4b9641b51e48f216d158e7ece3a3f3e9b42de5058811bfd2137ab6101d26879d751c7d48cbc37d22faa4bef0e906c7675bae0fc2ac63603cef7cd1df8ab8a

Download Submit
C:\Users\Admin\AppData\Local\RhamyV\WindowsActionDialog.exe

Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Local\aCxyyAAv\MFC42u.dll

Filesize
1.2MB

MD5
b1795cdcfdfa26d2b7c30d095cd5b3aa

SHA1
5ae7ab6fb1cf17fd70c2bb72b5b68e4ce74d482e

SHA256
9e34bb986331b269033758cbfd33f796cd3e8ceaf08cb21865ab827c0b5a5afa

SHA512
895b46bee2a32f3c17e9360c5873a0490c73ec3046dd0a2a20251604e618af02db02c691bbc35013dbfe122bf3bbc23065a1dfb1153d79f0451991cb89be71d0

Download Submit
C:\Users\Admin\AppData\Local\aCxyyAAv\msinfo32.exe

Filesize
376KB

MD5
0aed91da63713bf9f881b03a604a1c9d

SHA1
b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

SHA256
5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

SHA512
04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

Download Submit
C:\Users\Admin\AppData\Local\sAO6us\XmlLite.dll

Filesize
1.2MB

MD5
06bd93cdbf4a880b7c3f48213306d148

SHA1
1579a866816f2b324f665b645c90ff1d502bf2a1

SHA256
8b2268dd64c87a51e4fced0c7842ca24135c044a4154c140e37ac024b64519a3

SHA512
ce31b8a96fc792bb86cc88259ba6894fdc18a2beac6d80184dc7e3b5795dcb2918b1ab8ba164d5646588404a7dcad49d38359520b57007048d598825ee2f8771

Download Submit
C:\Users\Admin\AppData\Local\sAO6us\printfilterpipelinesvc.exe

Filesize
813KB

MD5
331a40eabaa5870e316b401bd81c4861

SHA1
ddff65771ca30142172c0d91d5bfff4eb1b12b73

SHA256
105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

SHA512
29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk

Filesize
1KB

MD5
38519ca8a250ab0d5ede10f199efbd48

SHA1
496b488ea6345c18ecb9a24b1eee1980c569d829

SHA256
9c4265c27e556e697660574319b9320857672bd90cf56008b73d4665627df3bf

SHA512
70941eb9b799baeaf0edb571015eb5924176b555db2585af40853c5aa9eee5a1d550851ef1cecdb2fe0a42f6ca2d65312b9223fae9b0dd8cdeacd9346244fe00

Download Submit
memory/828-2-0x00007FFDCC3E0000-0x00007FFDCC511000-memory.dmp

Filesize
1.2MB

Download
memory/828-38-0x00007FFDCC3E0000-0x00007FFDCC511000-memory.dmp

Filesize
1.2MB

Download
memory/828-0-0x0000012A20C00000-0x0000012A20C07000-memory.dmp

Filesize
28KB

Download
memory/1712-84-0x00007FFDBD010000-0x00007FFDBD142000-memory.dmp

Filesize
1.2MB

Download
memory/1712-79-0x00007FFDBD010000-0x00007FFDBD142000-memory.dmp

Filesize
1.2MB

Download
memory/2140-65-0x000001C756020000-0x000001C756027000-memory.dmp

Filesize
28KB

Download
memory/2140-62-0x00007FFDBCFD0000-0x00007FFDBD147000-memory.dmp

Filesize
1.5MB

Download
memory/2140-68-0x00007FFDBCFD0000-0x00007FFDBD147000-memory.dmp

Filesize
1.5MB

Download
memory/3488-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-35-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-4-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3488-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-6-0x00007FFDDA3FA000-0x00007FFDDA3FB000-memory.dmp

Filesize
4KB

Download
memory/3488-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3488-25-0x0000000002DA0000-0x0000000002DA7000-memory.dmp

Filesize
28KB

Download
memory/3488-26-0x00007FFDDA9F0000-0x00007FFDDAA00000-memory.dmp

Filesize
64KB

Download
memory/3488-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4824-51-0x00007FFDBD010000-0x00007FFDBD148000-memory.dmp

Filesize
1.2MB

Download
memory/4824-46-0x00007FFDBD010000-0x00007FFDBD148000-memory.dmp

Filesize
1.2MB

Download
memory/4824-45-0x000002B34CEB0000-0x000002B34CEB7000-memory.dmp

Filesize
28KB

Download