dridex | 0acbdd88ad3bfa71a43bfc53fd70200c636ed15847b4587c26b73dd17d2834f0

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c11d18fc3052e4bd6c7e1930289ff881_JaffaCakes118.dll
Size

1.2MB
MD5

c11d18fc3052e4bd6c7e1930289ff881
SHA1

a1efb5769620a2d2a01b9e8879e2c7ad6d3e6098
SHA256

0acbdd88ad3bfa71a43bfc53fd70200c636ed15847b4587c26b73dd17d2834f0
SHA512

2b9a906d482462d17051173427fb71a75e607f2353918983d903fb7c4086a9967fea47cc3e69a539cb4a7ed5288bb4d000c6f1351481e4bf6ac95e97cbbbe5d1
SSDEEP

24576:5uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:r9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3592-4-0x0000000008430000-0x0000000008431000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SndVol.exeEhStorAuthn.exeDevicePairingWizard.exe

pid	Process
4412	SndVol.exe
1856	EhStorAuthn.exe
1948	DevicePairingWizard.exe

Loads dropped DLL 3 IoCs

Processes:

SndVol.exeEhStorAuthn.exeDevicePairingWizard.exe

pid	Process
4412	SndVol.exe
1856	EhStorAuthn.exe
1948	DevicePairingWizard.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wdtbxtklooytt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\GUDKZU~1\\EHSTOR~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSndVol.exeEhStorAuthn.exeDevicePairingWizard.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe

Modifies registry class 1 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
4936	rundll32.exe
4936	rundll32.exe
4936	rundll32.exe
4936	rundll32.exe
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592
3592

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3592
Token: SeCreatePagefilePrivilege	3592
Token: SeShutdownPrivilege	3592
Token: SeCreatePagefilePrivilege	3592
Token: SeShutdownPrivilege	3592
Token: SeCreatePagefilePrivilege	3592
Token: SeShutdownPrivilege	3592
Token: SeCreatePagefilePrivilege	3592

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3592
3592

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3592

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3592 wrote to memory of 4928	3592	93
PID 3592 wrote to memory of 4928	3592	93
PID 3592 wrote to memory of 4412	3592	94
PID 3592 wrote to memory of 4412	3592	94
PID 3592 wrote to memory of 2064	3592	97
PID 3592 wrote to memory of 2064	3592	97
PID 3592 wrote to memory of 1856	3592	98
PID 3592 wrote to memory of 1856	3592	98
PID 3592 wrote to memory of 4408	3592	99
PID 3592 wrote to memory of 4408	3592	99
PID 3592 wrote to memory of 1948	3592	100
PID 3592 wrote to memory of 1948	3592	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c11d18fc3052e4bd6c7e1930289ff881_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4936

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:4928

C:\Users\Admin\AppData\Local\4PcJaNjOb\SndVol.exe
C:\Users\Admin\AppData\Local\4PcJaNjOb\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4412

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:2064

C:\Users\Admin\AppData\Local\YsU\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\YsU\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1856

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:4408

C:\Users\Admin\AppData\Local\9EkgvEs\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\9EkgvEs\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4PcJaNjOb\SndVol.exe

Filesize
269KB

MD5
c5d939ac3f9d885c8355884199e36433

SHA1
b8f277549c23953e8683746e225e7af1c193ad70

SHA256
68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

SHA512
8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

Download Submit
C:\Users\Admin\AppData\Local\4PcJaNjOb\UxTheme.dll

Filesize
1.2MB

MD5
b0b99e9a82213a43c82e5f440bf11af3

SHA1
0a877d70f14f1378da95819e06b357ab714b3ca2

SHA256
889daf95e9122da0ca9d3b715235bb89ef16d61b7b9c3b6b21b917454406b8cb

SHA512
d73b1bdad34115675f3ae77995d40c781c5473c91e641673a4e3dd8b06a0cd15cede6e68bd4aedd23ba7d9821867287f1e2889b5b558858734e4fc17082a466e

Download Submit
C:\Users\Admin\AppData\Local\9EkgvEs\DevicePairingWizard.exe

Filesize
93KB

MD5
d0e40a5a0c7dad2d6e5040d7fbc37533

SHA1
b0eabbd37a97a1abcd90bd56394f5c45585699eb

SHA256
2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

SHA512
1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

Download Submit
C:\Users\Admin\AppData\Local\9EkgvEs\MFC42u.dll

Filesize
1.2MB

MD5
092ab0ceed40dfd439b99e6fe0ef4c75

SHA1
683bb15ec38cf9f28216b4764f261bef6b60fc48

SHA256
378a62e770607320db205ebea9f1b0272c8d7322bee43cc44abf8a16b479ccc8

SHA512
43ac3bf6bfc66502af1bf6d5f503ff9212c7ddc265a8364618814a9dd6af1968804bcdea95cf6c137f79c524583a08ffba8393d889cca8c35be493ceb7af69d5

Download Submit
C:\Users\Admin\AppData\Local\YsU\EhStorAuthn.exe

Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\YsU\UxTheme.dll

Filesize
1.2MB

MD5
814080c15054cbe0e2fba29af2d357ec

SHA1
96874889aa3b076077ae9a355e0a0ad618560713

SHA256
9de89ed55eb54260e50340b118ee9d25fe61b80100faec4d46b160f6514afe06

SHA512
2c58dd12c31936414f979c0a408600748578e9b503a2e91d79039cc2aa085fb3ec41dc22514dae37d17e3b3d48915bed7bc99b7caeaf26bde8531155404364d8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ahvhgxnkgdxqlh.lnk

Filesize
1KB

MD5
e95e5f88d125afedf2bdde97c17c829e

SHA1
62cc8d24d689d179e0e6c7d23adccddd3052aec3

SHA256
cc88132eb9f857aa20b013432bcc99f7e2d9a5dbb72d7557880ebfd81f9b3fb5

SHA512
4d0b1fbaefba2eeb2bedb80424cf89559dd16617fd82de621cb943d22d37d7efb606c5675c4752440b914e17b06b76cd8bd808dc86953fb282f2d66a1fda03b8

Download Submit
memory/1856-64-0x00007FFD8B980000-0x00007FFD8BAB1000-memory.dmp

Filesize
1.2MB

Download
memory/1856-67-0x000001AEF3C40000-0x000001AEF3C47000-memory.dmp

Filesize
28KB

Download
memory/1856-70-0x00007FFD8B980000-0x00007FFD8BAB1000-memory.dmp

Filesize
1.2MB

Download
memory/1948-81-0x0000020740190000-0x0000020740197000-memory.dmp

Filesize
28KB

Download
memory/1948-82-0x00007FFD8B980000-0x00007FFD8BAB7000-memory.dmp

Filesize
1.2MB

Download
memory/1948-87-0x00007FFD8B980000-0x00007FFD8BAB7000-memory.dmp

Filesize
1.2MB

Download
memory/3592-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3592-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3592-37-0x00007FFDAA090000-0x00007FFDAA0A0000-memory.dmp

Filesize
64KB

Download
memory/3592-25-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3592-24-0x0000000008390000-0x0000000008397000-memory.dmp

Filesize
28KB

Download
memory/3592-23-0x00007FFDA915A000-0x00007FFDA915B000-memory.dmp

Filesize
4KB

Download
memory/3592-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3592-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3592-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3592-6-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3592-4-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/3592-34-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3592-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3592-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3592-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3592-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4412-45-0x00007FFD8BBF0000-0x00007FFD8BD21000-memory.dmp

Filesize
1.2MB

Download
memory/4412-51-0x00007FFD8BBF0000-0x00007FFD8BD21000-memory.dmp

Filesize
1.2MB

Download
memory/4412-48-0x0000020A3E870000-0x0000020A3E877000-memory.dmp

Filesize
28KB

Download
memory/4936-0-0x00007FFD9BF90000-0x00007FFD9C0C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-38-0x00007FFD9BF90000-0x00007FFD9C0C0000-memory.dmp

Filesize
1.2MB

Download
memory/4936-3-0x000001AFD1BC0000-0x000001AFD1BC7000-memory.dmp

Filesize
28KB

Download