dridex | 532c4a9fdcc00ccbbde0658accc2d5d76862011038a28136e5c19f312e1cd7a9

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c572ea4c00bbf5b57f75082b7abc9d4a_JaffaCakes118.dll
Size

1.2MB
MD5

c572ea4c00bbf5b57f75082b7abc9d4a
SHA1

b607b459531d5d3629d83b74a3e7064ab0a5172d
SHA256

532c4a9fdcc00ccbbde0658accc2d5d76862011038a28136e5c19f312e1cd7a9
SHA512

8de6287aae880a643a3cd3a17315d8c739b3bf3ee31df224d7d979a7e7a8b758b7429b27ac0c2ed2752a77995d5e9c4552adcf71d0b13baca9fb5492f6059ead
SSDEEP

24576:BuYfg4LhHr4NFXKJO1aUyDBvZ2+ITXmpclO9d:T9cKrU6ZWbAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3348-4-0x00000000083A0000-0x00000000083A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

AgentService.exeMusNotificationUx.exebdechangepin.exe

pid	Process
3532	AgentService.exe
2428	MusNotificationUx.exe
3396	bdechangepin.exe

Loads dropped DLL 3 IoCs

Processes:

AgentService.exeMusNotificationUx.exebdechangepin.exe

pid	Process
3532	AgentService.exe
2428	MusNotificationUx.exe
3396	bdechangepin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tdfoxulv = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\s5rNi\\MusNotificationUx.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeAgentService.exeMusNotificationUx.exebdechangepin.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AgentService.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1496	rundll32.exe
1496	rundll32.exe
1496	rundll32.exe
1496	rundll32.exe
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348
3348

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348
Token: SeShutdownPrivilege	3348
Token: SeCreatePagefilePrivilege	3348

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3348
3348

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3348

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3348 wrote to memory of 2132	3348	97
PID 3348 wrote to memory of 2132	3348	97
PID 3348 wrote to memory of 3532	3348	98
PID 3348 wrote to memory of 3532	3348	98
PID 3348 wrote to memory of 1088	3348	99
PID 3348 wrote to memory of 1088	3348	99
PID 3348 wrote to memory of 2428	3348	100
PID 3348 wrote to memory of 2428	3348	100
PID 3348 wrote to memory of 4636	3348	101
PID 3348 wrote to memory of 4636	3348	101
PID 3348 wrote to memory of 3396	3348	102
PID 3348 wrote to memory of 3396	3348	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c572ea4c00bbf5b57f75082b7abc9d4a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:2132

C:\Users\Admin\AppData\Local\Lv1k0o\AgentService.exe
C:\Users\Admin\AppData\Local\Lv1k0o\AgentService.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3532

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:1088

C:\Users\Admin\AppData\Local\Lt9y\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\Lt9y\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2428

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:4636

C:\Users\Admin\AppData\Local\lmGSJiX7\bdechangepin.exe
C:\Users\Admin\AppData\Local\lmGSJiX7\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Lt9y\MusNotificationUx.exe

Filesize
615KB

MD5
869a214114a81712199f3de5d69d9aad

SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f

SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

Download Submit
C:\Users\Admin\AppData\Local\Lt9y\XmlLite.dll

Filesize
1.2MB

MD5
9cd2d0d5c125f35c921404d3e75698a5

SHA1
a739fd335819977adb8450547fd474798582a938

SHA256
409b140d0c5f8acd43dc5a8ed925f634b1acf2d84c0eda2d3d4e969f5dff5405

SHA512
3403a67638099015e709043709444e10279fc47a6ae758cf449b0efa7c3285670a40241771994790e9196d833e851f6bd2b909144ff6907b070f2f7823b4801f

Download Submit
C:\Users\Admin\AppData\Local\Lv1k0o\ACTIVEDS.dll

Filesize
1.2MB

MD5
97250e9d250d833b7831a1071da6bfdb

SHA1
6181499aa285a8f1ec17e5c9b1f218d6718c46c5

SHA256
d20af637eb024d380e51ae6af550db4c79e3018a2487038d65c1b7c28989b4a2

SHA512
b7c91f9167dbe44546564235d5748b7aa11cbeb0b0fd0aa2f78902c93d4e8462ec84bd5298bfcfe77c1595f7569d9fc29586e27fdd2e8b81697097a01d2eb868

Download Submit
C:\Users\Admin\AppData\Local\Lv1k0o\AgentService.exe

Filesize
1.2MB

MD5
f8bac206def3e87ceb8ef3cb0fb5a194

SHA1
a28ea816e7b5ca511da4576262a5887a75171276

SHA256
c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268

SHA512
8df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909

Download Submit
C:\Users\Admin\AppData\Local\lmGSJiX7\DUI70.dll

Filesize
1.4MB

MD5
29c19143ab5649cdf7689bbcf487c6c6

SHA1
bd60487d0d077e10fe50592fa0c5a45e0492751e

SHA256
7f3a3ea118c5d93e042e43bd6ba0ef774165337abb6ec268c532f0d15dbb68c4

SHA512
9f256d28064600028a75d2c46fca0f3ac4c6eec3d30e335c648b1dfd2e920b3a7e3fa7b4f2d99afab0aabc0c6b65c94d90ab82fc5f541764ebf8573aa383a1d0

Download Submit
C:\Users\Admin\AppData\Local\lmGSJiX7\bdechangepin.exe

Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk

Filesize
1023B

MD5
059dee52c26a17c9fdf89e5ca04b1da5

SHA1
433c1e6d93cf50f4f08c801a1fb0248ce48294b8

SHA256
100514d2d8736398d518105606100cc79f67ee8eab757f7e29d1e62a6759a89b

SHA512
cb4ac4d9b0442b1034d23615dbae821d254b94fe6fdeac745bb8ada98a5265da06d1452a0debf8c9aa8dd1d734753ed3e3f7beb2a2511df3ae5822722768ee4d

Download Submit
memory/1496-1-0x00007FFF3DC50000-0x00007FFF3DD81000-memory.dmp

Filesize
1.2MB

Download
memory/1496-0-0x00000158515F0000-0x00000158515F7000-memory.dmp

Filesize
28KB

Download
memory/1496-39-0x00007FFF3DC50000-0x00007FFF3DD81000-memory.dmp

Filesize
1.2MB

Download
memory/2428-69-0x00007FFF2E2A0000-0x00007FFF2E3D2000-memory.dmp

Filesize
1.2MB

Download
memory/2428-63-0x0000014D14290000-0x0000014D14297000-memory.dmp

Filesize
28KB

Download
memory/3348-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-6-0x00007FFF4BEAA000-0x00007FFF4BEAB000-memory.dmp

Filesize
4KB

Download
memory/3348-4-0x00000000083A0000-0x00000000083A1000-memory.dmp

Filesize
4KB

Download
memory/3348-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-30-0x00007FFF4CB30000-0x00007FFF4CB40000-memory.dmp

Filesize
64KB

Download
memory/3348-18-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3348-29-0x0000000007580000-0x0000000007587000-memory.dmp

Filesize
28KB

Download
memory/3348-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3396-80-0x000001DBDCF80000-0x000001DBDCF87000-memory.dmp

Filesize
28KB

Download
memory/3396-81-0x00007FFF2E260000-0x00007FFF2E3D7000-memory.dmp

Filesize
1.5MB

Download
memory/3396-86-0x00007FFF2E260000-0x00007FFF2E3D7000-memory.dmp

Filesize
1.5MB

Download
memory/3532-52-0x00007FFF2E2A0000-0x00007FFF2E3D2000-memory.dmp

Filesize
1.2MB

Download
memory/3532-47-0x00007FFF2E2A0000-0x00007FFF2E3D2000-memory.dmp

Filesize
1.2MB

Download
memory/3532-46-0x000001D940550000-0x000001D940557000-memory.dmp

Filesize
28KB

Download