dridex | 38342eb9d98ddd4a2bdc2223fb97471c186123a5f675d7c2f3291bb84e9d9f3b

Analysis

max time kernel
150s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c835b2a733959689b55c54ba276ff260_JaffaCakes118.dll
Size

1.2MB
MD5

c835b2a733959689b55c54ba276ff260
SHA1

0bae1085ddd3c19f28ffa22854a1963a2f9d5750
SHA256

38342eb9d98ddd4a2bdc2223fb97471c186123a5f675d7c2f3291bb84e9d9f3b
SHA512

eadce97a5fc89ff16e63ecd33fe41b39fbf1cc9f96626a536815fa1048b367893dcc3108ff137b439fef7d5ad693c56420ca0b4b17249a9d0f3a39e407a6c5bb
SSDEEP

24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N/t:m9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3436-4-0x0000000008C60000-0x0000000008C61000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

perfmon.exerdpinit.exeInfDefaultInstall.exe

pid	Process
3932	perfmon.exe
1940	rdpinit.exe
1308	InfDefaultInstall.exe

Loads dropped DLL 3 IoCs

Processes:

perfmon.exerdpinit.exeInfDefaultInstall.exe

pid	Process
3932	perfmon.exe
1940	rdpinit.exe
1308	InfDefaultInstall.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfaxdafbicozcso = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\eP5\\rdpinit.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeperfmon.exerdpinit.exeInfDefaultInstall.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InfDefaultInstall.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
4672	rundll32.exe
4672	rundll32.exe
4672	rundll32.exe
4672	rundll32.exe
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid	Process
3436
3436

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3436

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3436 wrote to memory of 5068	3436	96
PID 3436 wrote to memory of 5068	3436	96
PID 3436 wrote to memory of 3932	3436	97
PID 3436 wrote to memory of 3932	3436	97
PID 3436 wrote to memory of 2756	3436	98
PID 3436 wrote to memory of 2756	3436	98
PID 3436 wrote to memory of 1940	3436	99
PID 3436 wrote to memory of 1940	3436	99
PID 3436 wrote to memory of 4972	3436	100
PID 3436 wrote to memory of 4972	3436	100
PID 3436 wrote to memory of 1308	3436	101
PID 3436 wrote to memory of 1308	3436	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c835b2a733959689b55c54ba276ff260_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4672

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:5068

C:\Users\Admin\AppData\Local\8sp1a\perfmon.exe
C:\Users\Admin\AppData\Local\8sp1a\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3932

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2756

C:\Users\Admin\AppData\Local\GQ92UMG7x\rdpinit.exe
C:\Users\Admin\AppData\Local\GQ92UMG7x\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1940

C:\Windows\system32\InfDefaultInstall.exe
C:\Windows\system32\InfDefaultInstall.exe
1⤵
PID:4972

C:\Users\Admin\AppData\Local\uZCX41iX\InfDefaultInstall.exe
C:\Users\Admin\AppData\Local\uZCX41iX\InfDefaultInstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8sp1a\credui.dll

Filesize
1.2MB

MD5
4b38058d0aacecf2012912382b7afd35

SHA1
8748af70644bab97c7c1e1d5bd34fb5c554adfd0

SHA256
58e3e44c787d1e55c72ea2f5ba72093bbb02faf9562cfbe9f4cba1ded27d7f5e

SHA512
871b5113968537cf687b2c00e12855edbd5af1019950b58c1b3649cf01f923e55b69acf6e2258a4eec31abc6f74038251a3cf40e9a003489ac26c8d0a3c90d33

Download Submit
C:\Users\Admin\AppData\Local\8sp1a\perfmon.exe

Filesize
177KB

MD5
d38aa59c3bea5456bd6f95c73ad3c964

SHA1
40170eab389a6ba35e949f9c92962646a302d9ef

SHA256
5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

SHA512
59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

Download Submit
C:\Users\Admin\AppData\Local\GQ92UMG7x\WTSAPI32.dll

Filesize
1.2MB

MD5
e5bd82bd463771997d94387c559f647c

SHA1
486067c5a35eb36f75d8e873ec56814bcfe1df30

SHA256
490d6600ad0f537cf82d0108e3298cb962467b6143ef299109ed0ba5c905d030

SHA512
467a0b8bc5f3252ecb91342e05058033e25d4f8f062421335e0cf7d7ea3a63e6fc8b427cd6958bd57273fe19cbd1a6569cf33482269d55936c416b01361f6833

Download Submit
C:\Users\Admin\AppData\Local\GQ92UMG7x\rdpinit.exe

Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Local\uZCX41iX\InfDefaultInstall.exe

Filesize
13KB

MD5
ee18876c1e5de583de7547075975120e

SHA1
f7fcb3d77da74deee25de9296a7c7335916504e3

SHA256
e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d

SHA512
08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

Download Submit
C:\Users\Admin\AppData\Local\uZCX41iX\newdev.dll

Filesize
1.2MB

MD5
12e9805ecc560c705ca775ec65b161dd

SHA1
714d34da816038604571175c87e39bb561d62750

SHA256
b87122b14e501eee63e7bf4385a0571de836163bad8a400b5064eb392f985f46

SHA512
89dde897f14e9a8afb36af16c30131ddd8c0cd45850fe928afafa6ef2732924e9574ac0c55695fcb5a7bc15449f5cf6cd423ba1a2b62ff2e0e7ffaaa34d56e1b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yfsfrqrlkk.lnk

Filesize
1KB

MD5
9fdd57394c64a4b1cd77237cde99865f

SHA1
0d15ce36695ccd09c7aaee652e259d36c12505e0

SHA256
3e537a0450e44ad7677f5faab03040e65001caf73d3db9e38a900a8558d7477a

SHA512
385fed10e9ab558f977c0915297edc6afa4c3c7b7bf16696e8e55d67d2e8272249987811f21d1f81ac7ea32f8da022af3e160e865abfa88e07875698f64bfbc9

Download Submit
memory/1308-86-0x00007FFE57940000-0x00007FFE57A72000-memory.dmp

Filesize
1.2MB

Download
memory/1308-83-0x000002310BE00000-0x000002310BE07000-memory.dmp

Filesize
28KB

Download
memory/1940-69-0x00007FFE57940000-0x00007FFE57A72000-memory.dmp

Filesize
1.2MB

Download
memory/1940-63-0x00000221DD0E0000-0x00000221DD0E7000-memory.dmp

Filesize
28KB

Download
memory/3436-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-4-0x0000000008C60000-0x0000000008C61000-memory.dmp

Filesize
4KB

Download
memory/3436-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-6-0x00007FFE7399A000-0x00007FFE7399B000-memory.dmp

Filesize
4KB

Download
memory/3436-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-31-0x00007FFE74FF0000-0x00007FFE75000000-memory.dmp

Filesize
64KB

Download
memory/3436-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3436-30-0x0000000008B40000-0x0000000008B47000-memory.dmp

Filesize
28KB

Download
memory/3436-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3932-52-0x00007FFE57940000-0x00007FFE57A72000-memory.dmp

Filesize
1.2MB

Download
memory/3932-47-0x00007FFE57940000-0x00007FFE57A72000-memory.dmp

Filesize
1.2MB

Download
memory/3932-46-0x0000023399EB0000-0x0000023399EB7000-memory.dmp

Filesize
28KB

Download
memory/4672-39-0x00007FFE66030000-0x00007FFE66161000-memory.dmp

Filesize
1.2MB

Download
memory/4672-3-0x000001C3A2D30000-0x000001C3A2D37000-memory.dmp

Filesize
28KB

Download
memory/4672-0-0x00007FFE66030000-0x00007FFE66161000-memory.dmp

Filesize
1.2MB

Download