dridex | 849f991381c28c420499f0dd6871940f7074637575f5dc3c6e5826962c87351d

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c90f1183641a387ea5575b5e9cfc3823_JaffaCakes118.dll
Size

1.2MB
MD5

c90f1183641a387ea5575b5e9cfc3823
SHA1

7f54137d178f58adab7e50adaf3c2d48dc5b4607
SHA256

849f991381c28c420499f0dd6871940f7074637575f5dc3c6e5826962c87351d
SHA512

977c1b03b575156862324347ba97d88f8dc3fdd46ef1b6b7e7e6ba933cd22151af2609e87ff13e9655b131b839ca8efd67aa9406e9d34e2cded8e51b6676938b
SSDEEP

24576:uuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N2:O9cKrUqZWLAcUO

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3464-4-0x00000000028F0000-0x00000000028F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1768	PasswordOnWakeSettingFlyout.exe
4184	InfDefaultInstall.exe
1068	CustomShellHost.exe

Loads dropped DLL 3 IoCs

pid	Process
1768	PasswordOnWakeSettingFlyout.exe
4184	InfDefaultInstall.exe
1068	CustomShellHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ftxdckjforivc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\dl3LnMg0V\\InfDefaultInstall.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PasswordOnWakeSettingFlyout.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InfDefaultInstall.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CustomShellHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4752	rundll32.exe
4752	rundll32.exe
4752	rundll32.exe
4752	rundll32.exe
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found
3464	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3464	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 1820	3464	Process not Found	94
PID 3464 wrote to memory of 1820	3464	Process not Found	94
PID 3464 wrote to memory of 1768	3464	Process not Found	95
PID 3464 wrote to memory of 1768	3464	Process not Found	95
PID 3464 wrote to memory of 4056	3464	Process not Found	96
PID 3464 wrote to memory of 4056	3464	Process not Found	96
PID 3464 wrote to memory of 4184	3464	Process not Found	97
PID 3464 wrote to memory of 4184	3464	Process not Found	97
PID 3464 wrote to memory of 3008	3464	Process not Found	98
PID 3464 wrote to memory of 3008	3464	Process not Found	98
PID 3464 wrote to memory of 1068	3464	Process not Found	99
PID 3464 wrote to memory of 1068	3464	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c90f1183641a387ea5575b5e9cfc3823_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4752

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
1⤵
PID:1820

C:\Users\Admin\AppData\Local\d03a1YLY7\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\d03a1YLY7\PasswordOnWakeSettingFlyout.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1768

C:\Windows\system32\InfDefaultInstall.exe
C:\Windows\system32\InfDefaultInstall.exe
1⤵
PID:4056

C:\Users\Admin\AppData\Local\jJj\InfDefaultInstall.exe
C:\Users\Admin\AppData\Local\jJj\InfDefaultInstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4184

C:\Windows\system32\CustomShellHost.exe
C:\Windows\system32\CustomShellHost.exe
1⤵
PID:3008

C:\Users\Admin\AppData\Local\C7twDpkh\CustomShellHost.exe
C:\Users\Admin\AppData\Local\C7twDpkh\CustomShellHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\C7twDpkh\CustomShellHost.exe

Filesize
835KB

MD5
70400e78b71bc8efdd063570428ae531

SHA1
cd86ecd008914fdd0389ac2dc00fe92d87746096

SHA256
91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

SHA512
53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

Download Submit
C:\Users\Admin\AppData\Local\C7twDpkh\WTSAPI32.dll

Filesize
1.2MB

MD5
1260b56302eb91f7af2ec5952839d12e

SHA1
bae23081e1a23c2069afb6c35b1a50f6acb2c9e1

SHA256
7a97c8f5af7066241a1a50d5e787471d152d2f6963eac438d67fa50dd4894bbc

SHA512
4e8f0528964f731fc927e106309829fcf21fdfd65847cf59d96aa164333194663a2265d4640ca4d50769a01e976c9159f4106ba938f28776c21a89c38f32d246

Download Submit
C:\Users\Admin\AppData\Local\d03a1YLY7\DUI70.dll

Filesize
1.4MB

MD5
04135c192e7d85ba140418bf10e929cf

SHA1
90c99c43b3afd6fdc876f94b1114fe366119f5cd

SHA256
6f9f8e8d661f87b3a9d90201ed2740fe5bd09088e76fc708eb54424e31c3b9f3

SHA512
7de5f279a1a9165755acbb4f2797aec9e735d43aca52d2aa2cb6cc9c314cf2bc5c14abd663bdccc960a015c5f6fc1dc6c2e900ddf1191ee2f3970c21026ad8df

Download Submit
C:\Users\Admin\AppData\Local\d03a1YLY7\PasswordOnWakeSettingFlyout.exe

Filesize
44KB

MD5
591a98c65f624c52882c2b238d6cd4c4

SHA1
c960d08c19d777069cf265dcc281807fbd8502d7

SHA256
5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

SHA512
1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

Download Submit
C:\Users\Admin\AppData\Local\jJj\InfDefaultInstall.exe

Filesize
13KB

MD5
ee18876c1e5de583de7547075975120e

SHA1
f7fcb3d77da74deee25de9296a7c7335916504e3

SHA256
e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d

SHA512
08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

Download Submit
C:\Users\Admin\AppData\Local\jJj\newdev.dll

Filesize
1.2MB

MD5
3e77f1d18c80393141af62c31014c49c

SHA1
3a89eba6128cf237f34be498bf878f129a4806a6

SHA256
80e0f2698d72ca47fb0d39e016ae96253f68f99bdd832e10ad109d5b62b42edd

SHA512
d5323dbfe4384e4052474df4ca311b4616fee6f9b4df6b27d50bbc68930b872f88889eda19de85239d138cacf63f8d7ec20084070eacd59ac635b40d53307393

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppmzgvduo.lnk

Filesize
1KB

MD5
fb584ba2987b40fa062ab8e864282ea6

SHA1
54aa4a0425dbf71e4ce0e8929fd5bf7d23f9b0c0

SHA256
feddcf2c67f111ae869c2748871557752a111bbcc6f02ce25b87e1e94b242de8

SHA512
7584b90fdd3d7389c1e38a5647defab71f4b33897c16c37c532050afc2d9633acb77845410a1ac1cd1ad5ce17b589e5daee85322e92ad811fc03f6866ea9e34a

Download Submit
memory/1068-86-0x00007FF945BE0000-0x00007FF945D12000-memory.dmp

Filesize
1.2MB

Download
memory/1068-83-0x0000029FA10C0000-0x0000029FA10C7000-memory.dmp

Filesize
28KB

Download
memory/1768-52-0x00007FF945BA0000-0x00007FF945D17000-memory.dmp

Filesize
1.5MB

Download
memory/1768-49-0x0000013A5EDE0000-0x0000013A5EDE7000-memory.dmp

Filesize
28KB

Download
memory/1768-46-0x00007FF945BA0000-0x00007FF945D17000-memory.dmp

Filesize
1.5MB

Download
memory/3464-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-35-0x00007FF9632B0000-0x00007FF9632C0000-memory.dmp

Filesize
64KB

Download
memory/3464-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-4-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/3464-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-34-0x0000000000DD0000-0x0000000000DD7000-memory.dmp

Filesize
28KB

Download
memory/3464-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-6-0x00007FF961DEA000-0x00007FF961DEB000-memory.dmp

Filesize
4KB

Download
memory/3464-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4184-69-0x00007FF945BE0000-0x00007FF945D12000-memory.dmp

Filesize
1.2MB

Download
memory/4184-66-0x000001D9A15A0000-0x000001D9A15A7000-memory.dmp

Filesize
28KB

Download
memory/4184-63-0x00007FF945BE0000-0x00007FF945D12000-memory.dmp

Filesize
1.2MB

Download
memory/4752-1-0x00007FF954460000-0x00007FF954591000-memory.dmp

Filesize
1.2MB

Download
memory/4752-39-0x00007FF954460000-0x00007FF954591000-memory.dmp

Filesize
1.2MB

Download
memory/4752-3-0x00000190C7340000-0x00000190C7347000-memory.dmp

Filesize
28KB

Download