dridex | 480819cebdae01d450d58cd97b2a92b70f2ba4b01e92fa3c99add416e1cb4031

Analysis

max time kernel
150s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cca80d9e068acff700587abcb34c5234_JaffaCakes118.dll
Size

1.2MB
MD5

cca80d9e068acff700587abcb34c5234
SHA1

d9bbd6dfafc80c3a0af3a6814abd237cebdd6c55
SHA256

480819cebdae01d450d58cd97b2a92b70f2ba4b01e92fa3c99add416e1cb4031
SHA512

a9e55710194bb7958b642231466b6ff67be5afcb0081ff6563813be380fbb672a198e70ba5d9b2eee4cc71ba5c5fb7320169d99d03eef574917c43e68d92e2a2
SSDEEP

24576:0uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nlpt:s9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3524-4-0x00000000070D0000-0x00000000070D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1212	bdechangepin.exe
4504	rdpshell.exe
3280	WindowsActionDialog.exe

Loads dropped DLL 3 IoCs

pid	Process
1212	bdechangepin.exe
4504	rdpshell.exe
3280	WindowsActionDialog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Isybexcquevfui = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\35\\rdpshell.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4524	rundll32.exe
4524	rundll32.exe
4524	rundll32.exe
4524	rundll32.exe
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found
3524	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3524	Process not Found
Token: SeCreatePagefilePrivilege	3524	Process not Found
Token: SeShutdownPrivilege	3524	Process not Found
Token: SeCreatePagefilePrivilege	3524	Process not Found
Token: SeShutdownPrivilege	3524	Process not Found
Token: SeCreatePagefilePrivilege	3524	Process not Found
Token: SeShutdownPrivilege	3524	Process not Found
Token: SeCreatePagefilePrivilege	3524	Process not Found
Token: SeShutdownPrivilege	3524	Process not Found
Token: SeCreatePagefilePrivilege	3524	Process not Found
Token: SeShutdownPrivilege	3524	Process not Found
Token: SeCreatePagefilePrivilege	3524	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3524	Process not Found
3524	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3524	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 4844	3524	Process not Found	100
PID 3524 wrote to memory of 4844	3524	Process not Found	100
PID 3524 wrote to memory of 1212	3524	Process not Found	101
PID 3524 wrote to memory of 1212	3524	Process not Found	101
PID 3524 wrote to memory of 1640	3524	Process not Found	102
PID 3524 wrote to memory of 1640	3524	Process not Found	102
PID 3524 wrote to memory of 4504	3524	Process not Found	103
PID 3524 wrote to memory of 4504	3524	Process not Found	103
PID 3524 wrote to memory of 1716	3524	Process not Found	104
PID 3524 wrote to memory of 1716	3524	Process not Found	104
PID 3524 wrote to memory of 3280	3524	Process not Found	105
PID 3524 wrote to memory of 3280	3524	Process not Found	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cca80d9e068acff700587abcb34c5234_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4524

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:4844

C:\Users\Admin\AppData\Local\ps5jtYYrJ\bdechangepin.exe
C:\Users\Admin\AppData\Local\ps5jtYYrJ\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1212

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:1640

C:\Users\Admin\AppData\Local\hc7fmUWdQ\rdpshell.exe
C:\Users\Admin\AppData\Local\hc7fmUWdQ\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4504

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:1716

C:\Users\Admin\AppData\Local\6DDNua4Ar\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\6DDNua4Ar\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6DDNua4Ar\DUI70.dll

Filesize
1.4MB

MD5
052d0072ca39a8f43737383f8450755d

SHA1
b51e827766b7b1c22bfc01b533f81a86459e318c

SHA256
de303767800375141993adcc17eb760cd9feabc03771317ec4cda42f79f38b30

SHA512
879a6be8409e44d600f73f055cd730a7a546e369a6ae09e78d1657c2ead26dc38564a9f8233d7a34d936074378b2df928a64c21cad3b5f25b957f5c20af4db94

Download Submit
C:\Users\Admin\AppData\Local\6DDNua4Ar\WindowsActionDialog.exe

Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Local\hc7fmUWdQ\dwmapi.dll

Filesize
1.2MB

MD5
9eea4a3d00014e7cddbd0b7b92fdc313

SHA1
7fc23debf5c4bed87787ff81b53aa42da0ab932f

SHA256
da092f1950734a02ee51398f3371cf6bb796257db504bfd6bddd1c8aa9a4fbe5

SHA512
b0f599d0364d5c1c1766a081c19ea03178a60e187a2b897ab1bed6e0a2500393f8f30ab14ef9e2b1b1aad81531f0ec6738fc46b985f144e68514755095352a6a

Download Submit
C:\Users\Admin\AppData\Local\hc7fmUWdQ\rdpshell.exe

Filesize
468KB

MD5
428066713f225bb8431340fa670671d4

SHA1
47f6878ff33317c3fc09c494df729a463bda174c

SHA256
da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

SHA512
292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

Download Submit
C:\Users\Admin\AppData\Local\ps5jtYYrJ\DUI70.dll

Filesize
1.4MB

MD5
d7b1c530ee05c64f32987723bbf6aeda

SHA1
40c99c58c2d02654f95f116fef8ba6b68c110881

SHA256
7db69dfb18a9ad62d927c9460eb5f2423e38c2b983b848c053610b5d549b63d7

SHA512
09658c367b89a08cf1f6d840c6d639147451eeec3afb5d00eb5a60a9a076213300553716c3a656aeef7454950e25f885d7a4e3a02911afd98ccb5626843a197f

Download Submit
C:\Users\Admin\AppData\Local\ps5jtYYrJ\bdechangepin.exe

Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wyfsbgf.lnk

Filesize
1KB

MD5
3659df54db61976240c51d4d4e04df11

SHA1
269f4ea44ed69589f2ce308ce30c17164908b22c

SHA256
4ecf15db385618df073a304f9f3fd0c734b39572ed98ee1f6454d9b8686a7357

SHA512
c042978a29a17f8249f784ab042fe1b93f358c8c4f537c7014e5b9430e58fc4dd3bd056c401d2b2124c0b1414ba76f95daea2dd32d062783b848a46eb7cdc2cd

Download Submit
memory/1212-51-0x00007FFDB7D30000-0x00007FFDB7EA6000-memory.dmp

Filesize
1.5MB

Download
memory/1212-46-0x00007FFDB7D30000-0x00007FFDB7EA6000-memory.dmp

Filesize
1.5MB

Download
memory/1212-45-0x0000028306CC0000-0x0000028306CC7000-memory.dmp

Filesize
28KB

Download
memory/3280-85-0x00007FFDB7D30000-0x00007FFDB7EA6000-memory.dmp

Filesize
1.5MB

Download
memory/3280-82-0x000001769B430000-0x000001769B437000-memory.dmp

Filesize
28KB

Download
memory/3524-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-4-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/3524-28-0x00000000028E0000-0x00000000028E7000-memory.dmp

Filesize
28KB

Download
memory/3524-6-0x00007FFDD52AA000-0x00007FFDD52AB000-memory.dmp

Filesize
4KB

Download
memory/3524-29-0x00007FFDD53D0000-0x00007FFDD53E0000-memory.dmp

Filesize
64KB

Download
memory/3524-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3524-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4504-68-0x00007FFDB7D70000-0x00007FFDB7EA1000-memory.dmp

Filesize
1.2MB

Download
memory/4504-63-0x00007FFDB7D70000-0x00007FFDB7EA1000-memory.dmp

Filesize
1.2MB

Download
memory/4504-62-0x000001D437190000-0x000001D437197000-memory.dmp

Filesize
28KB

Download
memory/4524-38-0x00007FFDC6570000-0x00007FFDC66A0000-memory.dmp

Filesize
1.2MB

Download
memory/4524-0-0x0000024605E80000-0x0000024605E87000-memory.dmp

Filesize
28KB

Download
memory/4524-1-0x00007FFDC6570000-0x00007FFDC66A0000-memory.dmp

Filesize
1.2MB

Download