dridex | f2f6b3965cee4f171cec6a3e05067252f127e466dd090fe5fd22d957267a2076

Analysis

max time kernel
129s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd52a36ef1f73ebca3e8bbb12b5f4a9c_JaffaCakes118.dll
Size

1.2MB
MD5

cd52a36ef1f73ebca3e8bbb12b5f4a9c
SHA1

5f7b23a06b43436f64d30ebeb64936d2816d170a
SHA256

f2f6b3965cee4f171cec6a3e05067252f127e466dd090fe5fd22d957267a2076
SHA512

0c259f41ba031cb19f74faab856f3afb89a7e82d6df0d5de673ef73e8e4d79a35342a314fe722c4dca81f01da60b4e608ef060cf16d2e118eae79ee79174b039
SSDEEP

24576:yuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:a9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3476-4-0x0000000002700000-0x0000000002701000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4452	Netplwiz.exe
3396	LockScreenContentServer.exe
3392	cmstp.exe

Loads dropped DLL 3 IoCs

pid	Process
4452	Netplwiz.exe
3396	LockScreenContentServer.exe
3392	cmstp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zsovh = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\4VZSu1Ld\\LOCKSC~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LockScreenContentServer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3188	rundll32.exe
3188	rundll32.exe
3188	rundll32.exe
3188	rundll32.exe
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3476	Process not Found
3476	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3476	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 2376	3476	Process not Found	96
PID 3476 wrote to memory of 2376	3476	Process not Found	96
PID 3476 wrote to memory of 4452	3476	Process not Found	97
PID 3476 wrote to memory of 4452	3476	Process not Found	97
PID 3476 wrote to memory of 1228	3476	Process not Found	98
PID 3476 wrote to memory of 1228	3476	Process not Found	98
PID 3476 wrote to memory of 3396	3476	Process not Found	99
PID 3476 wrote to memory of 3396	3476	Process not Found	99
PID 3476 wrote to memory of 3012	3476	Process not Found	100
PID 3476 wrote to memory of 3012	3476	Process not Found	100
PID 3476 wrote to memory of 3392	3476	Process not Found	101
PID 3476 wrote to memory of 3392	3476	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd52a36ef1f73ebca3e8bbb12b5f4a9c_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3188

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2376

C:\Users\Admin\AppData\Local\IJtoLE9\Netplwiz.exe
C:\Users\Admin\AppData\Local\IJtoLE9\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4452

C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\LockScreenContentServer.exe
1⤵
PID:1228

C:\Users\Admin\AppData\Local\slJ\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\slJ\LockScreenContentServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3396

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:3012

C:\Users\Admin\AppData\Local\XEE6Hk6WA\cmstp.exe
C:\Users\Admin\AppData\Local\XEE6Hk6WA\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IJtoLE9\NETPLWIZ.dll

Filesize
1.2MB

MD5
204fa3130cdda474ecbddd38767d5813

SHA1
f2904aa10ed3e221c3c543a9f82fb78d3a6e761f

SHA256
5ee06ae4660d800d5927dc2e2fd4669b678d991c0a25d754249e9a985f6d5967

SHA512
3bfe31ab1078254da3680037795dc0675953590922c586b63011a50915583172d73cb32f237cc4588f5e44dc322565d86999b2a69a700212943229f24fb83a5c

Download Submit
C:\Users\Admin\AppData\Local\IJtoLE9\Netplwiz.exe

Filesize
40KB

MD5
520a7b7065dcb406d7eca847b81fd4ec

SHA1
d1b3b046a456630f65d482ff856c71dfd2f335c8

SHA256
8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d

SHA512
7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

Download Submit
C:\Users\Admin\AppData\Local\XEE6Hk6WA\VERSION.dll

Filesize
1.2MB

MD5
317cc0162e9452e326d391947b9ca981

SHA1
8605d588f786fec586a0d8862d3010d6ed78ce72

SHA256
186510c30a3480093190660e52304b749b2586b69fedcd5f4996deb357b308fb

SHA512
bb352f3da0a362378d1f3b6856b85ae9673cd47bec35112ddca76fd575720bb2ff2bc1af3f7b2ad69ae13b8c9502c639f451b58b19966873b02ac5ec072cae00

Download Submit
C:\Users\Admin\AppData\Local\XEE6Hk6WA\cmstp.exe

Filesize
96KB

MD5
4cc43fe4d397ff79fa69f397e016df52

SHA1
8fd6cf81ad40c9b123cd75611860a8b95c72869c

SHA256
f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

SHA512
851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

Download Submit
C:\Users\Admin\AppData\Local\slJ\DUI70.dll

Filesize
1.4MB

MD5
b956cf526e15242863720a900a63f82f

SHA1
d0f3d6497dc106d92added78e4ac694e9bd7a3f9

SHA256
98f03f35bcb99dd4f70d12a0b261f2791941524c6640b2643ee637af5239ed0f

SHA512
32df9560a8ee52d855c0ef3d07209de60e0ba4ad78e8973daf83ce46e1059251dd71ed8dc810d7b95fc560f74cc96e054acd55faf5a2e2510c5787b5734195f6

Download Submit
C:\Users\Admin\AppData\Local\slJ\LockScreenContentServer.exe

Filesize
47KB

MD5
a0b7513c98cf46ca2cea3a567fec137c

SHA1
2307fc8e3fc620ea3c2fdc6248ad4658479ba995

SHA256
cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

SHA512
3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Sfbjsepzltomqmf.lnk

Filesize
1KB

MD5
842f3d39e51b210def4837dbf139089f

SHA1
86f1559f2a63061ebfcd6f2fda011bcd6425dbd4

SHA256
2d2dcb5b158a29f6ee998a83d37a38db1b95017cedda9a593f691cc50974bff1

SHA512
31895d6c81756e6770d7aa7506062373cc150f7dd01898f271d45a138649898a7d38594248bccab8b60214877a719cfefa01c1155f1309394c698a04be69bde1

Download Submit
memory/3188-0-0x00007FFAE5170000-0x00007FFAE52A2000-memory.dmp

Filesize
1.2MB

Download
memory/3188-2-0x000001B9B5470000-0x000001B9B5477000-memory.dmp

Filesize
28KB

Download
memory/3188-39-0x00007FFAE5170000-0x00007FFAE52A2000-memory.dmp

Filesize
1.2MB

Download
memory/3392-86-0x00007FFAD61C0000-0x00007FFAD62F3000-memory.dmp

Filesize
1.2MB

Download
memory/3392-80-0x0000021B75F90000-0x0000021B75F97000-memory.dmp

Filesize
28KB

Download
memory/3396-63-0x0000018844650000-0x0000018844657000-memory.dmp

Filesize
28KB

Download
memory/3396-64-0x00007FFAD60E0000-0x00007FFAD6258000-memory.dmp

Filesize
1.5MB

Download
memory/3396-69-0x00007FFAD60E0000-0x00007FFAD6258000-memory.dmp

Filesize
1.5MB

Download
memory/3476-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3476-36-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3476-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3476-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3476-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3476-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3476-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3476-6-0x00007FFAF276A000-0x00007FFAF276B000-memory.dmp

Filesize
4KB

Download
memory/3476-4-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/3476-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3476-17-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3476-25-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3476-30-0x00000000026E0000-0x00000000026E7000-memory.dmp

Filesize
28KB

Download
memory/3476-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3476-31-0x00007FFAF3BF0000-0x00007FFAF3C00000-memory.dmp

Filesize
64KB

Download
memory/3476-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3476-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/4452-52-0x00007FFAD61C0000-0x00007FFAD62F3000-memory.dmp

Filesize
1.2MB

Download
memory/4452-47-0x00007FFAD61C0000-0x00007FFAD62F3000-memory.dmp

Filesize
1.2MB

Download
memory/4452-46-0x00000292EFEE0000-0x00000292EFEE7000-memory.dmp

Filesize
28KB

Download