dridex | 32b3250666fa89539a9e89b14b35032a0d496166592382d3cda4685c42a08aee

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2653bc52ac82fd57843f88b6cfb3cdb_JaffaCakes118.dll
Size

1.4MB
MD5

d2653bc52ac82fd57843f88b6cfb3cdb
SHA1

27bdf0d4fa3e6088ab7a45849f826c125690ae08
SHA256

32b3250666fa89539a9e89b14b35032a0d496166592382d3cda4685c42a08aee
SHA512

24ce2014a7d984eacb7908f4eea16ec2a9edf35fe1e126005c71b5421efed6260bcd51f49aae50e151932c906bd1571e3e457d8a1cd340824d2a13013fea8364
SSDEEP

24576:0uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Np:s9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3484-4-0x0000000008B30000-0x0000000008B31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1016	isoburn.exe
4480	mstsc.exe
1204	printfilterpipelinesvc.exe

Loads dropped DLL 5 IoCs

pid	Process
1016	isoburn.exe
4480	mstsc.exe
1204	printfilterpipelinesvc.exe
1204	printfilterpipelinesvc.exe
1204	printfilterpipelinesvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ygssokoticw = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\KvoL9OVs\\mstsc.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3708	rundll32.exe
3708	rundll32.exe
3708	rundll32.exe
3708	rundll32.exe
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3484	Process not Found
Token: SeCreatePagefilePrivilege	3484	Process not Found
Token: SeShutdownPrivilege	3484	Process not Found
Token: SeCreatePagefilePrivilege	3484	Process not Found
Token: SeShutdownPrivilege	3484	Process not Found
Token: SeCreatePagefilePrivilege	3484	Process not Found
Token: SeShutdownPrivilege	3484	Process not Found
Token: SeCreatePagefilePrivilege	3484	Process not Found
Token: SeShutdownPrivilege	3484	Process not Found
Token: SeCreatePagefilePrivilege	3484	Process not Found
Token: SeShutdownPrivilege	3484	Process not Found
Token: SeCreatePagefilePrivilege	3484	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3484	Process not Found
3484	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3484	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 5088	3484	Process not Found	94
PID 3484 wrote to memory of 5088	3484	Process not Found	94
PID 3484 wrote to memory of 1016	3484	Process not Found	95
PID 3484 wrote to memory of 1016	3484	Process not Found	95
PID 3484 wrote to memory of 2416	3484	Process not Found	96
PID 3484 wrote to memory of 2416	3484	Process not Found	96
PID 3484 wrote to memory of 4480	3484	Process not Found	97
PID 3484 wrote to memory of 4480	3484	Process not Found	97
PID 3484 wrote to memory of 3232	3484	Process not Found	98
PID 3484 wrote to memory of 3232	3484	Process not Found	98
PID 3484 wrote to memory of 1204	3484	Process not Found	99
PID 3484 wrote to memory of 1204	3484	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2653bc52ac82fd57843f88b6cfb3cdb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3708

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:5088

C:\Users\Admin\AppData\Local\s8uMWaV\isoburn.exe
C:\Users\Admin\AppData\Local\s8uMWaV\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1016

C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
1⤵
PID:2416

C:\Users\Admin\AppData\Local\oISjpYr\mstsc.exe
C:\Users\Admin\AppData\Local\oISjpYr\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4480

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:3232

C:\Users\Admin\AppData\Local\EL2PueC\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\EL2PueC\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EL2PueC\XmlLite.dll

Filesize
1.4MB

MD5
8ae2bb9d57aa57fa59da806d852acea5

SHA1
94c8db954d69c93d35d9bbccf5429b8875349ce9

SHA256
55ff5f176a0b3c3f73f5654de620fef5f94ef44049afde99cfbf9c1b3bff6b2c

SHA512
bd29ef024f0ae85e8d20681fd5e97ddd64c7615bb5f80b4b1e89dbf3fa376f8ba5478ecb22560737d96c341d1505acfe6efdea44e215567589a9bd131757f021

Download Submit
C:\Users\Admin\AppData\Local\EL2PueC\printfilterpipelinesvc.exe

Filesize
813KB

MD5
331a40eabaa5870e316b401bd81c4861

SHA1
ddff65771ca30142172c0d91d5bfff4eb1b12b73

SHA256
105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

SHA512
29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

Download Submit
C:\Users\Admin\AppData\Local\oISjpYr\WINMM.dll

Filesize
1.4MB

MD5
ae57dfd91f386cc459fa3795f464f5aa

SHA1
9eac4c0e4ae7ae37291d85d28fc9f8251830513f

SHA256
3c81a153440acc549c9a8f017b83ae16c0e452fc82dcb16c0e1480a0e0dbaec4

SHA512
85050b138f5b48f718b2a7fc06ff886112f713b413c7347ecdad7567062c55f2f5e04086e5e6924ea4575b2acbe4efafc96a6a82e52b5bbb4c2cbbbc6ea0f9cd

Download Submit
C:\Users\Admin\AppData\Local\oISjpYr\mstsc.exe

Filesize
1.5MB

MD5
3a26640414cee37ff5b36154b1a0b261

SHA1
e0c28b5fdf53a202a7543b67bbc97214bad490ed

SHA256
1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f

SHA512
76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

Download Submit
C:\Users\Admin\AppData\Local\s8uMWaV\UxTheme.dll

Filesize
1.4MB

MD5
fc1be6d28a6e5d9fffdcd337c40cf698

SHA1
a81c0d802b1bae36525f1d4924812713f7f21a6a

SHA256
30d1590f6a222ef17022587f4e682912dff5ee53a70f545b3f31f638f01de9d3

SHA512
1213ad724a07c1bfb674654ca0a2eb0c9d098f9c7941b8d0be13311abe0896ff9f19fe48f53dfa6c8ce870b8890a0008c5f8e0d7edcd33a529ebd6e25544c94f

Download Submit
C:\Users\Admin\AppData\Local\s8uMWaV\isoburn.exe

Filesize
119KB

MD5
68078583d028a4873399ae7f25f64bad

SHA1
a3c928fe57856a10aed7fee17670627fe663e6fe

SHA256
9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567

SHA512
25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk

Filesize
1KB

MD5
55183b86e416043ccc11e7f557a73c17

SHA1
f4c73a8964b0d638aff3a074b2853f52a6c1a2e7

SHA256
3e538bcd5e957dc871f7ad5099153d3212f73723e779860376428e5c87fb53a3

SHA512
d1b0605e5339364cc6bdcab0d5c2fd52baff058c5ef4521c1df9ed4a7f31efe489c4e4869872809dfb6a1839def9fd5ed5e35c278490021c8b2b2415888e6083

Download Submit
memory/1016-51-0x00007FFD7FA90000-0x00007FFD7FBF4000-memory.dmp

Filesize
1.4MB

Download
memory/1016-45-0x00007FFD7FA90000-0x00007FFD7FBF4000-memory.dmp

Filesize
1.4MB

Download
memory/1016-48-0x0000016E6F970000-0x0000016E6F977000-memory.dmp

Filesize
28KB

Download
memory/1204-86-0x00007FFD7F5B0000-0x00007FFD7F714000-memory.dmp

Filesize
1.4MB

Download
memory/1204-81-0x00007FFD7F5B0000-0x00007FFD7F714000-memory.dmp

Filesize
1.4MB

Download
memory/3484-24-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3484-12-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3484-9-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3484-8-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3484-7-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3484-35-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3484-6-0x00007FFD9DE6A000-0x00007FFD9DE6B000-memory.dmp

Filesize
4KB

Download
memory/3484-15-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3484-13-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3484-14-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3484-16-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3484-10-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3484-34-0x00007FFD9E0F0000-0x00007FFD9E100000-memory.dmp

Filesize
64KB

Download
memory/3484-25-0x0000000008320000-0x0000000008327000-memory.dmp

Filesize
28KB

Download
memory/3484-4-0x0000000008B30000-0x0000000008B31000-memory.dmp

Filesize
4KB

Download
memory/3484-11-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3708-0-0x00007FFD8F140000-0x00007FFD8F2A3000-memory.dmp

Filesize
1.4MB

Download
memory/3708-38-0x00007FFD8F140000-0x00007FFD8F2A3000-memory.dmp

Filesize
1.4MB

Download
memory/3708-3-0x0000017EC3630000-0x0000017EC3637000-memory.dmp

Filesize
28KB

Download
memory/4480-68-0x00007FFD7FA90000-0x00007FFD7FBF5000-memory.dmp

Filesize
1.4MB

Download
memory/4480-63-0x00007FFD7FA90000-0x00007FFD7FBF5000-memory.dmp

Filesize
1.4MB

Download
memory/4480-62-0x000001FC25D60000-0x000001FC25D67000-memory.dmp

Filesize
28KB

Download