dridex | fad001d463e892e7844040cabdcfa8f8431c07e7ef1ffd76ffbd190f49d7693d

Analysis

max time kernel
104s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe
Size

734KB
MD5

d594e8a2098a81c9bfa24f3c17c992e6
SHA1

b9c820973407c7b4bef5b9ce98b7af62cafa397d
SHA256

fad001d463e892e7844040cabdcfa8f8431c07e7ef1ffd76ffbd190f49d7693d
SHA512

50049d1ded3f8cfcb6aa839c0341e91bb39b46dbd5376533f2725ce27e6ae5059d3f5af71100dd025b03b7a3cf90bfa920a93818ac1bafb30c65460514c4fd47
SSDEEP

12288:EY20AljdZgBPfKfi1leppjfQxAogJfqsUsz0cX0rLfGLEXTMd8MQ5B5rxVCz:Z20gPgFKLfQxAVBbIcXQGL+MWMwTrxMz

Score

10^/10

dridex 10555 botnet discovery evasion

Malware Config

Extracted

Family

dridex

Botnet

10555

151.236.219.181:443

142.4.6.57:14043

162.144.127.197:3786

103.40.116.68:5443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4852	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
732	PLS.exe

Loads dropped DLL 1 IoCs

pid	Process
4768	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PLS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
1900	timeout.exe
1324	timeout.exe
4488	timeout.exe
3524	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 1224	4476	d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe	86
PID 4476 wrote to memory of 1224	4476	d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe	86
PID 4476 wrote to memory of 1224	4476	d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe	86
PID 1224 wrote to memory of 2276	1224	WScript.exe	87
PID 1224 wrote to memory of 2276	1224	WScript.exe	87
PID 1224 wrote to memory of 2276	1224	WScript.exe	87
PID 2276 wrote to memory of 1900	2276	cmd.exe	89
PID 2276 wrote to memory of 1900	2276	cmd.exe	89
PID 2276 wrote to memory of 1900	2276	cmd.exe	89
PID 2276 wrote to memory of 732	2276	cmd.exe	94
PID 2276 wrote to memory of 732	2276	cmd.exe	94
PID 2276 wrote to memory of 732	2276	cmd.exe	94
PID 2276 wrote to memory of 1324	2276	cmd.exe	95
PID 2276 wrote to memory of 1324	2276	cmd.exe	95
PID 2276 wrote to memory of 1324	2276	cmd.exe	95
PID 2276 wrote to memory of 4512	2276	cmd.exe	97
PID 2276 wrote to memory of 4512	2276	cmd.exe	97
PID 2276 wrote to memory of 4512	2276	cmd.exe	97
PID 2276 wrote to memory of 4488	2276	cmd.exe	98
PID 2276 wrote to memory of 4488	2276	cmd.exe	98
PID 2276 wrote to memory of 4488	2276	cmd.exe	98
PID 4512 wrote to memory of 3824	4512	WScript.exe	99
PID 4512 wrote to memory of 3824	4512	WScript.exe	99
PID 4512 wrote to memory of 3824	4512	WScript.exe	99
PID 3824 wrote to memory of 4852	3824	cmd.exe	101
PID 3824 wrote to memory of 4852	3824	cmd.exe	101
PID 3824 wrote to memory of 4852	3824	cmd.exe	101
PID 3824 wrote to memory of 3524	3824	cmd.exe	102
PID 3824 wrote to memory of 3524	3824	cmd.exe	102
PID 3824 wrote to memory of 3524	3824	cmd.exe	102
PID 3824 wrote to memory of 4768	3824	cmd.exe	105
PID 3824 wrote to memory of 4768	3824	cmd.exe	105
PID 3824 wrote to memory of 4768	3824	cmd.exe	105

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4852	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d594e8a2098a81c9bfa24f3c17c992e6_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\XIU\configurate\selector.vbs" /f=CREATE_NO_WINDOW install.cmd
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\XIU\configurate\dsep.bat" "
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1900
  - - C:\XIU\configurate\PLS.exe
      "PLS.exe" e -pVersion hl.rar
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1324
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\XIU\configurate\fatless.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\XIU\configurate\lll.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\XIU"
        6⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4852
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3524
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 -s CONFIG.dll
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4768
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 4
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\XIU\configurate\CONFIG.dll

Filesize
324KB

MD5
031f318c8ab815cda0d447904a925cf7

SHA1
2bbca22cb0355f1ad4acedd9dd69ebaaeddf6b9e

SHA256
9492c6842475059a6af7f4b8c42e03944f08938243fa393713a5a6a930d79bcd

SHA512
519a54859e82861cf3f73b3a6ac400b57bd560a53867b8396aa8c286a5ee4e675c75c3f80ddc0cb4e0ef80300ada6b4e985bd4bb73bdc8d1c56a673240a83c4d

Download Submit
C:\XIU\configurate\PLS.exe

Filesize
551KB

MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\XIU\configurate\SLP.txt

Filesize
212KB

MD5
24fdf4791a3efa0178e677b0e03c12b1

SHA1
f5f45b8c35cf303eff77aa1fbe02e9bd4318c7d7

SHA256
6740389c8266848199851648c4228df7401dd30c8dec89ab7827f1bec7ab522b

SHA512
f9b71717cdd61a9539dd93267f4d039e0de7dd8933b9f63679466a881884b06ccdc666d27bb6b9909127101a63879b33a1165a83fff9d6ce3009ed5e7b97b6da

Download Submit
C:\XIU\configurate\dsep.bat

Filesize
569B

MD5
9318a04c2d4d80719382a7e73c28736b

SHA1
ddb5096d2841b575a941ecaf79fee8e2365563ae

SHA256
db74d354ad34fa9a0dafd9b846574855b480590ebf06879d87844060cf50ff4b

SHA512
0dd33ebf730e77a1d55996b14a560f1584e17e55e5a6efdedd3bce2ecdd0e7f892c9ae2b4bef8ee68a723ef9d02717e9f9fb3939f1b95cacaeacd29b28e70717

Download Submit
C:\XIU\configurate\fatless.vbs

Filesize
99B

MD5
75214af723ca4720e0aa365eb3ef6f5b

SHA1
a6b73a92246cd3b857e32e2a8a26ee8fc52fdcb4

SHA256
06d4a788d4c91c141b933199826ac3b4df8d6027f818fc2b198043773ea132e4

SHA512
91b7752a63e694641f17187cdb8e1a7876eda195f3070d6fee210b6210e2897833bc08b770db6e82cfec7a99e3fae5c01588872eb2aa60dccdc4064363f54c58

Download Submit
C:\XIU\configurate\lll.bat

Filesize
692B

MD5
70c1b14895a29502d3e94e395606f82d

SHA1
a02fff1f3a0c1c8ff5453a5de715cbe5ba227185

SHA256
b449d3d5b476b1a53bbe6b5d6fef93e89d8456450e84b1c349237c6a8df3b65d

SHA512
8f9a8975124738b7a5ad1e0d92549f45a06c6efa8fac7d3c07ce16399a6aeed5644c14bf56cec56c83a293835cfb994a99d3e75dc5e9ea7f41e9e354760f742c

Download Submit
C:\XIU\configurate\selector.vbs

Filesize
82B

MD5
9cce3084f1850c3be989cc47fab4ee71

SHA1
e490f01a46f85c155c2848affda6d2c7b0791c8b

SHA256
332462b21eed1bcbd9c198851e28b789893628410e7268ddc022a40e2f7f94c1

SHA512
30cc59e8e1a5b20a1c59bb437dc96cf65f7bbfa798617a77a613ae89012be78bda38c51278411ba511a7058eaca728e160a0d6d29f5defaeafa4dc7f64458f88

Download Submit
memory/4768-26-0x0000000073AE0000-0x0000000073B31000-memory.dmp

Filesize
324KB

Download
memory/4768-28-0x0000000073AE0000-0x0000000073B31000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads