dridex | 05d450ee3454e6ca1e2b3d3adc4cf104b85d39bf4d219daa7951b2ff7d834b97

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcea7f27744c02429fdf1c007ad07bb0_JaffaCakes118.dll
Size

1.2MB
MD5

dcea7f27744c02429fdf1c007ad07bb0
SHA1

5ae352c4ae07d6327ceee302739a5ebe5ce12c81
SHA256

05d450ee3454e6ca1e2b3d3adc4cf104b85d39bf4d219daa7951b2ff7d834b97
SHA512

0a751a9187dd67c7cc3ac068737f95892bee0e67024f51d5e5041b932fb965be99cd88a73507677b5a920b375c89843741d65ce918b83c06b59e6235c1246961
SSDEEP

24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N7t:m9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3464-4-0x0000000000E70000-0x0000000000E71000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

printfilterpipelinesvc.exeRecoveryDrive.exesigverif.exe

pid	Process
404	printfilterpipelinesvc.exe
376	RecoveryDrive.exe
4964	sigverif.exe

Loads dropped DLL 3 IoCs

Processes:

printfilterpipelinesvc.exeRecoveryDrive.exesigverif.exe

pid	Process
404	printfilterpipelinesvc.exe
376	RecoveryDrive.exe
4964	sigverif.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ftxdckjforivc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\33ayAXQ91\\RecoveryDrive.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeprintfilterpipelinesvc.exeRecoveryDrive.exesigverif.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RecoveryDrive.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
4764	rundll32.exe
4764	rundll32.exe
4764	rundll32.exe
4764	rundll32.exe
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3464

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3464 wrote to memory of 4616	3464	93
PID 3464 wrote to memory of 4616	3464	93
PID 3464 wrote to memory of 404	3464	94
PID 3464 wrote to memory of 404	3464	94
PID 3464 wrote to memory of 4008	3464	95
PID 3464 wrote to memory of 4008	3464	95
PID 3464 wrote to memory of 376	3464	96
PID 3464 wrote to memory of 376	3464	96
PID 3464 wrote to memory of 3252	3464	97
PID 3464 wrote to memory of 3252	3464	97
PID 3464 wrote to memory of 4964	3464	98
PID 3464 wrote to memory of 4964	3464	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dcea7f27744c02429fdf1c007ad07bb0_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4764

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:4616

C:\Users\Admin\AppData\Local\MPwOKqANm\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\MPwOKqANm\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:404

C:\Windows\system32\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
1⤵
PID:4008

C:\Users\Admin\AppData\Local\mfGArKN\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\mfGArKN\RecoveryDrive.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:376

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:3252

C:\Users\Admin\AppData\Local\3gg\sigverif.exe
C:\Users\Admin\AppData\Local\3gg\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3gg\VERSION.dll

Filesize
1.2MB

MD5
1b3eda4e1fefdc551505e4c0e2a6a286

SHA1
afcc18322efa47dc4e07c842de65a52acbb58b3f

SHA256
e4ef9c2cdea32012fca6d7421fe734f29d992d50fbe2b37757ff208fc14e880c

SHA512
c9efb02da2f736a3c8d1053ade3ef0c0a8908125a6f4d05118940a391ddb166e993dbebc218be9afe2aa5b55b146c1741dba0ed544cb453b675ed4d75efc7302

Download Submit
C:\Users\Admin\AppData\Local\3gg\sigverif.exe

Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Local\MPwOKqANm\XmlLite.dll

Filesize
1.2MB

MD5
6e48ecce49d865c198acb63d7efa0612

SHA1
30c6c88d9ecf9f94f73ea013db8b056a26cac37a

SHA256
c716a2c4d6adcf74100d5a5ec1e9697df310d3cbfbcc7fb38826528a5479c629

SHA512
520761058ce5dc48783f3730d960389430a0cc5cbd50fca200b99e583bb6ef937d000d0efcc00e92e768b68e5cca46e01db08ae39b09e9dc79faee50d8973895

Download Submit
C:\Users\Admin\AppData\Local\MPwOKqANm\printfilterpipelinesvc.exe

Filesize
813KB

MD5
331a40eabaa5870e316b401bd81c4861

SHA1
ddff65771ca30142172c0d91d5bfff4eb1b12b73

SHA256
105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

SHA512
29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

Download Submit
C:\Users\Admin\AppData\Local\mfGArKN\ReAgent.dll

Filesize
1.2MB

MD5
6bdb46161039d275030d753e78a0e7d7

SHA1
e41e638ab4adee0d6bedacefb8fae6b9d00ed9bc

SHA256
8ffecc2f7c57ee5314eaa9cfee71fe65d97c56b263be23291856743999fda8f0

SHA512
5a40c91ae9516dbf50b53fd6c16b925491f467bb89720e3c86d420e715f087cc68e2ed198564a46361468bb342c069246c89a6d03f6a3539f01af571df811188

Download Submit
C:\Users\Admin\AppData\Local\mfGArKN\RecoveryDrive.exe

Filesize
911KB

MD5
b9b3dc6f2eb89e41ff27400952602c74

SHA1
24ae07e0db3ace0809d08bbd039db3a9d533e81b

SHA256
630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

SHA512
7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppmzgvduo.lnk

Filesize
1KB

MD5
5b29b53bfb17da439a940c10bd4169ab

SHA1
1adc48d281be7d87196ae02b8da36e42940c20fc

SHA256
2b8f932b7be31366c4cd4bee01b553dd31f4652a5fde1d228b2acd64878970b9

SHA512
c493242813a1049508e415e91dd6999749f33c78e1eb9244cf8cedad23108f263e2adf89e1ea9a23cf619af0cfc19d40ca76543b47090af0e1334b37116a8e03

Download Submit
memory/376-66-0x0000027680610000-0x0000027680617000-memory.dmp

Filesize
28KB

Download
memory/376-63-0x00007FF80AF50000-0x00007FF80B082000-memory.dmp

Filesize
1.2MB

Download
memory/376-69-0x00007FF80AF50000-0x00007FF80B082000-memory.dmp

Filesize
1.2MB

Download
memory/404-52-0x00007FF80B010000-0x00007FF80B142000-memory.dmp

Filesize
1.2MB

Download
memory/404-47-0x00007FF80B010000-0x00007FF80B142000-memory.dmp

Filesize
1.2MB

Download
memory/404-46-0x0000021ABB9B0000-0x0000021ABB9B7000-memory.dmp

Filesize
28KB

Download
memory/3464-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-6-0x00007FF827ACA000-0x00007FF827ACB000-memory.dmp

Filesize
4KB

Download
memory/3464-4-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/3464-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3464-27-0x00007FF8286F0000-0x00007FF828700000-memory.dmp

Filesize
64KB

Download
memory/3464-26-0x0000000000C90000-0x0000000000C97000-memory.dmp

Filesize
28KB

Download
memory/3464-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4764-0-0x00007FF819CC0000-0x00007FF819DF1000-memory.dmp

Filesize
1.2MB

Download
memory/4764-39-0x00007FF819CC0000-0x00007FF819DF1000-memory.dmp

Filesize
1.2MB

Download
memory/4764-3-0x0000028A6A180000-0x0000028A6A187000-memory.dmp

Filesize
28KB

Download
memory/4964-85-0x00007FF80B010000-0x00007FF80B142000-memory.dmp

Filesize
1.2MB

Download