dridex | 8dfde40a120fd5954b84e6b064cbe332f43b877ab1787cce2f9e4552cb077e3b

Analysis

max time kernel
149s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de3a0b9b0192ab009b5fb6780863a6de_JaffaCakes118.dll
Size

1.2MB
MD5

de3a0b9b0192ab009b5fb6780863a6de
SHA1

47201ab5c416f3dc1850be9d9af2d5785ac6eaf0
SHA256

8dfde40a120fd5954b84e6b064cbe332f43b877ab1787cce2f9e4552cb077e3b
SHA512

bee84eae73e1426f4f8287e3d012189af4ff5ee8659f2800091866584d643a19435f6aa152b322da148b27bb5bf8cf3ad081f30a75cc9dc46ef525f10abffbec
SSDEEP

24576:yuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9Nb:a9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3456-4-0x00000000073D0000-0x00000000073D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4072	SystemPropertiesHardware.exe
3400	osk.exe
2968	ApplicationFrameHost.exe

Loads dropped DLL 3 IoCs

pid	Process
4072	SystemPropertiesHardware.exe
3400	osk.exe
2968	ApplicationFrameHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qebzqfuc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\6FnspAJAZVA\\osk.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplicationFrameHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3160	rundll32.exe
3160	rundll32.exe
3160	rundll32.exe
3160	rundll32.exe
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found
3456	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found
Token: SeShutdownPrivilege	3456	Process not Found
Token: SeCreatePagefilePrivilege	3456	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3456	Process not Found
3456	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3456	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 2360	3456	Process not Found	94
PID 3456 wrote to memory of 2360	3456	Process not Found	94
PID 3456 wrote to memory of 4072	3456	Process not Found	95
PID 3456 wrote to memory of 4072	3456	Process not Found	95
PID 3456 wrote to memory of 3644	3456	Process not Found	96
PID 3456 wrote to memory of 3644	3456	Process not Found	96
PID 3456 wrote to memory of 3400	3456	Process not Found	97
PID 3456 wrote to memory of 3400	3456	Process not Found	97
PID 3456 wrote to memory of 2492	3456	Process not Found	98
PID 3456 wrote to memory of 2492	3456	Process not Found	98
PID 3456 wrote to memory of 2968	3456	Process not Found	99
PID 3456 wrote to memory of 2968	3456	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de3a0b9b0192ab009b5fb6780863a6de_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3160

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:2360

C:\Users\Admin\AppData\Local\SIiSEfTC\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\SIiSEfTC\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4072

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:3644

C:\Users\Admin\AppData\Local\65Es0kd2x\osk.exe
C:\Users\Admin\AppData\Local\65Es0kd2x\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3400

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:2492

C:\Users\Admin\AppData\Local\DwKMg57\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\DwKMg57\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\65Es0kd2x\OLEACC.dll

Filesize
1.2MB

MD5
ea5537562d6d06d2b18676f098d47e9d

SHA1
39c643fd07614bf664daff9dfb8d619ae217e133

SHA256
c48b9467b4578f0646ceafeb1729a56ee04b06b64310d90a9bc65d0f8bd4386c

SHA512
ac305ed382dc3cfc29238f5723ff8104184c08b3c256752f2ce7180ca4851bc9379047f6e8420d29dd88e4cb7e0d015aa89cc246a728188acf6e204c31e71833

Download Submit
C:\Users\Admin\AppData\Local\65Es0kd2x\osk.exe

Filesize
638KB

MD5
745f2df5beed97b8c751df83938cb418

SHA1
2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

SHA256
f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

SHA512
2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

Download Submit
C:\Users\Admin\AppData\Local\DwKMg57\ApplicationFrameHost.exe

Filesize
76KB

MD5
d58a8a987a8dafad9dc32a548cc061e7

SHA1
f79fc9e0ab066cad530b949c2153c532a5223156

SHA256
cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

SHA512
93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Download Submit
C:\Users\Admin\AppData\Local\DwKMg57\dxgi.dll

Filesize
1.2MB

MD5
17402d518f908fb79bc08a7db11f4262

SHA1
e154c760a6304a445357defeab031bda95d699c5

SHA256
a133d78d624dacf5c37c8b0a2013c79ff93a0fd8e2b9bc7ef6d71c85c8a87a23

SHA512
8a297092d2f1cc0378aa3aeaf09509f41ad0f636ac88de05ec5ce91fde961e3c6b748ca4013c110cc90d02c23ce1b7f0b35a64ece632bf9fe04f8d95b33a5fb3

Download Submit
C:\Users\Admin\AppData\Local\SIiSEfTC\SYSDM.CPL

Filesize
1.2MB

MD5
029bd4307d6917107951140bc6dade9c

SHA1
7de230e0f72a4622597f32c0f28c32ae6983560d

SHA256
4721b8e956ba4abcf07f13522c742f1427f55a332b4964e79ea9c401a41f4c78

SHA512
58c9a0caf53b860a8295db99dfac1d7374532a2495dad0cc8b2e061a09c94a139d5f52c4f399ead145397a47f8099c72f125b072d05f9f132b7eb5205c6de3c1

Download Submit
C:\Users\Admin\AppData\Local\SIiSEfTC\SystemPropertiesHardware.exe

Filesize
82KB

MD5
bf5bc0d70a936890d38d2510ee07a2cd

SHA1
69d5971fd264d8128f5633db9003afef5fad8f10

SHA256
c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

SHA512
0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk

Filesize
1KB

MD5
389e554664d856dd28a84e3a1cbc96a6

SHA1
0a1922fc70e11262019f9c195f651248754b3c04

SHA256
347f4b4e96525c7973f25481115f970a2431a8b33b6eee8aad3b2d0218e79d0b

SHA512
1b451d0b92d2a63495f979aa27d2b5cbf4838a0628d2e475ae5b6165151fe02ecfcf17cd135e84a0f9ffce2699369618236204fdd19e600338988f9e64b5a0da

Download Submit
memory/2968-86-0x00007FF81BC60000-0x00007FF81BD93000-memory.dmp

Filesize
1.2MB

Download
memory/2968-80-0x000002CF67470000-0x000002CF67477000-memory.dmp

Filesize
28KB

Download
memory/3160-1-0x00007FF82B010000-0x00007FF82B142000-memory.dmp

Filesize
1.2MB

Download
memory/3160-3-0x0000020D1A0D0000-0x0000020D1A0D7000-memory.dmp

Filesize
28KB

Download
memory/3160-39-0x00007FF82B010000-0x00007FF82B142000-memory.dmp

Filesize
1.2MB

Download
memory/3400-64-0x00007FF81BA10000-0x00007FF81BB43000-memory.dmp

Filesize
1.2MB

Download
memory/3400-63-0x0000028D7ABE0000-0x0000028D7ABE7000-memory.dmp

Filesize
28KB

Download
memory/3400-69-0x00007FF81BA10000-0x00007FF81BB43000-memory.dmp

Filesize
1.2MB

Download
memory/3456-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3456-30-0x00007FF83A110000-0x00007FF83A120000-memory.dmp

Filesize
64KB

Download
memory/3456-25-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3456-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3456-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3456-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3456-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3456-4-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/3456-5-0x00007FF8386DA000-0x00007FF8386DB000-memory.dmp

Filesize
4KB

Download
memory/3456-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3456-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3456-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3456-29-0x00000000073B0000-0x00000000073B7000-memory.dmp

Filesize
28KB

Download
memory/3456-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3456-36-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3456-18-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3456-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/4072-52-0x00007FF81BC60000-0x00007FF81BD93000-memory.dmp

Filesize
1.2MB

Download
memory/4072-47-0x00007FF81BC60000-0x00007FF81BD93000-memory.dmp

Filesize
1.2MB

Download
memory/4072-46-0x0000024D144C0000-0x0000024D144C7000-memory.dmp

Filesize
28KB

Download