dridex | 2579ef73b4428c682a9609a873d3b415a65ff2f61387d72270f1dcf5c07034b2

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de915c885da0de165bf8c0e92d702b7a_JaffaCakes118.dll
Size

1.2MB
MD5

de915c885da0de165bf8c0e92d702b7a
SHA1

27e5f69d7ecbeefa9babd6e43295dd62b9b9b8ff
SHA256

2579ef73b4428c682a9609a873d3b415a65ff2f61387d72270f1dcf5c07034b2
SHA512

9c7c80efbf5cc3142882ecc36ac9a4ee5390f89830d3d09c700ea153d8f681fd5976fc7e549682951cc0110c80e7cdc9bbbbbb5ddb5cd80b01cba385cb2f5477
SSDEEP

24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3504-4-0x0000000008C20000-0x0000000008C21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

pid	Process
3748	dccw.exe
3144	SystemSettingsRemoveDevice.exe
1728	wermgr.exe
1164	mstsc.exe

Loads dropped DLL 3 IoCs

pid	Process
3748	dccw.exe
3144	SystemSettingsRemoveDevice.exe
1164	mstsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zsovh = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\Ye\\SystemSettingsRemoveDevice.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstsc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3992	rundll32.exe
3992	rundll32.exe
3992	rundll32.exe
3992	rundll32.exe
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found
3504	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found
Token: SeShutdownPrivilege	3504	Process not Found
Token: SeCreatePagefilePrivilege	3504	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3504	Process not Found
3504	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3504	Process not Found

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 4304	3504	Process not Found	94
PID 3504 wrote to memory of 4304	3504	Process not Found	94
PID 3504 wrote to memory of 3748	3504	Process not Found	95
PID 3504 wrote to memory of 3748	3504	Process not Found	95
PID 3504 wrote to memory of 3520	3504	Process not Found	96
PID 3504 wrote to memory of 3520	3504	Process not Found	96
PID 3504 wrote to memory of 3144	3504	Process not Found	97
PID 3504 wrote to memory of 3144	3504	Process not Found	97
PID 3504 wrote to memory of 5040	3504	Process not Found	98
PID 3504 wrote to memory of 5040	3504	Process not Found	98
PID 3504 wrote to memory of 1728	3504	Process not Found	99
PID 3504 wrote to memory of 1728	3504	Process not Found	99
PID 3504 wrote to memory of 1696	3504	Process not Found	100
PID 3504 wrote to memory of 1696	3504	Process not Found	100
PID 3504 wrote to memory of 1164	3504	Process not Found	101
PID 3504 wrote to memory of 1164	3504	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de915c885da0de165bf8c0e92d702b7a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3992

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:4304

C:\Users\Admin\AppData\Local\nTSx\dccw.exe
C:\Users\Admin\AppData\Local\nTSx\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3748

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:3520

C:\Users\Admin\AppData\Local\zkGF1RR\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\zkGF1RR\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3144

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
1⤵
PID:5040

C:\Users\Admin\AppData\Local\eVs\wermgr.exe
C:\Users\Admin\AppData\Local\eVs\wermgr.exe
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
1⤵
PID:1696

C:\Users\Admin\AppData\Local\quY1jQT\mstsc.exe
C:\Users\Admin\AppData\Local\quY1jQT\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\eVs\wermgr.exe

Filesize
223KB

MD5
f7991343cf02ed92cb59f394e8b89f1f

SHA1
573ad9af63a6a0ab9b209ece518fd582b54cfef5

SHA256
1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

SHA512
fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

Download Submit
C:\Users\Admin\AppData\Local\nTSx\dccw.exe

Filesize
101KB

MD5
cb9374911bf5237179785c739a322c0f

SHA1
3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

SHA256
f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

SHA512
9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

Download Submit
C:\Users\Admin\AppData\Local\nTSx\dxva2.dll

Filesize
1.2MB

MD5
cf735b4a3d04c32a3c549a031c87d373

SHA1
d6a90c88de98a0b1a1d5e53b27b444fc59cf0a72

SHA256
c2ed1693bef7afd5d4ecbbbe765716ba9d71c498d7a9ce9c8c9e81b91f72f81b

SHA512
69dcfb0e61ea7fdb7edacb1fdfd0c171a7be94727d0d813a95a709bfd9e0f4da7158dd565eb3e9f779dcbc3980dd8d3e4fb7b50f4810944556e0efe4868195b8

Download Submit
C:\Users\Admin\AppData\Local\quY1jQT\credui.dll

Filesize
1.2MB

MD5
2e948f552ecc79c104939b6c8d82e7da

SHA1
81fa571c7dda00e65df64c42472749124f2eba30

SHA256
04a815c2d5dfd455ead9ea3fb934205d108838bde8544ee3ab8d17a3446ab847

SHA512
bea3830996ee0a4a63fade75979516a2eed2b64274ae934304ba53179a66ee5c1ca4fb5a4172d5cdfe3a35e5866d9bbc2970fe6bfa1e0e7e7563498f8162bce7

Download Submit
C:\Users\Admin\AppData\Local\quY1jQT\mstsc.exe

Filesize
1.5MB

MD5
3a26640414cee37ff5b36154b1a0b261

SHA1
e0c28b5fdf53a202a7543b67bbc97214bad490ed

SHA256
1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f

SHA512
76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

Download Submit
C:\Users\Admin\AppData\Local\zkGF1RR\DUI70.dll

Filesize
1.4MB

MD5
dc2d759319212ac0e0a885c0df472f3d

SHA1
f2ccf7c5e4735144b68aaa575c96f3cb40209de0

SHA256
6267b5092a41ea1d9b2fc269c23730196335bc750647634db89e9c21dc41944a

SHA512
3bff3c44f1b3488089b8575f7bfc7f863a1b162daba2689d2f955e0ad3abd0198a70aa58430ba159874c2090cb619a2a52335de0de55e2d07b6423f3cafc0f90

Download Submit
C:\Users\Admin\AppData\Local\zkGF1RR\SystemSettingsRemoveDevice.exe

Filesize
39KB

MD5
7853f1c933690bb7c53c67151cbddeb0

SHA1
d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

SHA256
9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

SHA512
831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Sfbjsepzltomqmf.lnk

Filesize
1KB

MD5
fa4d30f704e59e77cf3cfe870bfabe85

SHA1
0d7c3ba8dc4c1e8942703ba5dcf096b950811f0c

SHA256
a0d7b196fe473ff143a7d44a895c61c6bf16267dc1e0898bd63079ab8c67d335

SHA512
fce4e353db593cfa9b12fd0f30ba6c60b7a9c0e6537a72bc4dcaf80a99dcc74348f3c5b4cb7c17075677a7d619b7fa8afe321ebe45bd2142c43f7ea01bd541d1

Download Submit
memory/1164-94-0x00007FF983020000-0x00007FF983151000-memory.dmp

Filesize
1.2MB

Download
memory/3144-70-0x00007FF982FE0000-0x00007FF983156000-memory.dmp

Filesize
1.5MB

Download
memory/3144-64-0x00007FF982FE0000-0x00007FF983156000-memory.dmp

Filesize
1.5MB

Download
memory/3144-67-0x000001D35DE50000-0x000001D35DE57000-memory.dmp

Filesize
28KB

Download
memory/3504-28-0x00000000079B0000-0x00000000079B7000-memory.dmp

Filesize
28KB

Download
memory/3504-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-6-0x00007FF99FE8A000-0x00007FF99FE8B000-memory.dmp

Filesize
4KB

Download
memory/3504-29-0x00007FF9A17D0000-0x00007FF9A17E0000-memory.dmp

Filesize
64KB

Download
memory/3504-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-4-0x0000000008C20000-0x0000000008C21000-memory.dmp

Filesize
4KB

Download
memory/3504-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3504-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3748-51-0x00007FF983020000-0x00007FF983151000-memory.dmp

Filesize
1.2MB

Download
memory/3748-45-0x000002BE05C00000-0x000002BE05C07000-memory.dmp

Filesize
28KB

Download
memory/3748-46-0x00007FF983020000-0x00007FF983151000-memory.dmp

Filesize
1.2MB

Download
memory/3992-0-0x000001864E620000-0x000001864E627000-memory.dmp

Filesize
28KB

Download
memory/3992-38-0x00007FF9932F0000-0x00007FF993420000-memory.dmp

Filesize
1.2MB

Download
memory/3992-1-0x00007FF9932F0000-0x00007FF993420000-memory.dmp

Filesize
1.2MB

Download