dridex | 6da8b8e1b1f1db5c5497500cc342b5778541c2d6584a958ce64ae77c09895ecc

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e35c61ebe91c031d45c2ae5fee1ce298_JaffaCakes118.dll
Size

985KB
MD5

e35c61ebe91c031d45c2ae5fee1ce298
SHA1

18f2b3c265c8cb3dfc839e276c8b991e2dc03eaf
SHA256

6da8b8e1b1f1db5c5497500cc342b5778541c2d6584a958ce64ae77c09895ecc
SHA512

9b29a54deec72ef1e8c713da7659299df77a842e4543b2cf2d09dcea30cc68e87fff71e629acbf76feaada6a6019ac79c9ea438c3dc3d00d44f731bc767e620d
SSDEEP

24576:hhLBOY3Zch8R9trbCPQFaD0JAc8V7M/GGS069NmgsSF:pTFJawGGj6fmg

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3432-4-0x0000000002A70000-0x0000000002A71000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

pid	Process
4660	mmc.exe
3380	ie4uinit.exe
3252	msconfig.exe
1892	BitLockerWizardElev.exe

Loads dropped DLL 5 IoCs

pid	Process
4660	mmc.exe
3380	ie4uinit.exe
3380	ie4uinit.exe
3252	msconfig.exe
1892	BitLockerWizardElev.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qgfqnr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\pjYgD\\msconfig.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4uinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 3876	3432	Process not Found	89
PID 3432 wrote to memory of 3876	3432	Process not Found	89
PID 3432 wrote to memory of 4660	3432	Process not Found	90
PID 3432 wrote to memory of 4660	3432	Process not Found	90
PID 3432 wrote to memory of 4248	3432	Process not Found	91
PID 3432 wrote to memory of 4248	3432	Process not Found	91
PID 3432 wrote to memory of 3380	3432	Process not Found	92
PID 3432 wrote to memory of 3380	3432	Process not Found	92
PID 3432 wrote to memory of 2308	3432	Process not Found	93
PID 3432 wrote to memory of 2308	3432	Process not Found	93
PID 3432 wrote to memory of 3252	3432	Process not Found	94
PID 3432 wrote to memory of 3252	3432	Process not Found	94
PID 3432 wrote to memory of 4304	3432	Process not Found	95
PID 3432 wrote to memory of 4304	3432	Process not Found	95
PID 3432 wrote to memory of 1892	3432	Process not Found	96
PID 3432 wrote to memory of 1892	3432	Process not Found	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e35c61ebe91c031d45c2ae5fee1ce298_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:3876

C:\Users\Admin\AppData\Local\nJrEM0X\mmc.exe
C:\Users\Admin\AppData\Local\nJrEM0X\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4660

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:4248

C:\Users\Admin\AppData\Local\s2oT6YMYO\ie4uinit.exe
C:\Users\Admin\AppData\Local\s2oT6YMYO\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3380

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2308

C:\Users\Admin\AppData\Local\2GMrUIP\msconfig.exe
C:\Users\Admin\AppData\Local\2GMrUIP\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3252

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:4304

C:\Users\Admin\AppData\Local\ci0vuL\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\ci0vuL\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2GMrUIP\MFC42u.dll

Filesize
1013KB

MD5
b94a5c4405dcea66e9962acad4b68e32

SHA1
41571558e045ed596672c43866a8c43d9bc19046

SHA256
35bc4c21f0d8f62751581b4a5c5d08ab6d3a332b04007df4565e9a7b69a57ee8

SHA512
3a93696281c5893cbba24f5a28674349b68d6dc09c3322b559b3bb95d71e615b7023b458de7e129f9d6f527b44cf1c9462a59555ebd7b775f0b611fc7bf5a503

Download Submit
C:\Users\Admin\AppData\Local\2GMrUIP\msconfig.exe

Filesize
193KB

MD5
39009536cafe30c6ef2501fe46c9df5e

SHA1
6ff7b4d30f31186de899665c704a105227704b72

SHA256
93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

SHA512
95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

Download Submit
C:\Users\Admin\AppData\Local\ci0vuL\BitLockerWizardElev.exe

Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\ci0vuL\FVEWIZ.dll

Filesize
988KB

MD5
f96529f1ecdbeb9b72754b241986e3fb

SHA1
c21010e0a6e733623de9324e8bc4261c2397ccaa

SHA256
04b41d833642316283ef290179d1dd0570184948478c70ffe47435046fc85039

SHA512
239ed4ef1b5fad6f1ae667bf89e47e8c0d5815218829378c1be1bf23aab8990550b71a625ac6269938f429c7d1ed18da5d8f8398a543d835f5675cf4ab5ecf71

Download Submit
C:\Users\Admin\AppData\Local\nJrEM0X\MFC42u.dll

Filesize
1013KB

MD5
ca61ccb9f2583e114a94b57f652bf6d2

SHA1
1bfa86554a9d514024c69329baaef9278cdd09c1

SHA256
73a8ce4ec0d2233eb2ac73efe852cb9c9d3034e624362b31c690db645041c98b

SHA512
f17332231e628121a95c5457852ae956f28565829a6c045dffc5ea3faed0bc717da5c7a2f8cb0fd01d8f905f6364620a930040ed00810c53349fb39b7ddae2ff

Download Submit
C:\Users\Admin\AppData\Local\nJrEM0X\mmc.exe

Filesize
1.8MB

MD5
8c86b80518406f14a4952d67185032d6

SHA1
9269f1fbcf65fefbc88a2e239519c21efe0f6ba5

SHA256
895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a

SHA512
1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

Download Submit
C:\Users\Admin\AppData\Local\s2oT6YMYO\VERSION.dll

Filesize
986KB

MD5
c76cc2c430d302f3b1b2aadf271203a6

SHA1
7c742d9eb0feaceb2395fa19ef1ad11cfd8a788b

SHA256
bb6b8ba78a9e89e4f19953047a9d9bb19574f4a727cb233478702eb948b0bc6d

SHA512
073f66b023e9655e7438c582a344c62fb68250dd6da945c94d5508bd07b0a0eeeb708208559ac240b2e08a8783c533e84a853745ff35bacc4248a65ab475d729

Download Submit
C:\Users\Admin\AppData\Local\s2oT6YMYO\ie4uinit.exe

Filesize
262KB

MD5
a2f0104edd80ca2c24c24356d5eacc4f

SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56

SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mcinmsnhewplgza.lnk

Filesize
1024B

MD5
f816e0abb135bc47f8c08776cbc9e8c9

SHA1
f14df70d2f8f63ed34f429a8537ae75b3cf1573d

SHA256
07a28b730cb475499673a1dfb7ada88ffcbce4ea5b22f45717aad6aebe796655

SHA512
796f422d11652460404bd46bab184d3a7ac0b5d0733c23bcc41615a843b9cc214af6affad2292c9046316c167a7a2adb38a5314b7232d118f57aad6339c9a639

Download Submit
memory/1728-1-0x00007FFE59F40000-0x00007FFE5A03C000-memory.dmp

Filesize
1008KB

Download
memory/1728-37-0x00007FFE59F40000-0x00007FFE5A03C000-memory.dmp

Filesize
1008KB

Download
memory/1728-0-0x000001EB578B0000-0x000001EB578B7000-memory.dmp

Filesize
28KB

Download
memory/1892-95-0x00007FFE4A080000-0x00007FFE4A17D000-memory.dmp

Filesize
1012KB

Download
memory/3252-74-0x00007FFE4A070000-0x00007FFE4A173000-memory.dmp

Filesize
1.0MB

Download
memory/3252-77-0x00007FFE4A070000-0x00007FFE4A173000-memory.dmp

Filesize
1.0MB

Download
memory/3380-63-0x00007FFE4A080000-0x00007FFE4A17D000-memory.dmp

Filesize
1012KB

Download
memory/3380-57-0x0000018BDF810000-0x0000018BDF817000-memory.dmp

Filesize
28KB

Download
memory/3380-58-0x00007FFE4A080000-0x00007FFE4A17D000-memory.dmp

Filesize
1012KB

Download
memory/3432-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-24-0x00000000028D0000-0x00000000028D7000-memory.dmp

Filesize
28KB

Download
memory/3432-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-32-0x00007FFE68190000-0x00007FFE681A0000-memory.dmp

Filesize
64KB

Download
memory/3432-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-4-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3432-23-0x00007FFE66FCA000-0x00007FFE66FCB000-memory.dmp

Filesize
4KB

Download
memory/4660-49-0x00007FFE49FD0000-0x00007FFE4A0D3000-memory.dmp

Filesize
1.0MB

Download
memory/4660-48-0x0000000000640000-0x0000000000647000-memory.dmp

Filesize
28KB

Download
memory/4660-45-0x00007FFE49FD0000-0x00007FFE4A0D3000-memory.dmp

Filesize
1.0MB

Download