dridex | c1740bb33bac0ad1293f0e1305ea99e8b0d7719f7a02f0d12f719d48336ce1c0

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6f0b105457870d7cd16f84f233d21f9_JaffaCakes118.dll
Size

1.3MB
MD5

e6f0b105457870d7cd16f84f233d21f9
SHA1

9bc3bf0208c214b1f8f6704e94cd9741e561bd62
SHA256

c1740bb33bac0ad1293f0e1305ea99e8b0d7719f7a02f0d12f719d48336ce1c0
SHA512

80690bced2325abefa50e01e3051e150b452ceeaa573406d753a78e9176cc0d0ea50b320ad94311d2c278ceb01a4de821a256cd28b989f3019467af33990f551
SSDEEP

12288:sdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:eMIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3472-3-0x0000000003010000-0x0000000003011000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/4724-0-0x0000000140000000-0x0000000140154000-memory.dmp	dridex_payload
behavioral2/memory/3472-58-0x0000000140000000-0x0000000140154000-memory.dmp	dridex_payload
behavioral2/memory/3472-47-0x0000000140000000-0x0000000140154000-memory.dmp	dridex_payload
behavioral2/memory/4724-61-0x0000000140000000-0x0000000140154000-memory.dmp	dridex_payload
behavioral2/memory/4368-69-0x0000000140000000-0x0000000140155000-memory.dmp	dridex_payload
behavioral2/memory/4368-73-0x0000000140000000-0x0000000140155000-memory.dmp	dridex_payload
behavioral2/memory/872-89-0x0000000140000000-0x0000000140155000-memory.dmp	dridex_payload
behavioral2/memory/1484-105-0x0000000140000000-0x0000000140155000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

LockScreenContentServer.exeCustomShellHost.exequickassist.exe

pid	Process
4368	LockScreenContentServer.exe
872	CustomShellHost.exe
1484	quickassist.exe

Loads dropped DLL 3 IoCs

Processes:

LockScreenContentServer.exeCustomShellHost.exequickassist.exe

pid	Process
4368	LockScreenContentServer.exe
872	CustomShellHost.exe
1484	quickassist.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ygssokoticw = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\zOir\\CustomShellHost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

LockScreenContentServer.exeCustomShellHost.exequickassist.exerundll32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LockScreenContentServer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CustomShellHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	quickassist.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
4724	rundll32.exe
4724	rundll32.exe
4724	rundll32.exe
4724	rundll32.exe
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3472 wrote to memory of 4904	3472	89
PID 3472 wrote to memory of 4904	3472	89
PID 3472 wrote to memory of 4368	3472	90
PID 3472 wrote to memory of 4368	3472	90
PID 3472 wrote to memory of 4796	3472	91
PID 3472 wrote to memory of 4796	3472	91
PID 3472 wrote to memory of 872	3472	92
PID 3472 wrote to memory of 872	3472	92
PID 3472 wrote to memory of 2260	3472	93
PID 3472 wrote to memory of 2260	3472	93
PID 3472 wrote to memory of 1484	3472	94
PID 3472 wrote to memory of 1484	3472	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e6f0b105457870d7cd16f84f233d21f9_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4724

C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\LockScreenContentServer.exe
1⤵
PID:4904

C:\Users\Admin\AppData\Local\jLAizrslW\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\jLAizrslW\LockScreenContentServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4368

C:\Windows\system32\CustomShellHost.exe
C:\Windows\system32\CustomShellHost.exe
1⤵
PID:4796

C:\Users\Admin\AppData\Local\sVj\CustomShellHost.exe
C:\Users\Admin\AppData\Local\sVj\CustomShellHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:872

C:\Windows\system32\quickassist.exe
C:\Windows\system32\quickassist.exe
1⤵
PID:2260

C:\Users\Admin\AppData\Local\eFyP\quickassist.exe
C:\Users\Admin\AppData\Local\eFyP\quickassist.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\eFyP\UxTheme.dll

Filesize
1.3MB

MD5
a9491f5d86a98590d7a9b8c524117fe5

SHA1
18eba969e81f16f1173a13c0b5a6703fe997190d

SHA256
bdcc807d554cbb9df3ef16a7f6708746d16f3bbf71d54a1f5171a8ce6666d4db

SHA512
e4dbd3227fd753a9944b9da22bb16313da012f67593d3d6becf05d640ed7d840e90a5453c84285262b0f2b99c46f8daf576fa8beacf76d75c03fd93012e736c1

Download Submit
C:\Users\Admin\AppData\Local\eFyP\quickassist.exe

Filesize
665KB

MD5
d1216f9b9a64fd943539cc2b0ddfa439

SHA1
6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

SHA256
c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

SHA512
c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

Download Submit
C:\Users\Admin\AppData\Local\jLAizrslW\LockScreenContentServer.exe

Filesize
47KB

MD5
a0b7513c98cf46ca2cea3a567fec137c

SHA1
2307fc8e3fc620ea3c2fdc6248ad4658479ba995

SHA256
cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

SHA512
3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

Download Submit
C:\Users\Admin\AppData\Local\jLAizrslW\dwmapi.dll

Filesize
1.3MB

MD5
13ebe1bc889b4647312c98ce40c36507

SHA1
033832dc8815b9f565897a9f5ee40f28b744e01e

SHA256
4300f8947093841c7db7e6363a54e77e3b6900d104a9b788eb30f55fd6d79bfe

SHA512
c9949ec78cd14b0adcf5e72b4eb956b153f7c370c84eade4495b3a7856043bab9db574c05ea07bcf0c484b4a9561d6baed898b1f493741918db04d781bfb65cb

Download Submit
C:\Users\Admin\AppData\Local\sVj\CustomShellHost.exe

Filesize
835KB

MD5
70400e78b71bc8efdd063570428ae531

SHA1
cd86ecd008914fdd0389ac2dc00fe92d87746096

SHA256
91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

SHA512
53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

Download Submit
C:\Users\Admin\AppData\Local\sVj\WTSAPI32.dll

Filesize
1.3MB

MD5
31eabe7f6c9f61703916f59df2ffdb10

SHA1
c1475331882c4acb4e7424cc3d3ef9e04f6255f2

SHA256
626b2d67eacf71de82a40fce551d221d34ee75fe0e50e186c129fd06c5d83604

SHA512
077ffa6800291d5b59a18a792c6e0af951f3c6ef896ca7c5b6e1140dec71aa337791dc1e96a2d8e322b83e36e889a345d560e7b9714aab131d1a952e573b42cd

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk

Filesize
1KB

MD5
bfb1b9a58eabe42f9545c86ac3b05c64

SHA1
436aec56cc1cc7325c71d285517d2f01d3be3142

SHA256
fe0730422ca6103f375dc8861590bfd56d8948927a5aeabffb1ebeb774a6ccaf

SHA512
a545087fb068120164cf40cc5f725e4387a98f62c082ab98b6c6391d687063693c89ef982f0f52017d586ffcf87a1b5ced7d5d78adf473481ed4931ffaf53e3b

Download Submit
memory/872-89-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/872-86-0x000001A7BCCD0000-0x000001A7BCCD7000-memory.dmp

Filesize
28KB

Download
memory/1484-105-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1484-100-0x0000024624770000-0x0000024624777000-memory.dmp

Filesize
28KB

Download
memory/3472-17-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-11-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-34-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-32-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-31-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-30-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-29-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-27-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-26-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-25-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-23-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-24-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-22-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-21-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-20-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-19-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-18-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-28-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-16-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-15-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-14-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-13-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-12-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-33-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-10-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-8-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-7-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-6-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-5-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-9-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-3-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/3472-46-0x0000000001310000-0x0000000001317000-memory.dmp

Filesize
28KB

Download
memory/3472-35-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-36-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-58-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-49-0x00007FF891CF0000-0x00007FF891D00000-memory.dmp

Filesize
64KB

Download
memory/3472-48-0x00007FF891D00000-0x00007FF891D10000-memory.dmp

Filesize
64KB

Download
memory/3472-37-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/3472-45-0x00007FF89152A000-0x00007FF89152B000-memory.dmp

Filesize
4KB

Download
memory/3472-47-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/4368-73-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4368-68-0x0000026EFBA30000-0x0000026EFBA37000-memory.dmp

Filesize
28KB

Download
memory/4368-69-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4724-61-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/4724-2-0x000002C3913B0000-0x000002C3913B7000-memory.dmp

Filesize
28KB

Download
memory/4724-0-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download