dridex | 71e81df6b6a1662f36f6dbd56571d345bf55f342d6deb464c33c2c3cb2c55d4d

Analysis

max time kernel
149s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e89fed8bcadd8c09505de5a77f5869fd_JaffaCakes118.dll
Size

1.2MB
MD5

e89fed8bcadd8c09505de5a77f5869fd
SHA1

73b46bfbcf230c1f0a5bfe6efe53c43b494a8c25
SHA256

71e81df6b6a1662f36f6dbd56571d345bf55f342d6deb464c33c2c3cb2c55d4d
SHA512

8a0185e05880d5979b392bdb02f15c6f37b7b8dbde337f71f6e41291f05d281b222a9d9df31965f4c2640e299bf0e265da96333b7fc1190e5fb6c0570264dbfc
SSDEEP

24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3444-4-0x0000000002570000-0x0000000002571000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1036	systemreset.exe
1824	SystemPropertiesHardware.exe
4908	wbengine.exe

Loads dropped DLL 3 IoCs

pid	Process
1036	systemreset.exe
1824	SystemPropertiesHardware.exe
4908	wbengine.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wbdoaalrz = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\jt6ByzG\\SystemPropertiesHardware.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wbengine.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1612	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 3676	3444	Process not Found	92
PID 3444 wrote to memory of 3676	3444	Process not Found	92
PID 3444 wrote to memory of 1036	3444	Process not Found	93
PID 3444 wrote to memory of 1036	3444	Process not Found	93
PID 3444 wrote to memory of 1040	3444	Process not Found	94
PID 3444 wrote to memory of 1040	3444	Process not Found	94
PID 3444 wrote to memory of 1824	3444	Process not Found	95
PID 3444 wrote to memory of 1824	3444	Process not Found	95
PID 3444 wrote to memory of 1892	3444	Process not Found	96
PID 3444 wrote to memory of 1892	3444	Process not Found	96
PID 3444 wrote to memory of 4908	3444	Process not Found	97
PID 3444 wrote to memory of 4908	3444	Process not Found	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e89fed8bcadd8c09505de5a77f5869fd_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:3676

C:\Users\Admin\AppData\Local\HhygDQkIF\systemreset.exe
C:\Users\Admin\AppData\Local\HhygDQkIF\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1036

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:1040

C:\Users\Admin\AppData\Local\jHWNG\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\jHWNG\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1824

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:1892

C:\Users\Admin\AppData\Local\aj3B9CVRL\wbengine.exe
C:\Users\Admin\AppData\Local\aj3B9CVRL\wbengine.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HhygDQkIF\ReAgent.dll

Filesize
1.2MB

MD5
811fb27553754604ed8df66043c71762

SHA1
245e49a82199d4450d0bcffe0b6ce978eb7ac5d5

SHA256
70cb0c9fca49e0e27d1d4fbd1095ede40ed2a6fd24dc8875ed1b95cfbbdee5ff

SHA512
a96b6806ed27a6675caa48de8b73b54b6e4deb7360b15ff537c9d4a13e8adcb5405285755933a4cd36e824d53dccc424dad71e12c2435c169b1f7092f5c9941c

Download Submit
C:\Users\Admin\AppData\Local\HhygDQkIF\systemreset.exe

Filesize
508KB

MD5
325ff647506adb89514defdd1c372194

SHA1
84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

SHA256
ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

SHA512
8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

Download Submit
C:\Users\Admin\AppData\Local\aj3B9CVRL\XmlLite.dll

Filesize
1.2MB

MD5
f18df587f076e524e166b17a940fa178

SHA1
db18dfd68b6412428f32dd13118414f5d360d163

SHA256
d62564f2f29ca31856e65f749e9c59548e54e782e925fef0b86e6dbfc69e20fa

SHA512
f1d0b8de8f11954335083efa7da92189f3d8965517ab0f86daa4479af9829855503cbf6b86055bbba535f2075e28f4405fb80da331c213500a8bf194c1a1ed4a

Download Submit
C:\Users\Admin\AppData\Local\aj3B9CVRL\wbengine.exe

Filesize
1.5MB

MD5
17270a354a66590953c4aac1cf54e507

SHA1
715babcc8e46b02ac498f4f06df7937904d9798d

SHA256
9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

SHA512
6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

Download Submit
C:\Users\Admin\AppData\Local\jHWNG\SYSDM.CPL

Filesize
1.2MB

MD5
1e9499d572a1a18f65ad15c392bdaaff

SHA1
38afb609619ec989f9e6bc5679ffdfaf4d701b71

SHA256
e99121932ad00b789d9e3501db3dc647b7324bd2eb1f0eebb8f4af569cf6af9d

SHA512
f683d8670ac06cf53418c3188c9aa9fccdf2f6a1f28b64e849f7e68f0a76649a6507d745b368acb7078ed2c138e7e3e013c1746f560cf6b92e43961a05c7c423

Download Submit
C:\Users\Admin\AppData\Local\jHWNG\SystemPropertiesHardware.exe

Filesize
82KB

MD5
bf5bc0d70a936890d38d2510ee07a2cd

SHA1
69d5971fd264d8128f5633db9003afef5fad8f10

SHA256
c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

SHA512
0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mihblavoyj.lnk

Filesize
1KB

MD5
c96505c154312b2eca66e970fa95011e

SHA1
9105441d1c46153f4d73924e8a533410a2c8056c

SHA256
1eb7849745b720398643682a27e84d840cfd05e151c5e79461aa1ec2d951900e

SHA512
538b96cf7f4e703e60a5c5930e8b38b7687cf1e6316babd97fd0c5bbb1b4bb4deaa7ef529b971a1a8fe96af83035667eea7e8d99d526217b285a21609ea22db6

Download Submit
memory/1036-48-0x00000150D6550000-0x00000150D6557000-memory.dmp

Filesize
28KB

Download
memory/1036-51-0x00007FFBD69E0000-0x00007FFBD6B11000-memory.dmp

Filesize
1.2MB

Download
memory/1036-45-0x00007FFBD69E0000-0x00007FFBD6B11000-memory.dmp

Filesize
1.2MB

Download
memory/1612-0-0x0000017E8B060000-0x0000017E8B067000-memory.dmp

Filesize
28KB

Download
memory/1612-38-0x00007FFBE5A90000-0x00007FFBE5BC0000-memory.dmp

Filesize
1.2MB

Download
memory/1612-1-0x00007FFBE5A90000-0x00007FFBE5BC0000-memory.dmp

Filesize
1.2MB

Download
memory/1824-62-0x0000021319510000-0x0000021319517000-memory.dmp

Filesize
28KB

Download
memory/1824-63-0x00007FFBD6B90000-0x00007FFBD6CC1000-memory.dmp

Filesize
1.2MB

Download
memory/1824-68-0x00007FFBD6B90000-0x00007FFBD6CC1000-memory.dmp

Filesize
1.2MB

Download
memory/3444-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3444-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3444-4-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3444-6-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3444-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3444-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3444-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3444-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3444-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3444-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3444-15-0x00007FFBF4AEA000-0x00007FFBF4AEB000-memory.dmp

Filesize
4KB

Download
memory/3444-17-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3444-34-0x00007FFBF4F50000-0x00007FFBF4F60000-memory.dmp

Filesize
64KB

Download
memory/3444-25-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3444-16-0x0000000000740000-0x0000000000747000-memory.dmp

Filesize
28KB

Download
memory/3444-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4908-84-0x00007FFBD6B40000-0x00007FFBD6C71000-memory.dmp

Filesize
1.2MB

Download
memory/4908-79-0x00007FFBD6B40000-0x00007FFBD6C71000-memory.dmp

Filesize
1.2MB

Download