dridex | a638b49731c356434985d9ef68e10b6def07bf5b398059ea17c2cf8dd1b9f1cc

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec0fbfbc9d92e4357791f2f1613571eb_JaffaCakes118.dll
Size

1.2MB
MD5

ec0fbfbc9d92e4357791f2f1613571eb
SHA1

ac4c84d2178402a2e6fb29b3bdb6178495161f11
SHA256

a638b49731c356434985d9ef68e10b6def07bf5b398059ea17c2cf8dd1b9f1cc
SHA512

d9d1c1502ae4774d7eeb8ccb3315ef41a40e15c5a7644e8fda521ec94bf6b9315efcc0ed8c289f716fb143d2c2975f76bd29e4963d8c8854fe303c61609a14a7
SSDEEP

24576:WuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:W9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3580-4-0x0000000002890000-0x0000000002891000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2272	usocoreworker.exe
1136	iexpress.exe
3620	OptionalFeatures.exe

Loads dropped DLL 3 IoCs

pid	Process
2272	usocoreworker.exe
1136	iexpress.exe
3620	OptionalFeatures.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Veuhujsfce = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\Ru9nDhET\\iexpress.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1104	rundll32.exe
1104	rundll32.exe
1104	rundll32.exe
1104	rundll32.exe
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found
3580	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2284	3580	Process not Found	92
PID 3580 wrote to memory of 2284	3580	Process not Found	92
PID 3580 wrote to memory of 2272	3580	Process not Found	93
PID 3580 wrote to memory of 2272	3580	Process not Found	93
PID 3580 wrote to memory of 2424	3580	Process not Found	94
PID 3580 wrote to memory of 2424	3580	Process not Found	94
PID 3580 wrote to memory of 1136	3580	Process not Found	95
PID 3580 wrote to memory of 1136	3580	Process not Found	95
PID 3580 wrote to memory of 3740	3580	Process not Found	96
PID 3580 wrote to memory of 3740	3580	Process not Found	96
PID 3580 wrote to memory of 3620	3580	Process not Found	97
PID 3580 wrote to memory of 3620	3580	Process not Found	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec0fbfbc9d92e4357791f2f1613571eb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:2284

C:\Users\Admin\AppData\Local\XRfp\usocoreworker.exe
C:\Users\Admin\AppData\Local\XRfp\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2272

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2424

C:\Users\Admin\AppData\Local\nZpy\iexpress.exe
C:\Users\Admin\AppData\Local\nZpy\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1136

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:3740

C:\Users\Admin\AppData\Local\QukiLDv\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\QukiLDv\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QukiLDv\OptionalFeatures.exe

Filesize
110KB

MD5
d6cd8bef71458804dbc33b88ace56372

SHA1
a18b58445be2492c5d37abad69b5aa0d29416a60

SHA256
fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

SHA512
1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

Download Submit
C:\Users\Admin\AppData\Local\QukiLDv\appwiz.cpl

Filesize
1.2MB

MD5
19e0c798e79e772e44a829b6cf233ec3

SHA1
a01b9dba7915672f9bc4b2dcb7cdc76f62d8cfd0

SHA256
adac627310ce7d1d3b83ebe2c2f51790d2bcd8d754046e27f5d9a07feea68b77

SHA512
daa79278450126014ad03de5a4a98e7343cb078d38af6223813fe8a67e61f2e9687975a1590f2f9c018dc402e04a3e0a38d60128f9071b1cf94ad227b3a8deea

Download Submit
C:\Users\Admin\AppData\Local\XRfp\XmlLite.dll

Filesize
1.2MB

MD5
04db46050083f7e22b03ae2b1064000e

SHA1
e42d77895de83a6c3255c2b011e14457ec787ac2

SHA256
51c359305c039840ce7a40df954328820c9a39480294e42213d2d1f7ad0ad1fb

SHA512
046110d178efb58fd4e65af88cfa78e43335cd6b672c0f37f90379b3eac7d4c8974ca5c789edd525082bdb24c8583cd764aaced9b6f6769775aab7c1b47be57a

Download Submit
C:\Users\Admin\AppData\Local\XRfp\usocoreworker.exe

Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Local\nZpy\VERSION.dll

Filesize
1.2MB

MD5
c988ac3be67472606f66f74db9cf6f49

SHA1
66c93eecedc53ce06296194e496ced74c2e7b253

SHA256
fb9204814d80443d0d5281b5a1cd517a39e3c6aeee67744094b688b224b5bd19

SHA512
f95ea978f93a76ffbb1f497bf6e281deee30b34afa21b2cdbeeb026823cf7d782f07f9c3bc828905d9da8ad5e2a6476dacf9b419d6fa7660f0407bd650a6981f

Download Submit
C:\Users\Admin\AppData\Local\nZpy\iexpress.exe

Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piobvoh.lnk

Filesize
1KB

MD5
5e501b1d703a851661f3d7052e7a9271

SHA1
cf3255b10a82fef79691740b128716f2dd8ab7b7

SHA256
0d028c8e47a5d00733b81ee372097a726093e4c0a338d287128f0fb68655ad7d

SHA512
8a4e3216ea8bc925e58ba9aac63432a8e6a7eb28f160fa3757fa25df5e12bda02557163da52ae25816e7893605574212e0a42194b7a11c81d0e4994ac3416235

Download Submit
memory/1104-0-0x000001FC317F0000-0x000001FC317F7000-memory.dmp

Filesize
28KB

Download
memory/1104-39-0x00007FFB2B7E0000-0x00007FFB2B911000-memory.dmp

Filesize
1.2MB

Download
memory/1104-2-0x00007FFB2B7E0000-0x00007FFB2B911000-memory.dmp

Filesize
1.2MB

Download
memory/1136-66-0x0000026DDB290000-0x0000026DDB297000-memory.dmp

Filesize
28KB

Download
memory/1136-69-0x00007FFB1C5A0000-0x00007FFB1C6D2000-memory.dmp

Filesize
1.2MB

Download
memory/2272-52-0x00007FFB1C5A0000-0x00007FFB1C6D2000-memory.dmp

Filesize
1.2MB

Download
memory/2272-49-0x000001F6FF0D0000-0x000001F6FF0D7000-memory.dmp

Filesize
28KB

Download
memory/2272-46-0x00007FFB1C5A0000-0x00007FFB1C6D2000-memory.dmp

Filesize
1.2MB

Download
memory/3580-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3580-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3580-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3580-4-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/3580-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3580-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3580-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3580-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3580-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3580-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3580-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3580-34-0x0000000000E30000-0x0000000000E37000-memory.dmp

Filesize
28KB

Download
memory/3580-35-0x00007FFB3A9F0000-0x00007FFB3AA00000-memory.dmp

Filesize
64KB

Download
memory/3580-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3580-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3580-15-0x00007FFB39D6A000-0x00007FFB39D6B000-memory.dmp

Filesize
4KB

Download
memory/3580-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3620-86-0x00007FFB1C5A0000-0x00007FFB1C6D2000-memory.dmp

Filesize
1.2MB

Download
memory/3620-80-0x000001A4E5B20000-0x000001A4E5B27000-memory.dmp

Filesize
28KB

Download