dridex | e06c71d9c6e770486e02dc3dc6fb9d8d640c3142b625d7a4e8ca0d99aff3b944

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecc94ddcac7f889fba06679317c767a1_JaffaCakes118.dll
Size

1.2MB
MD5

ecc94ddcac7f889fba06679317c767a1
SHA1

75da782863c7e30f45939c0711057d37483bd437
SHA256

e06c71d9c6e770486e02dc3dc6fb9d8d640c3142b625d7a4e8ca0d99aff3b944
SHA512

f096735220bc58a172bc362aae448ac3e169418fd76a247c9d20fc814d93e8fde44e2a99e9a5a4ccac73b41dbbca3849bd7215cd4fbe8c68f26d3a512ec9444a
SSDEEP

24576:FuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:/9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3448-4-0x0000000002790000-0x0000000002791000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1584	AgentService.exe
4864	phoneactivate.exe
720	dxgiadaptercache.exe

Loads dropped DLL 3 IoCs

pid	Process
1584	AgentService.exe
4864	phoneactivate.exe
720	dxgiadaptercache.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ftxdckjforivc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\3uwOD\\phoneactivate.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AgentService.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	phoneactivate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 4440	3448	Process not Found	89
PID 3448 wrote to memory of 4440	3448	Process not Found	89
PID 3448 wrote to memory of 1584	3448	Process not Found	90
PID 3448 wrote to memory of 1584	3448	Process not Found	90
PID 3448 wrote to memory of 2312	3448	Process not Found	91
PID 3448 wrote to memory of 2312	3448	Process not Found	91
PID 3448 wrote to memory of 4864	3448	Process not Found	92
PID 3448 wrote to memory of 4864	3448	Process not Found	92
PID 3448 wrote to memory of 4852	3448	Process not Found	93
PID 3448 wrote to memory of 4852	3448	Process not Found	93
PID 3448 wrote to memory of 720	3448	Process not Found	94
PID 3448 wrote to memory of 720	3448	Process not Found	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecc94ddcac7f889fba06679317c767a1_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:4440

C:\Users\Admin\AppData\Local\YT6\AgentService.exe
C:\Users\Admin\AppData\Local\YT6\AgentService.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1584

C:\Windows\system32\phoneactivate.exe
C:\Windows\system32\phoneactivate.exe
1⤵
PID:2312

C:\Users\Admin\AppData\Local\F6KmPEHr\phoneactivate.exe
C:\Users\Admin\AppData\Local\F6KmPEHr\phoneactivate.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4864

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:4852

C:\Users\Admin\AppData\Local\41m\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\41m\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\41m\dxgi.dll

Filesize
1.2MB

MD5
2d1a832cf98688e8df6f01e92b588ebf

SHA1
cf443a8dc0b5bb5c454a36d012594799d5f1759f

SHA256
f495a859589df224e04d4ae18f666b259ddd3e1d808ce2aa57f0736d77615311

SHA512
ee8d13777b3d719f735f0f6c57ed1db3ab7c46e4d8991fe4e5518c168ceb312a5d94113ab7d03ac1b7540d46ad7bf5e058ea8ef2bc9da3bef1e9aa5e6304c493

Download Submit
C:\Users\Admin\AppData\Local\41m\dxgiadaptercache.exe

Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Local\F6KmPEHr\DUI70.dll

Filesize
1.4MB

MD5
b1ee4cb3df38d27dbcebae866e27247b

SHA1
79281341334311a7d4e03a122209c1ddfc151474

SHA256
bb10a34cc008b5bdb46117842bfaff9811855776ade8710cc65f98f3e349da1c

SHA512
8dd1a11185510c9f303673aba0ec06107da445df4c4747fc52add2bbe829404de499f9659749727d449035e675955310500f3549332c2d9490ee528c3b5b327f

Download Submit
C:\Users\Admin\AppData\Local\F6KmPEHr\phoneactivate.exe

Filesize
107KB

MD5
32c31f06e0b68f349f68afdd08e45f3d

SHA1
e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

SHA256
cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

SHA512
fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

Download Submit
C:\Users\Admin\AppData\Local\YT6\AgentService.exe

Filesize
1.2MB

MD5
f8bac206def3e87ceb8ef3cb0fb5a194

SHA1
a28ea816e7b5ca511da4576262a5887a75171276

SHA256
c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268

SHA512
8df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909

Download Submit
C:\Users\Admin\AppData\Local\YT6\VERSION.dll

Filesize
1.2MB

MD5
3d38d8b1c46c4c24d93d81d87fa45d3d

SHA1
239b7c8e8df68456aad946d084d67144e159644c

SHA256
e74cd77bc8b11d3eb3d8f4d0443537ab52b43542e03701fb73a8019dd1ced4f0

SHA512
cb7011ac4306df87e5dd7f98fc6886b77c367a9c97971edf0d463143819309abaf105e1982538bb17a1ac9b0443c6702329ce9531078bb6ada7ecd14842a22a1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppmzgvduo.lnk

Filesize
790B

MD5
3d4a6f99afed261d62bce9eff781c999

SHA1
2a8a0d80e0d78ea3867e0ac60d584fa371c6aab3

SHA256
c422576a0e33cf859f3b15d59051280eb11cd94e9a5751a57d831cb96c5b4d37

SHA512
4295ae72cf7c064977100618757f7a8130d95371b2e9847c560633d7e3ad1718ce1d85659fb8b0e59ea07a33a43fd0924f634aea672713cc3188e1a8dc17bd2a

Download Submit
memory/720-79-0x000001F25BAD0000-0x000001F25BAD7000-memory.dmp

Filesize
28KB

Download
memory/720-85-0x00007FFA209E0000-0x00007FFA20B11000-memory.dmp

Filesize
1.2MB

Download
memory/1584-51-0x00007FFA209E0000-0x00007FFA20B11000-memory.dmp

Filesize
1.2MB

Download
memory/1584-46-0x00007FFA209E0000-0x00007FFA20B11000-memory.dmp

Filesize
1.2MB

Download
memory/1584-45-0x000001D756FF0000-0x000001D756FF7000-memory.dmp

Filesize
28KB

Download
memory/3016-1-0x00007FFA2F7B0000-0x00007FFA2F8E0000-memory.dmp

Filesize
1.2MB

Download
memory/3016-0-0x000002733A3E0000-0x000002733A3E7000-memory.dmp

Filesize
28KB

Download
memory/3016-38-0x00007FFA2F7B0000-0x00007FFA2F8E0000-memory.dmp

Filesize
1.2MB

Download
memory/3448-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3448-28-0x0000000000E00000-0x0000000000E07000-memory.dmp

Filesize
28KB

Download
memory/3448-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3448-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3448-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3448-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3448-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3448-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3448-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3448-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3448-29-0x00007FFA3E9D0000-0x00007FFA3E9E0000-memory.dmp

Filesize
64KB

Download
memory/3448-4-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/3448-5-0x00007FFA3E5AA000-0x00007FFA3E5AB000-memory.dmp

Filesize
4KB

Download
memory/3448-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3448-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3448-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4864-68-0x00007FFA209A0000-0x00007FFA20B16000-memory.dmp

Filesize
1.5MB

Download
memory/4864-63-0x00007FFA209A0000-0x00007FFA20B16000-memory.dmp

Filesize
1.5MB

Download
memory/4864-62-0x00000232C7620000-0x00000232C7627000-memory.dmp

Filesize
28KB

Download