dridex | 4128d0f84d420bcd7d2b648660b3cae21bcbf088e8a82f225b65acf95de78d98

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edbc2bb8ff32ba555d9ecfb4ebe4336d_JaffaCakes118.dll
Size

1.2MB
MD5

edbc2bb8ff32ba555d9ecfb4ebe4336d
SHA1

30fa3d1d4d7f4993667d2717a8fcd8fa27ba9656
SHA256

4128d0f84d420bcd7d2b648660b3cae21bcbf088e8a82f225b65acf95de78d98
SHA512

0ed34499393e76d87da9c227a755086147720d36e358bbefe8e0167cbeb7927b843202ba35e8d9eb86da25324c89511d8b4891da46fb59e01dc3a1cd660ee28e
SSDEEP

24576:GuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NHt:m9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3440-4-0x0000000000B30000-0x0000000000B31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2132	phoneactivate.exe
3644	LicensingUI.exe
1660	printfilterpipelinesvc.exe

Loads dropped DLL 5 IoCs

pid	Process
2132	phoneactivate.exe
3644	LicensingUI.exe
1660	printfilterpipelinesvc.exe
1660	printfilterpipelinesvc.exe
1660	printfilterpipelinesvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vogna = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\8A\\LicensingUI.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	phoneactivate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LicensingUI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4188	rundll32.exe
4188	rundll32.exe
4188	rundll32.exe
4188	rundll32.exe
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found
Token: SeShutdownPrivilege	3440	Process not Found
Token: SeCreatePagefilePrivilege	3440	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3440	Process not Found
3440	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3440	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 4840	3440	Process not Found	95
PID 3440 wrote to memory of 4840	3440	Process not Found	95
PID 3440 wrote to memory of 2132	3440	Process not Found	96
PID 3440 wrote to memory of 2132	3440	Process not Found	96
PID 3440 wrote to memory of 2752	3440	Process not Found	97
PID 3440 wrote to memory of 2752	3440	Process not Found	97
PID 3440 wrote to memory of 3644	3440	Process not Found	98
PID 3440 wrote to memory of 3644	3440	Process not Found	98
PID 3440 wrote to memory of 3500	3440	Process not Found	99
PID 3440 wrote to memory of 3500	3440	Process not Found	99
PID 3440 wrote to memory of 1660	3440	Process not Found	100
PID 3440 wrote to memory of 1660	3440	Process not Found	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\edbc2bb8ff32ba555d9ecfb4ebe4336d_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4188

C:\Windows\system32\phoneactivate.exe
C:\Windows\system32\phoneactivate.exe
1⤵
PID:4840

C:\Users\Admin\AppData\Local\OzW6M\phoneactivate.exe
C:\Users\Admin\AppData\Local\OzW6M\phoneactivate.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2132

C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
1⤵
PID:2752

C:\Users\Admin\AppData\Local\JjRmCCC\LicensingUI.exe
C:\Users\Admin\AppData\Local\JjRmCCC\LicensingUI.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3644

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:3500

C:\Users\Admin\AppData\Local\AbmuTR1\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\AbmuTR1\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AbmuTR1\XmlLite.dll

Filesize
1.2MB

MD5
cf40339c63b5e76f4064b519284c4024

SHA1
ce43cb1739df249d2e0c61543cbcb28effc1604c

SHA256
d97d79005864f9e956a6aa198825d031b1d80abc4f9992faf5494ec68e52bc56

SHA512
b827488823a45cf7abff9a746369d0a17aba0b3a0ef65348d4e4f69c582c3174c79fe067775d2497d4f4c43d826105c3f2abc5cdef47b037f6c04f5b742b376d

Download Submit
C:\Users\Admin\AppData\Local\AbmuTR1\printfilterpipelinesvc.exe

Filesize
813KB

MD5
331a40eabaa5870e316b401bd81c4861

SHA1
ddff65771ca30142172c0d91d5bfff4eb1b12b73

SHA256
105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

SHA512
29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

Download Submit
C:\Users\Admin\AppData\Local\JjRmCCC\DUI70.dll

Filesize
1.4MB

MD5
22a18aeaf839541764ab29fb8e5044cf

SHA1
2c7fd05d26904f0c4806c786090c3693ecd5007c

SHA256
67a2515e83756897cf785fc20a2dcb08e4af2418e6a41fd35d11f1771c13d505

SHA512
c09a5f12504c41b4f006ae15429b235dcaa077d75df0790d0dbfa36d24b44051da80499b35fa0eca4aebe7a2355c9b6d65ef5bba2cca0bb68aaa31254244d885

Download Submit
C:\Users\Admin\AppData\Local\JjRmCCC\LicensingUI.exe

Filesize
142KB

MD5
8b4abc637473c79a003d30bb9c7a05e5

SHA1
d1cab953c16d4fdec2b53262f56ac14a914558ca

SHA256
0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

SHA512
5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

Download Submit
C:\Users\Admin\AppData\Local\OzW6M\SLC.dll

Filesize
1.2MB

MD5
6940cfe1d3db5e152d5144ad87b048b1

SHA1
f99ef1748265bd9b20000ad57f975c3aa9664686

SHA256
2ae9a3178cfd1636e874f4801b133a3cf970352f4bead22f620aa4cc374d8329

SHA512
581c349f1ae0853a8ba97827ca24a1ceb066f308d360303611cc9b0cf947753641459665fa95528fbc93ab02ab2b58efe53f1fccbe2f5876dde563af370ba8e7

Download Submit
C:\Users\Admin\AppData\Local\OzW6M\phoneactivate.exe

Filesize
107KB

MD5
32c31f06e0b68f349f68afdd08e45f3d

SHA1
e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

SHA256
cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

SHA512
fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nqkmrrwxgzxnra.lnk

Filesize
1KB

MD5
862ae1306bed21950923a8e394e7a973

SHA1
51fe31d97300a5189b68206fe1fc75418f330517

SHA256
ee521af05f0acdfb4d289fe91d3d73b510c588e823b923c74c1457170061eb5d

SHA512
99802110203435348ae3a3f8c7d27b1b9029668e1eb5d5d1ebb798cfd3b5a369bab68f013a637121f3c0211b48ef0485b07b069b279eb38582a2188547e72185

Download Submit
memory/1660-87-0x00007FFA6F830000-0x00007FFA6F962000-memory.dmp

Filesize
1.2MB

Download
memory/2132-52-0x00007FFA6F830000-0x00007FFA6F962000-memory.dmp

Filesize
1.2MB

Download
memory/2132-47-0x00007FFA6F830000-0x00007FFA6F962000-memory.dmp

Filesize
1.2MB

Download
memory/2132-46-0x000002648B870000-0x000002648B877000-memory.dmp

Filesize
28KB

Download
memory/3440-25-0x0000000000AC0000-0x0000000000AC7000-memory.dmp

Filesize
28KB

Download
memory/3440-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-4-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/3440-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-35-0x00007FFA8D970000-0x00007FFA8D980000-memory.dmp

Filesize
64KB

Download
memory/3440-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-26-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-24-0x00007FFA8D11A000-0x00007FFA8D11B000-memory.dmp

Filesize
4KB

Download
memory/3644-66-0x00000167EA4E0000-0x00000167EA4E7000-memory.dmp

Filesize
28KB

Download
memory/3644-69-0x00007FFA70250000-0x00007FFA703C7000-memory.dmp

Filesize
1.5MB

Download
memory/3644-63-0x00007FFA70250000-0x00007FFA703C7000-memory.dmp

Filesize
1.5MB

Download
memory/4188-1-0x00007FFA7E100000-0x00007FFA7E231000-memory.dmp

Filesize
1.2MB

Download
memory/4188-39-0x00007FFA7E100000-0x00007FFA7E231000-memory.dmp

Filesize
1.2MB

Download
memory/4188-3-0x000001C7F8BA0000-0x000001C7F8BA7000-memory.dmp

Filesize
28KB

Download