dridex | 997d7cb2cc9b826d90e614f7f65398727a87682c4bdcde9dc34538db1bfdb334

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7be1eab255e2a375ea6beedd7d8a764_JaffaCakes118.dll
Size

1.2MB
MD5

f7be1eab255e2a375ea6beedd7d8a764
SHA1

64eb172fc246f70cf745e0a25fd74276fa7faf33
SHA256

997d7cb2cc9b826d90e614f7f65398727a87682c4bdcde9dc34538db1bfdb334
SHA512

2ca17e868ab645f3619fe9a74165989f513e403a38d84e430caf43ef432595699d74149a010f7d6b5b17f6f275c7c26dd8743c92ba670859d5bd02e4c73ef3a8
SSDEEP

24576:LuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:V9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3472-4-0x0000000003300000-0x0000000003301000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpclip.exePresentationHost.exeie4ushowIE.exe

pid	Process
1400	rdpclip.exe
5064	PresentationHost.exe
3988	ie4ushowIE.exe

Loads dropped DLL 3 IoCs

Processes:

rdpclip.exePresentationHost.exeie4ushowIE.exe

pid	Process
1400	rdpclip.exe
5064	PresentationHost.exe
3988	ie4ushowIE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ygssokoticw = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\HaFVy9wg9\\PresentationHost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpclip.exePresentationHost.exeie4ushowIE.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4ushowIE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
3868	rundll32.exe
3868	rundll32.exe
3868	rundll32.exe
3868	rundll32.exe
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472
3472

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3472 wrote to memory of 3740	3472	87
PID 3472 wrote to memory of 3740	3472	87
PID 3472 wrote to memory of 1400	3472	88
PID 3472 wrote to memory of 1400	3472	88
PID 3472 wrote to memory of 1892	3472	91
PID 3472 wrote to memory of 1892	3472	91
PID 3472 wrote to memory of 5064	3472	92
PID 3472 wrote to memory of 5064	3472	92
PID 3472 wrote to memory of 936	3472	93
PID 3472 wrote to memory of 936	3472	93
PID 3472 wrote to memory of 3988	3472	94
PID 3472 wrote to memory of 3988	3472	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7be1eab255e2a375ea6beedd7d8a764_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3868

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:3740

C:\Users\Admin\AppData\Local\Y204n\rdpclip.exe
C:\Users\Admin\AppData\Local\Y204n\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1400

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:1892

C:\Users\Admin\AppData\Local\9QIw4o\PresentationHost.exe
C:\Users\Admin\AppData\Local\9QIw4o\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5064

C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
1⤵
PID:936

C:\Users\Admin\AppData\Local\SlzQ51CT\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\SlzQ51CT\ie4ushowIE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9QIw4o\PresentationHost.exe

Filesize
276KB

MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\9QIw4o\VERSION.dll

Filesize
1.2MB

MD5
b18b33770cf996999a556659b93a92ca

SHA1
2fcf1dc9558895545853397c66a0c09c857cd57b

SHA256
fb4462394f795c8c963ce4f80ce5b48054191e2454f026f2f82c4959a66c9ffa

SHA512
34cc5a5e6c29ea6b495ae4a5405e6a4b44a5d184581024f795941a3a17ef0250f660d565f38154b812bd55b0bae82c90b51a3568a9eb7e0588ea91011d1803a5

Download Submit
C:\Users\Admin\AppData\Local\SlzQ51CT\VERSION.dll

Filesize
1.2MB

MD5
2700dc6a9e7c77c5869aeeec62dcc213

SHA1
76b1458edfb81ebded3d1ed1dd3e2de0dd8a323a

SHA256
1473896b84e836d60517fa078622c325c230680b61c7a54fa2fa678d4555f6df

SHA512
efbc52be8c63e750dfd1f860b58315403f55efa0a1efd9b62e470ecd64bffe8186c4ebed130a68be9d126e7a9ea3c2ae43116b4a9a84ed476e6e282fe26f08c2

Download Submit
C:\Users\Admin\AppData\Local\SlzQ51CT\ie4ushowIE.exe

Filesize
76KB

MD5
9de952f476abab0cd62bfd81e20a3deb

SHA1
109cc4467b78dad4b12a3225020ea590bccee3e6

SHA256
e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

SHA512
3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

Download Submit
C:\Users\Admin\AppData\Local\Y204n\WTSAPI32.dll

Filesize
1.2MB

MD5
0e44137396217bb930a5c72f9d8ce350

SHA1
aa9a24d8f7a6533d574d318180a124e777ae98d5

SHA256
ad172b3c7ed150f898a61a5e471436aeb1d709f378cfbfa2dcbf7e9a1e639b13

SHA512
540a43f4b70ea496d8e36bf764ec9a6594ee4ae0c5aa8068f5a3bb1528a6e4dade3b049a0de5ca94f3b3d28dc2e0b2e97bd32aa97a5d5f4c0381dd9cd9dd4c97

Download Submit
C:\Users\Admin\AppData\Local\Y204n\rdpclip.exe

Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk

Filesize
1KB

MD5
05e3aaab817eb06bb68e28caac03e0eb

SHA1
001e8d61ada797e9223f64a1f13aa448ff3550e6

SHA256
521262bda6a660d4c449f6cce75764bc20b3882695fff3702bb95e05ec01931f

SHA512
c6a62c4862625cca55bf8836e37b7e2a4d586aa89c13bda13d11c8136d07c87d8db2d97f0888525404360e2ea337de999679d8f18f2b209939be7115ea7a2990

Download Submit
memory/1400-51-0x00007FF999550000-0x00007FF999681000-memory.dmp

Filesize
1.2MB

Download
memory/1400-45-0x00007FF999550000-0x00007FF999681000-memory.dmp

Filesize
1.2MB

Download
memory/1400-48-0x0000024AB8EA0000-0x0000024AB8EA7000-memory.dmp

Filesize
28KB

Download
memory/3472-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3472-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3472-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3472-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3472-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3472-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3472-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3472-6-0x00007FF9B6C1A000-0x00007FF9B6C1B000-memory.dmp

Filesize
4KB

Download
memory/3472-4-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3472-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3472-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3472-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3472-27-0x00000000032E0000-0x00000000032E7000-memory.dmp

Filesize
28KB

Download
memory/3472-28-0x00007FF9B7690000-0x00007FF9B76A0000-memory.dmp

Filesize
64KB

Download
memory/3472-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3472-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3868-1-0x00007FF9A8FE0000-0x00007FF9A9110000-memory.dmp

Filesize
1.2MB

Download
memory/3868-38-0x00007FF9A8FE0000-0x00007FF9A9110000-memory.dmp

Filesize
1.2MB

Download
memory/3868-0-0x000001C8752A0000-0x000001C8752A7000-memory.dmp

Filesize
28KB

Download
memory/3988-79-0x0000027EA4C20000-0x0000027EA4C27000-memory.dmp

Filesize
28KB

Download
memory/3988-85-0x00007FF999490000-0x00007FF9995C1000-memory.dmp

Filesize
1.2MB

Download
memory/5064-63-0x000001B1FCD60000-0x000001B1FCD67000-memory.dmp

Filesize
28KB

Download
memory/5064-68-0x00007FF999490000-0x00007FF9995C1000-memory.dmp

Filesize
1.2MB

Download
memory/5064-62-0x00007FF999490000-0x00007FF9995C1000-memory.dmp

Filesize
1.2MB

Download