dridex | 505e175a4ff5d40800c0cf4a00332b8230504090a9f24b1f255d86770dbb23b6

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8881045a1ea4f61e672b9e6edcc4a8b_JaffaCakes118.dll
Size

1.2MB
MD5

f8881045a1ea4f61e672b9e6edcc4a8b
SHA1

aebacdb61c914143ba4160c44fa458be9559f358
SHA256

505e175a4ff5d40800c0cf4a00332b8230504090a9f24b1f255d86770dbb23b6
SHA512

b683a09a09942ba5e0d16ed752d81bfe72cfa8f100d9ec7dd6bbfb98495cdb26eb383beafa16e777a1452f9758cfe0305545381cbb5c32019119926440741992
SSDEEP

24576:muYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:G9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3448-5-0x0000000002FC0000-0x0000000002FC1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
928	wlrmdr.exe
4652	wscript.exe
3808	wextract.exe

Loads dropped DLL 3 IoCs

pid	Process
928	wlrmdr.exe
4652	wscript.exe
3808	wextract.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qebzqfuc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\WORDDO~2\\UT3AYC~1\\wscript.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlrmdr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3948	rundll32.exe
3948	rundll32.exe
3948	rundll32.exe
3948	rundll32.exe
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found
3448	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 2132	3448	Process not Found	89
PID 3448 wrote to memory of 2132	3448	Process not Found	89
PID 3448 wrote to memory of 928	3448	Process not Found	90
PID 3448 wrote to memory of 928	3448	Process not Found	90
PID 3448 wrote to memory of 2316	3448	Process not Found	91
PID 3448 wrote to memory of 2316	3448	Process not Found	91
PID 3448 wrote to memory of 4652	3448	Process not Found	92
PID 3448 wrote to memory of 4652	3448	Process not Found	92
PID 3448 wrote to memory of 2420	3448	Process not Found	93
PID 3448 wrote to memory of 2420	3448	Process not Found	93
PID 3448 wrote to memory of 3808	3448	Process not Found	94
PID 3448 wrote to memory of 3808	3448	Process not Found	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8881045a1ea4f61e672b9e6edcc4a8b_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3948

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:2132

C:\Users\Admin\AppData\Local\x5FzHE\wlrmdr.exe
C:\Users\Admin\AppData\Local\x5FzHE\wlrmdr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:928

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:2316

C:\Users\Admin\AppData\Local\TFTNumXH\wscript.exe
C:\Users\Admin\AppData\Local\TFTNumXH\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4652

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:2420

C:\Users\Admin\AppData\Local\PAmSce68A\wextract.exe
C:\Users\Admin\AppData\Local\PAmSce68A\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PAmSce68A\VERSION.dll

Filesize
1.2MB

MD5
8a1a6358aa9f5854b9b909286814d827

SHA1
20985070220bc1d26c00e3d0d7459bc47ba87eaf

SHA256
17206a4096bd14f740f6a611b52dee0b15b427b1841cb381273629e6aca19baf

SHA512
2791c5806913eadc809e4637c8b597237d1cc69b504249461026e5d44474d9c7e69a06c3fc97469b3f615823bad02fe08cd4f3f26af4ab6aa932a395e31bdb4b

Download Submit
C:\Users\Admin\AppData\Local\PAmSce68A\wextract.exe

Filesize
143KB

MD5
56e501e3e49cfde55eb1caabe6913e45

SHA1
ab2399cbf17dbee7b302bea49e40d4cee7caea76

SHA256
fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

SHA512
2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

Download Submit
C:\Users\Admin\AppData\Local\TFTNumXH\VERSION.dll

Filesize
1.2MB

MD5
0254244b4c29669b3a6bcb9a6507c0bb

SHA1
9f73f3ffb419066b99c21e860808edb03afbf6d2

SHA256
668e40c61a4a6c4e6a3350c230487c81a893969b1f2470cd9fcc4526f8f7a459

SHA512
0494c345d88e61277ce0908815fb520bc0d54941b2b8efdeeb0e24aacd4e2c711279b75e92d9e5ed1d33324be9210c8e55efc6117cc420b86d6086f5a9400caa

Download Submit
C:\Users\Admin\AppData\Local\TFTNumXH\wscript.exe

Filesize
166KB

MD5
a47cbe969ea935bdd3ab568bb126bc80

SHA1
15f2facfd05daf46d2c63912916bf2887cebd98a

SHA256
34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

SHA512
f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

Download Submit
C:\Users\Admin\AppData\Local\x5FzHE\DUI70.dll

Filesize
1.4MB

MD5
3e339d438637ec44d1130c4f47956c55

SHA1
7c3c397f37fd75a233c078f107a8819b468c8ad1

SHA256
6f9fb37a27387803ccd758ac36fc91694218b8de0256cf4d9a3bf13d49dd9929

SHA512
86eb87bf31433a0ee44fc911288319783eabcb109bf2ce1d1aa6f4621155fae79ed712c04cea44cd06b48569e225b99679ef94d09b403812c5166a49fe7903d9

Download Submit
C:\Users\Admin\AppData\Local\x5FzHE\wlrmdr.exe

Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Plbydas.lnk

Filesize
1KB

MD5
709c63af57e0f6ecbb9a9c7dda254e00

SHA1
aa0d5c0cb5072c1d382ea3983e020e5e480345d0

SHA256
77f2be10e6f28ea8b0f8b4e5696439ca526d1f00f7f83daec5c00c18c006d221

SHA512
cf4fb4a3b48936f03445ca43250afbe0b75a19efe381ada8b0067874501ad29b8df5193ab93537b90004f8f917d03de2ae08a0e87047d7d24ad8b5c111a46b58

Download Submit
memory/928-52-0x00007FFF124B0000-0x00007FFF12627000-memory.dmp

Filesize
1.5MB

Download
memory/928-49-0x00000273FC440000-0x00000273FC447000-memory.dmp

Filesize
28KB

Download
memory/928-46-0x00007FFF124B0000-0x00007FFF12627000-memory.dmp

Filesize
1.5MB

Download
memory/3448-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-5-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/3448-34-0x0000000001240000-0x0000000001247000-memory.dmp

Filesize
28KB

Download
memory/3448-35-0x00007FFF30790000-0x00007FFF307A0000-memory.dmp

Filesize
64KB

Download
memory/3448-4-0x00007FFF304EA000-0x00007FFF304EB000-memory.dmp

Filesize
4KB

Download
memory/3448-18-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3448-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3808-83-0x0000027F94C10000-0x0000027F94C17000-memory.dmp

Filesize
28KB

Download
memory/3808-86-0x00007FFF125B0000-0x00007FFF126E2000-memory.dmp

Filesize
1.2MB

Download
memory/3948-0-0x00007FFF221D0000-0x00007FFF22301000-memory.dmp

Filesize
1.2MB

Download
memory/3948-39-0x00007FFF221D0000-0x00007FFF22301000-memory.dmp

Filesize
1.2MB

Download
memory/3948-3-0x000001F94C920000-0x000001F94C927000-memory.dmp

Filesize
28KB

Download
memory/4652-66-0x00000221D8100000-0x00000221D8107000-memory.dmp

Filesize
28KB

Download
memory/4652-63-0x00007FFF125B0000-0x00007FFF126E2000-memory.dmp

Filesize
1.2MB

Download
memory/4652-69-0x00007FFF125B0000-0x00007FFF126E2000-memory.dmp

Filesize
1.2MB

Download