dridex | d2b8767e0bc73b401800438a4249a81a7fc998d126f98ee574779b3629569e9c

Analysis

max time kernel
149s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f963cdd13e8a02e085ad96942c7b697e_JaffaCakes118.dll
Size

1.2MB
MD5

f963cdd13e8a02e085ad96942c7b697e
SHA1

c45bbdcfa0d01b667a899c580eaf672c17f6476e
SHA256

d2b8767e0bc73b401800438a4249a81a7fc998d126f98ee574779b3629569e9c
SHA512

442f9c643485bece188752fbac53aa9c2bfbbefc273c1b60e37d0e9625fdda2caf3ade1ebef99acb0964f015203c9ecea72cdb4250cf328b88b5ca8419a0701d
SSDEEP

24576:iVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8v:iV8hf6STw1ZlQauvzSq01ICe6zvmU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3408-4-0x00000000014E0000-0x00000000014E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
216	DWWIN.EXE
1140	CloudNotifications.exe
2788	perfmon.exe

Loads dropped DLL 3 IoCs

pid	Process
216	DWWIN.EXE
1140	CloudNotifications.exe
2788	perfmon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tdfoxulv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\bMseo\\CLOUDN~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
624	rundll32.exe
624	rundll32.exe
624	rundll32.exe
624	rundll32.exe
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 3632	3408	Process not Found	89
PID 3408 wrote to memory of 3632	3408	Process not Found	89
PID 3408 wrote to memory of 216	3408	Process not Found	90
PID 3408 wrote to memory of 216	3408	Process not Found	90
PID 3408 wrote to memory of 4752	3408	Process not Found	91
PID 3408 wrote to memory of 4752	3408	Process not Found	91
PID 3408 wrote to memory of 1140	3408	Process not Found	92
PID 3408 wrote to memory of 1140	3408	Process not Found	92
PID 3408 wrote to memory of 3952	3408	Process not Found	93
PID 3408 wrote to memory of 3952	3408	Process not Found	93
PID 3408 wrote to memory of 2788	3408	Process not Found	94
PID 3408 wrote to memory of 2788	3408	Process not Found	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f963cdd13e8a02e085ad96942c7b697e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:624

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:3632

C:\Users\Admin\AppData\Local\ooCDgYP\DWWIN.EXE
C:\Users\Admin\AppData\Local\ooCDgYP\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:216

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:4752

C:\Users\Admin\AppData\Local\s6L5OX2AA\CloudNotifications.exe
C:\Users\Admin\AppData\Local\s6L5OX2AA\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1140

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:3952

C:\Users\Admin\AppData\Local\UY6h\perfmon.exe
C:\Users\Admin\AppData\Local\UY6h\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\UY6h\credui.dll

Filesize
1.2MB

MD5
08f9849399f64c16d61833fb5cdaf1bc

SHA1
546dc060b740246949e25118c92ab72068ba56bf

SHA256
779e3520016357113fb64b97ae1805db0c2287f19b1bc15da6769bdcfe9c116b

SHA512
907886d9a27d2f792c48fefa2b9f38351a6056bd151028381cdba1d4bb0758c47ccfa981116394d00897443941be948a59bcf99f16996afd37084c77df60a5fe

Download Submit
C:\Users\Admin\AppData\Local\UY6h\perfmon.exe

Filesize
177KB

MD5
d38aa59c3bea5456bd6f95c73ad3c964

SHA1
40170eab389a6ba35e949f9c92962646a302d9ef

SHA256
5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

SHA512
59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

Download Submit
C:\Users\Admin\AppData\Local\ooCDgYP\DWWIN.EXE

Filesize
229KB

MD5
444cc4d3422a0fdd45c1b78070026c60

SHA1
97162ff341fff1ec54b827ec02f8b86fd2d41a97

SHA256
4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

SHA512
21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

Download Submit
C:\Users\Admin\AppData\Local\ooCDgYP\VERSION.dll

Filesize
1.2MB

MD5
c4d99fd1b28e295b6459d23687da3047

SHA1
dd1399715a349d67ad95cb27748d930447694527

SHA256
e0bca955b548c28d6405209821b5dde8f799685a65fa3522cc0239db5d74a60b

SHA512
f10a2c1962b09415bcadbc6e86645970981020bff464632ca617eedf24bb15082353263c10c0d39008f66edf41ce1f77915aa0e2f248ab1fd2a76f10a5de8564

Download Submit
C:\Users\Admin\AppData\Local\s6L5OX2AA\CloudNotifications.exe

Filesize
59KB

MD5
b50dca49bc77046b6f480db6444c3d06

SHA1
cc9b38240b0335b1763badcceac37aa9ce547f9e

SHA256
96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

SHA512
2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

Download Submit
C:\Users\Admin\AppData\Local\s6L5OX2AA\UxTheme.dll

Filesize
1.2MB

MD5
c569102f37640630bf08fc51c495484e

SHA1
fd694e105bc38fd5b25fe3123d0ee9b9b59674fb

SHA256
968452d9b85511068eb8c080b1bbf7a084bf586212164f7629909591edd3f12e

SHA512
1b0f62088be3d3a78751a00310890aa972bcefca3b9145bc80a1d6aa64045edd93731f7da58e77f597083f19e0418fc0f4ff6ee9f5a038a51c9ba3eef83b5087

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk

Filesize
1KB

MD5
834151eedd9de97a277645e1221d7bb0

SHA1
c7bbf535cf4700925ec362df5853a56fcc87b015

SHA256
af28fe069a8990cfb409ad1decff9d33d8d108e9710ce7f2734079bf4ab2100b

SHA512
41529cf8d78903cd25cc587475c9fdd633dae29b413b6d14fc60074a1252e43b1d0244f4b6ff25ce0f998fbcad1ced1b051008c7662c758777d6259164d1c6ea

Download Submit
memory/216-49-0x000001DF32250000-0x000001DF32257000-memory.dmp

Filesize
28KB

Download
memory/216-46-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/216-52-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/624-0-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/624-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/624-3-0x00000224FB220000-0x00000224FB227000-memory.dmp

Filesize
28KB

Download
memory/1140-63-0x000001DAFF130000-0x000001DAFF137000-memory.dmp

Filesize
28KB

Download
memory/1140-69-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2788-83-0x000001AB8A220000-0x000001AB8A227000-memory.dmp

Filesize
28KB

Download
memory/2788-86-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3408-36-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-29-0x0000000001470000-0x0000000001477000-memory.dmp

Filesize
28KB

Download
memory/3408-30-0x00007FFF95D50000-0x00007FFF95D60000-memory.dmp

Filesize
64KB

Download
memory/3408-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-5-0x00007FFF94D3A000-0x00007FFF94D3B000-memory.dmp

Filesize
4KB

Download
memory/3408-4-0x00000000014E0000-0x00000000014E1000-memory.dmp

Filesize
4KB

Download