dridex | 71589f5444e986a5cb4bd2043518f4209f7afa633c826b3f8471dba7a47a689f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd08217e7bf39060422120e0bf0c3c55_JaffaCakes118.dll
Size

1.2MB
MD5

fd08217e7bf39060422120e0bf0c3c55
SHA1

30b0479d71ea93a53e6ba7dc47c5f3cbf226de13
SHA256

71589f5444e986a5cb4bd2043518f4209f7afa633c826b3f8471dba7a47a689f
SHA512

c0aff810372c653b505c50abd8a21960dc951798102cf726373178f53fe7cf96d33f97baacd0b98e34eee4fa3416243fe0af4f3ef9f1ff5b3ba6eb194fe98208
SSDEEP

24576:suYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:E9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3588-4-0x0000000002970000-0x0000000002971000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1464	isoburn.exe
2368	wextract.exe
3076	FXSCOVER.exe

Loads dropped DLL 3 IoCs

pid	Process
1464	isoburn.exe
2368	wextract.exe
3076	FXSCOVER.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wdtbxtklooytt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\gD72K\\wextract.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found
3588	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4356	3588	Process not Found	84
PID 3588 wrote to memory of 4356	3588	Process not Found	84
PID 3588 wrote to memory of 1464	3588	Process not Found	85
PID 3588 wrote to memory of 1464	3588	Process not Found	85
PID 3588 wrote to memory of 2792	3588	Process not Found	88
PID 3588 wrote to memory of 2792	3588	Process not Found	88
PID 3588 wrote to memory of 2368	3588	Process not Found	89
PID 3588 wrote to memory of 2368	3588	Process not Found	89
PID 3588 wrote to memory of 3360	3588	Process not Found	93
PID 3588 wrote to memory of 3360	3588	Process not Found	93
PID 3588 wrote to memory of 3076	3588	Process not Found	94
PID 3588 wrote to memory of 3076	3588	Process not Found	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd08217e7bf39060422120e0bf0c3c55_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:4356

C:\Users\Admin\AppData\Local\6PDPA1GO4\isoburn.exe
C:\Users\Admin\AppData\Local\6PDPA1GO4\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1464

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:2792

C:\Users\Admin\AppData\Local\57UPw\wextract.exe
C:\Users\Admin\AppData\Local\57UPw\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2368

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:3360

C:\Users\Admin\AppData\Local\T9t4h9j\FXSCOVER.exe
C:\Users\Admin\AppData\Local\T9t4h9j\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\57UPw\VERSION.dll

Filesize
1.2MB

MD5
3c329e0f4ca4d06613c6752bdbb28ecd

SHA1
4018a721af5d8b1a6a9173d8b0786ecfaaa18094

SHA256
ef77d35c7cf31783d698c9fd4e14c3f26056b3e4894f9212ffd7498af1c6371f

SHA512
0dba2beb26e3aa117e90b47900878791d2d4321cecc852186fc7a6291637a582983686cbe81f698cbf944f743e87319caa597a50c27b95c4b43fb8363877e5c0

Download Submit
C:\Users\Admin\AppData\Local\57UPw\wextract.exe

Filesize
143KB

MD5
56e501e3e49cfde55eb1caabe6913e45

SHA1
ab2399cbf17dbee7b302bea49e40d4cee7caea76

SHA256
fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

SHA512
2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

Download Submit
C:\Users\Admin\AppData\Local\6PDPA1GO4\UxTheme.dll

Filesize
1.2MB

MD5
86031b544967a605f9d8de46fadeef5b

SHA1
7692d07ef1ed7bf245e99ebbca468cd8ed008435

SHA256
01191c0308ff05105dcfa1ccd9910daa42087528eaaaf84e2f6631d5ae518044

SHA512
d8064e0fd0ecc0bf2657f3cfcfaa3b2b3d38e87fbfb0083b397eca8ce370d03efab71b0241f2ee30d2d94956762189bc67e3045b8f7453e27bc6e11eff1db438

Download Submit
C:\Users\Admin\AppData\Local\6PDPA1GO4\isoburn.exe

Filesize
119KB

MD5
68078583d028a4873399ae7f25f64bad

SHA1
a3c928fe57856a10aed7fee17670627fe663e6fe

SHA256
9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567

SHA512
25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

Download Submit
C:\Users\Admin\AppData\Local\T9t4h9j\FXSCOVER.exe

Filesize
242KB

MD5
5769f78d00f22f76a4193dc720d0b2bd

SHA1
d62b6cab057e88737cba43fe9b0c6d11a28b53e8

SHA256
40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

SHA512
b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

Download Submit
C:\Users\Admin\AppData\Local\T9t4h9j\MFC42u.dll

Filesize
1.2MB

MD5
6dd7c80a7250f9d1c383ac58032da101

SHA1
318b511dd576af748985ffc71d7d64b796985046

SHA256
ffd9dab6ab71c9af391370340cc639c6a13a8ec0f29bea3cbf96f6ff75b251ca

SHA512
f879be1048893fe6dfbfc00acf3390f22fc16977d94fe280013b1e25c41320e36606570982dd34710573dea521f3ee331c3f484fc87807f7f0eec2b1e91b63bf

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ahvhgxnkgdxqlh.lnk

Filesize
1KB

MD5
ca9b5a9c53737abf1c990e9dc154bfbe

SHA1
2e96456385c518ef14259a3326e65f89a5cef585

SHA256
620e8ae9ad912c634a99193a5a2d76e38171c12eaed290b1f2fcb508f5ccc56a

SHA512
7960a0bcc70e644ead5f3417de7c82245c45a91701d9a3ecb7eba809330d5adb7a9b8100dc8901de8a6358bae3209b57e02e8d41196a60dbd63ba29452fb8f12

Download Submit
memory/1464-46-0x000001A46DF10000-0x000001A46DF17000-memory.dmp

Filesize
28KB

Download
memory/1464-47-0x00007FF8B7B80000-0x00007FF8B7CB2000-memory.dmp

Filesize
1.2MB

Download
memory/1464-52-0x00007FF8B7B80000-0x00007FF8B7CB2000-memory.dmp

Filesize
1.2MB

Download
memory/2368-69-0x00007FF8A7DE0000-0x00007FF8A7F12000-memory.dmp

Filesize
1.2MB

Download
memory/2368-66-0x000001FCCBAA0000-0x000001FCCBAA7000-memory.dmp

Filesize
28KB

Download
memory/2368-63-0x00007FF8A7DE0000-0x00007FF8A7F12000-memory.dmp

Filesize
1.2MB

Download
memory/3076-82-0x000002098BBE0000-0x000002098BBE7000-memory.dmp

Filesize
28KB

Download
memory/3076-83-0x00007FF8A7DE0000-0x00007FF8A7F18000-memory.dmp

Filesize
1.2MB

Download
memory/3076-88-0x00007FF8A7DE0000-0x00007FF8A7F18000-memory.dmp

Filesize
1.2MB

Download
memory/3588-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3588-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3588-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3588-6-0x00007FF8C577A000-0x00007FF8C577B000-memory.dmp

Filesize
4KB

Download
memory/3588-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3588-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3588-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3588-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3588-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3588-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3588-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3588-4-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3588-29-0x0000000002820000-0x0000000002827000-memory.dmp

Filesize
28KB

Download
memory/3588-30-0x00007FF8C5D90000-0x00007FF8C5DA0000-memory.dmp

Filesize
64KB

Download
memory/3588-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3588-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3588-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4476-0-0x000002099D2C0000-0x000002099D2C7000-memory.dmp

Filesize
28KB

Download
memory/4476-39-0x00007FF8B7B80000-0x00007FF8B7CB1000-memory.dmp

Filesize
1.2MB

Download
memory/4476-2-0x00007FF8B7B80000-0x00007FF8B7CB1000-memory.dmp

Filesize
1.2MB

Download