dridex | e65d864ac680a40fcf898cb480e6b6eb2406307973a19b5001edaedefc4b3f7b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff18e8259190c79d60bdb5e0ec552404_JaffaCakes118.dll
Size

1.2MB
MD5

ff18e8259190c79d60bdb5e0ec552404
SHA1

ffabe6c627e7824f5ff3d10c3716f03a4ae6dea9
SHA256

e65d864ac680a40fcf898cb480e6b6eb2406307973a19b5001edaedefc4b3f7b
SHA512

30efef42d9b3874822388b4c6a8c196d518fe560cd0bb12b23f0af3ad82da90533351e518a661a91d850b968b80d505fc2ada5c9dd10127c04ab3e157b1fac47
SSDEEP

24576:auYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:C9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3512-5-0x0000000002700000-0x0000000002701000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4104	DeviceEnroller.exe
1852	ddodiag.exe
2780	CameraSettingsUIHost.exe

Loads dropped DLL 3 IoCs

pid	Process
4104	DeviceEnroller.exe
1852	ddodiag.exe
2780	CameraSettingsUIHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tdfoxulv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\JvN\\ddodiag.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2572	rundll32.exe
2572	rundll32.exe
2572	rundll32.exe
2572	rundll32.exe
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3512	Process not Found
Token: SeCreatePagefilePrivilege	3512	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 212	3512	Process not Found	87
PID 3512 wrote to memory of 212	3512	Process not Found	87
PID 3512 wrote to memory of 4104	3512	Process not Found	88
PID 3512 wrote to memory of 4104	3512	Process not Found	88
PID 3512 wrote to memory of 4696	3512	Process not Found	91
PID 3512 wrote to memory of 4696	3512	Process not Found	91
PID 3512 wrote to memory of 1852	3512	Process not Found	92
PID 3512 wrote to memory of 1852	3512	Process not Found	92
PID 3512 wrote to memory of 1884	3512	Process not Found	93
PID 3512 wrote to memory of 1884	3512	Process not Found	93
PID 3512 wrote to memory of 2780	3512	Process not Found	94
PID 3512 wrote to memory of 2780	3512	Process not Found	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff18e8259190c79d60bdb5e0ec552404_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2572

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:212

C:\Users\Admin\AppData\Local\dgbla\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\dgbla\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4104

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:4696

C:\Users\Admin\AppData\Local\TdVEbpCwb\ddodiag.exe
C:\Users\Admin\AppData\Local\TdVEbpCwb\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1852

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:1884

C:\Users\Admin\AppData\Local\mHk\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\mHk\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TdVEbpCwb\XmlLite.dll

Filesize
1.2MB

MD5
c37e874ad20a14b7ee2188505642820e

SHA1
cf964bd3652c4ab86ac02f362e14b4ee0251d021

SHA256
a29ffd0bebb43d9ea68012efcddf0b236a5e49df67a90f7df4b2df45d898550d

SHA512
9a972dcf0effab0ae266324cad1b39e58958b150d7d0ed61a2c152964be04af28ff00f1c0af36dbb0ad40e4f82b64c14f60387092ea04448825be813900a6b18

Download Submit
C:\Users\Admin\AppData\Local\TdVEbpCwb\ddodiag.exe

Filesize
39KB

MD5
85feee634a6aee90f0108e26d3d9bc1f

SHA1
a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

SHA256
99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

SHA512
b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

Download Submit
C:\Users\Admin\AppData\Local\dgbla\DeviceEnroller.exe

Filesize
448KB

MD5
946d9474533f58d2613078fd14ca7473

SHA1
c2620ac9522fa3702a6a03299b930d6044aa5e49

SHA256
cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

SHA512
3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

Download Submit
C:\Users\Admin\AppData\Local\dgbla\XmlLite.dll

Filesize
1.2MB

MD5
03f6c8337def7e35584798b866515ca3

SHA1
e4a604a5ca2a56ebf705bed131f4183fac068705

SHA256
e67b2707d370871bbc96cae513df7a37473fa7284733261e224cb53914beb984

SHA512
e80382cc462fd6f5a9a5a1376c40ba50ae46c723c99403ac8b55d4f93831f265e88555a1aea6c9a1217c5e31630df24e83afe85cc6539ab0626c57e121068c57

Download Submit
C:\Users\Admin\AppData\Local\mHk\CameraSettingsUIHost.exe

Filesize
31KB

MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
C:\Users\Admin\AppData\Local\mHk\DUI70.dll

Filesize
1.4MB

MD5
097000ef27ee6d72b38ca8208c975c9d

SHA1
e2bea6e54875b0b45f78dcc03cb0933310926792

SHA256
e65f163e9d75e4a78aadff6906f00c9e438bab475dcf97219a9b798f995e5d48

SHA512
d1ccfa54ee0cf55ead82010f30719c77e5ae71b3d6f47e080b3921cb3ccf78d1b0601341645a816372b8526054579183e86037fb9bba5a686f582875b0971fa3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pvdelpvduyz.lnk

Filesize
1KB

MD5
d905589b102aa78d5604a20753719ab8

SHA1
5f1fda5cc7cc50e50a52a56ee0178bc211ac3d1c

SHA256
9bf237ae87140dde39703c7979db1557cc93cb87a3d7fb1dc96400e9cd6f1bd9

SHA512
e35b9acfb0e1706281780e0593140250b28b386d801139ad6fa034ab58057eabd442c314653f222a284bfad06051eae73aea8e4dde6bd0e6caeaec1415b9b443

Download Submit
memory/1852-70-0x00007FFB01780000-0x00007FFB018B2000-memory.dmp

Filesize
1.2MB

Download
memory/1852-65-0x00007FFB01780000-0x00007FFB018B2000-memory.dmp

Filesize
1.2MB

Download
memory/1852-64-0x0000025990D40000-0x0000025990D47000-memory.dmp

Filesize
28KB

Download
memory/2572-39-0x00007FFB06120000-0x00007FFB06251000-memory.dmp

Filesize
1.2MB

Download
memory/2572-0-0x0000029C65F50000-0x0000029C65F57000-memory.dmp

Filesize
28KB

Download
memory/2572-1-0x00007FFB06120000-0x00007FFB06251000-memory.dmp

Filesize
1.2MB

Download
memory/2780-84-0x000001DD571A0000-0x000001DD571A7000-memory.dmp

Filesize
28KB

Download
memory/2780-81-0x00007FFB01740000-0x00007FFB018B7000-memory.dmp

Filesize
1.5MB

Download
memory/2780-87-0x00007FFB01740000-0x00007FFB018B7000-memory.dmp

Filesize
1.5MB

Download
memory/3512-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3512-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3512-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3512-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3512-40-0x00007FFB1339A000-0x00007FFB1339B000-memory.dmp

Filesize
4KB

Download
memory/3512-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3512-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3512-4-0x00007FFB1339A000-0x00007FFB1339B000-memory.dmp

Filesize
4KB

Download
memory/3512-5-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/3512-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3512-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3512-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3512-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3512-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3512-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3512-29-0x0000000000930000-0x0000000000937000-memory.dmp

Filesize
28KB

Download
memory/3512-30-0x00007FFB14B70000-0x00007FFB14B80000-memory.dmp

Filesize
64KB

Download
memory/3512-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4104-53-0x00007FFB05610000-0x00007FFB05742000-memory.dmp

Filesize
1.2MB

Download
memory/4104-48-0x00007FFB05610000-0x00007FFB05742000-memory.dmp

Filesize
1.2MB

Download
memory/4104-47-0x00000213FB770000-0x00000213FB777000-memory.dmp

Filesize
28KB

Download