dridex | b579608532ee7162cb68571b74d3b13838d6719133f75eaa6cb3c7a57bfe231f

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211cf9ae6ca6a0e4a98dacd5eda8d14a_JaffaCakes118.dll
Size

2.3MB
MD5

211cf9ae6ca6a0e4a98dacd5eda8d14a
SHA1

ef0761f5ae25b3dfdf9f57941134dd26924867f3
SHA256

b579608532ee7162cb68571b74d3b13838d6719133f75eaa6cb3c7a57bfe231f
SHA512

37810a5d53e9f846c2f7c76bb02d92fe58af6efe0f25e31f260f0ce4860df01ab7cd1128825323fef607731d0f6e57c2b7bc249b508f7cce0c39684a213347f3
SSDEEP

12288:/VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1gpE:2fP7fWsK5z9A+WGAW+V5SB6Ct4bnbg

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3520-4-0x00000000023F0000-0x00000000023F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesComputerName.exedwm.exeTaskmgr.exe

pid process

2348 SystemPropertiesComputerName.exe
4896 dwm.exe
2752 Taskmgr.exe
Loads dropped DLL 4 IoCs

Processes:

SystemPropertiesComputerName.exedwm.exeTaskmgr.exe

pid process

2348 SystemPropertiesComputerName.exe
4896 dwm.exe
4896 dwm.exe
2752 Taskmgr.exe

pid	process
2348	SystemPropertiesComputerName.exe
4896	dwm.exe
2752	Taskmgr.exe

pid	process
2348	SystemPropertiesComputerName.exe
4896	dwm.exe
4896	dwm.exe
2752	Taskmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pzfwfhktmuesbir = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\LDO\\dwm.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesComputerName.exedwm.exeTaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1844	rundll32.exe
1844	rundll32.exe
1844	rundll32.exe
1844	rundll32.exe
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520
3520

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3520
3520

pid	process
3520
3520

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3520 wrote to memory of 3416	3520	SystemPropertiesComputerName.exe
PID 3520 wrote to memory of 3416	3520	SystemPropertiesComputerName.exe
PID 3520 wrote to memory of 2348	3520	SystemPropertiesComputerName.exe
PID 3520 wrote to memory of 2348	3520	SystemPropertiesComputerName.exe
PID 3520 wrote to memory of 1132	3520	dwm.exe
PID 3520 wrote to memory of 1132	3520	dwm.exe
PID 3520 wrote to memory of 4896	3520	dwm.exe
PID 3520 wrote to memory of 4896	3520	dwm.exe
PID 3520 wrote to memory of 3708	3520	Taskmgr.exe
PID 3520 wrote to memory of 3708	3520	Taskmgr.exe
PID 3520 wrote to memory of 2752	3520	Taskmgr.exe
PID 3520 wrote to memory of 2752	3520	Taskmgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\211cf9ae6ca6a0e4a98dacd5eda8d14a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1844

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:3416

C:\Users\Admin\AppData\Local\fgrzg\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\fgrzg\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2348

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:1132

C:\Users\Admin\AppData\Local\nOpnbww4\dwm.exe
C:\Users\Admin\AppData\Local\nOpnbww4\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4896

C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
1⤵
PID:3708

C:\Users\Admin\AppData\Local\wKw\Taskmgr.exe
C:\Users\Admin\AppData\Local\wKw\Taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fgrzg\SYSDM.CPL

Filesize
2.3MB

MD5
4bc748ca89129237b03cd9dc9b242d2f

SHA1
a87fd158b629e750d770b859c12733489cfdd5ea

SHA256
537f312ead9934c5e6cdb644706967bf31f9136d08c1ca352409d15c764ca381

SHA512
84ae72259cddc39ef06791647f0cb9f75e3606f2b41116628b83d74bf6d9972b9de3c83dea7230b434b8bfe27500ad09b85acfadc4556fb94ccd995ddaf43caf

Download Submit
C:\Users\Admin\AppData\Local\fgrzg\SystemPropertiesComputerName.exe

Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Local\nOpnbww4\dwm.exe

Filesize
92KB

MD5
5c27608411832c5b39ba04e33d53536c

SHA1
f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

SHA256
0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

SHA512
1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

Download Submit
C:\Users\Admin\AppData\Local\nOpnbww4\dxgi.dll

Filesize
2.3MB

MD5
2ca380b8f204f6f90ba8f3583823d17b

SHA1
107b0391673c7271b616428d192c967cdb7fb5ed

SHA256
77d6052ec79f56bf3dfc32e384a8efb7826783191184210519df542be18332c1

SHA512
20492807d53a739f9bb758fce8556ceecf7398dddf708e2c768a54ed91fa3c409d0d325e70fcb5b6e73bc97c1a26f1adebc24c9df1207183ac708c6a05a85f18

Download Submit
C:\Users\Admin\AppData\Local\wKw\DUI70.dll

Filesize
2.6MB

MD5
76dd81aa0053050d3638ab7e9ab75832

SHA1
232ac24d4db5f0878131287fdc4d07988c5e6804

SHA256
99f8f475b6c6f911709fa11d7a0fb0350859bc2ebc4423755b3db6b325b65b79

SHA512
a467801643b9cf4906ab28eb35315166dbc4cf518a877dfe8ae132e3b64168ed6292b97994d108f077dfa7c3d6a8fe21a4e99ea4914d1afc92d699f7a5aa927f

Download Submit
C:\Users\Admin\AppData\Local\wKw\Taskmgr.exe

Filesize
1.2MB

MD5
58d5bc7895f7f32ee308e34f06f25dd5

SHA1
7a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4

SHA256
4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478

SHA512
872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk

Filesize
1KB

MD5
8fb22b2585bfcf3aa2ebaf6c1d41584a

SHA1
3eb58756b8b77e2c761c118c3e52686b3fd8ce13

SHA256
fafd529b54949179cd6a9e1e1d148228020042c91fa857fe98077e374e8ae743

SHA512
9eff2510bc07bfe5dba8744fea8e2befac03832ac6dd05af89b88fd862d68060be9c250c96c4f6b6deb21b9a092dddf683c67ad6a47b283536cf5b46d04dddf6

Download Submit
memory/1844-1-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/1844-0-0x000002004D4F0000-0x000002004D4F7000-memory.dmp

Filesize
28KB

Download
memory/1844-15-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2348-83-0x0000018C9AA10000-0x0000018C9AA17000-memory.dmp

Filesize
28KB

Download
memory/2348-84-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2348-78-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/3520-29-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-56-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-65-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-47-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-46-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-44-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-43-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-42-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-41-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-39-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-38-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-37-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-36-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-34-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-33-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-32-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-30-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-73-0x0000000002400000-0x0000000002407000-memory.dmp

Filesize
28KB

Download
memory/3520-28-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-27-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-26-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-24-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-23-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-21-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-22-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-67-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-20-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-19-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-18-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-74-0x00007FFC10C60000-0x00007FFC10C70000-memory.dmp

Filesize
64KB

Download
memory/3520-16-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-14-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-13-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-12-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-11-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-49-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-45-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-40-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-35-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-31-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-25-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-17-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-8-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-7-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-48-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-10-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-4-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/3520-9-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/3520-5-0x00007FFC0F9DA000-0x00007FFC0F9DB000-memory.dmp

Filesize
4KB

Download
memory/4896-97-0x0000021213B20000-0x0000021213B27000-memory.dmp

Filesize
28KB

Download