dridex | c946e2a27a0c8eb2dd4bbffd200e12eb98ecec7ac2b41ae21b86ce6197e2444b

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bbced116fdb8fc62616ebecff5923b0_JaffaCakes118.dll
Size

1.2MB
MD5

2bbced116fdb8fc62616ebecff5923b0
SHA1

08c7486f88a21923f42b1da93f80e518be7e2332
SHA256

c946e2a27a0c8eb2dd4bbffd200e12eb98ecec7ac2b41ae21b86ce6197e2444b
SHA512

e581584c16497af995212caf6f80011fdded57e02184293ff9d67c07d552a96e70655af54d1be9f28f12445f43ae578480c400d559528622e5e060e3c1b361d4
SSDEEP

12288:qVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:3fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3412-4-0x0000000002540000-0x0000000002541000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
5084	bdeunlock.exe
3940	DWWIN.EXE
1080	wscript.exe

Loads dropped DLL 3 IoCs

pid	Process
5084	bdeunlock.exe
3940	DWWIN.EXE
1080	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nzvdnevrdk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\9gA\\DWWIN.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	rundll32.exe
2732	rundll32.exe
2732	rundll32.exe
2732	rundll32.exe
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 3964	3412	Process not Found	86
PID 3412 wrote to memory of 3964	3412	Process not Found	86
PID 3412 wrote to memory of 5084	3412	Process not Found	87
PID 3412 wrote to memory of 5084	3412	Process not Found	87
PID 3412 wrote to memory of 3392	3412	Process not Found	88
PID 3412 wrote to memory of 3392	3412	Process not Found	88
PID 3412 wrote to memory of 3940	3412	Process not Found	89
PID 3412 wrote to memory of 3940	3412	Process not Found	89
PID 3412 wrote to memory of 2736	3412	Process not Found	90
PID 3412 wrote to memory of 2736	3412	Process not Found	90
PID 3412 wrote to memory of 1080	3412	Process not Found	91
PID 3412 wrote to memory of 1080	3412	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bbced116fdb8fc62616ebecff5923b0_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2732

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:3964

C:\Users\Admin\AppData\Local\kFbF6\bdeunlock.exe
C:\Users\Admin\AppData\Local\kFbF6\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5084

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:3392

C:\Users\Admin\AppData\Local\OD0hrIG\DWWIN.EXE
C:\Users\Admin\AppData\Local\OD0hrIG\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3940

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:2736

C:\Users\Admin\AppData\Local\TXL\wscript.exe
C:\Users\Admin\AppData\Local\TXL\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OD0hrIG\DWWIN.EXE

Filesize
229KB

MD5
444cc4d3422a0fdd45c1b78070026c60

SHA1
97162ff341fff1ec54b827ec02f8b86fd2d41a97

SHA256
4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

SHA512
21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

Download Submit
C:\Users\Admin\AppData\Local\OD0hrIG\VERSION.dll

Filesize
1.2MB

MD5
d33b63d2fed0bed30a7de7da7f334f50

SHA1
72c2856979e85767ac810c0e56034f58b2c9c74e

SHA256
82fb7f267483e8115ed3eb7903944144bf69eb6e116588585b139df69dc3fc3e

SHA512
a9726867311e596c5abbb6fa34ad4fac5fb35f1bf86fd19c02c24b7f90ed942aebe9204b1ccde810532f8b812c8bbe3a9b13dee571df854c303dc06faeef866e

Download Submit
C:\Users\Admin\AppData\Local\TXL\VERSION.dll

Filesize
1.2MB

MD5
925014fdc0fb8572907631e1f89c8ac1

SHA1
bdba6311621bc50612627d34b5364017d09dc905

SHA256
4613849fcfda8c4114f049c19f72efca388b24522546546f564dc9502b30c24f

SHA512
3f6d920b302f03704c1d5729655cdbe22ae2904946a32d002cc16222b1ee5fb0ee6c2e15bf050e6c957db4557d30e3db96e4700466c932190c04df0fafd6ab0d

Download Submit
C:\Users\Admin\AppData\Local\TXL\wscript.exe

Filesize
166KB

MD5
a47cbe969ea935bdd3ab568bb126bc80

SHA1
15f2facfd05daf46d2c63912916bf2887cebd98a

SHA256
34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

SHA512
f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

Download Submit
C:\Users\Admin\AppData\Local\kFbF6\DUI70.dll

Filesize
1.4MB

MD5
afd3721a5638a81a2a2232d0f961026e

SHA1
b97f4eb73f7831acdddbd0fca39648d22abcf002

SHA256
f644e5f2b8ffa813192354eb880f6017ae7786ab69f3e2b3c2f01ca9cd962773

SHA512
662082680bc0a8a4479e2afced82e0b47c2f1bfa759203437b1b0a5d02075dbd83ee5d292dde6abaea50e7b01953b808f4b21405c9c962057bd59e12415b1461

Download Submit
C:\Users\Admin\AppData\Local\kFbF6\bdeunlock.exe

Filesize
279KB

MD5
fef5d67150c249db3c1f4b30a2a5a22e

SHA1
41ca037b0229be9338da4d78244b4f0ea5a3d5f3

SHA256
dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

SHA512
4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk

Filesize
974B

MD5
760f1fd94a9242a1c74e00d0fc8c096a

SHA1
9f524814c50dadb2a3bf8e621f3ab191504d5c67

SHA256
9c9e8f430d4395e34d1e3dcc8840222cfab00363fac4182711e6f0ee28f11254

SHA512
c231448733329e341ca339d9bab954a29c6c6b71e4800cc6fcd10bd43e6477290189fe6763420222179c1c81364b1d71c63c4086e8c5ae973a3378652071fcdb

Download Submit
memory/1080-106-0x000002D6731A0000-0x000002D6731A7000-memory.dmp

Filesize
28KB

Download
memory/2732-16-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2732-0-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2732-2-0x000001D595A60000-0x000001D595A67000-memory.dmp

Filesize
28KB

Download
memory/3412-12-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-41-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-32-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-31-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-28-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-26-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-27-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-25-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-24-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-23-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-22-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-21-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-20-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-19-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-18-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-17-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-59-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-15-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-13-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-50-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-11-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-10-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-9-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-43-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-42-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-33-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-40-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-39-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-38-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-37-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-36-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-35-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-34-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-30-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-7-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-64-0x0000000000B30000-0x0000000000B37000-memory.dmp

Filesize
28KB

Download
memory/3412-65-0x00007FFEA2C20000-0x00007FFEA2C30000-memory.dmp

Filesize
64KB

Download
memory/3412-4-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3412-5-0x00007FFEA0FDA000-0x00007FFEA0FDB000-memory.dmp

Filesize
4KB

Download
memory/3412-14-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-61-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-29-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3412-8-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3940-90-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3940-95-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3940-89-0x0000019190DE0000-0x0000019190DE7000-memory.dmp

Filesize
28KB

Download
memory/5084-78-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/5084-73-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/5084-72-0x0000020DA38A0000-0x0000020DA38A7000-memory.dmp

Filesize
28KB

Download