dridex | 85a83765c561ea8375b492b286a66a6541427217967cd399d2e4e4230141e4e7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49b478cc38b76090a5dcf3bf2bf85860_JaffaCakes118.dll
Size

1.2MB
MD5

49b478cc38b76090a5dcf3bf2bf85860
SHA1

17eac34e5fa4b82d401a47c5f5763e918693cac3
SHA256

85a83765c561ea8375b492b286a66a6541427217967cd399d2e4e4230141e4e7
SHA512

6f37c08e374b6b07a7c45a1521b05d2841864cf66d04044c1db9e6c828cdd877adbd6df0602df8db6df86740c28d72a27ed077c916333e2d08cb3129bae57958
SSDEEP

12288:pVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:IfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3500-4-0x00000000033D0000-0x00000000033D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesHardware.exemsra.exeWMPDMC.exe

pid process

5020 SystemPropertiesHardware.exe
2024 msra.exe
4200 WMPDMC.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesHardware.exemsra.exeWMPDMC.exe

pid process

5020 SystemPropertiesHardware.exe
2024 msra.exe
4200 WMPDMC.exe

pid	process
5020	SystemPropertiesHardware.exe
2024	msra.exe
4200	WMPDMC.exe

pid	process
5020	SystemPropertiesHardware.exe
2024	msra.exe
4200	WMPDMC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qiqbxsgjw = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\NX1rPUoVT\\msra.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesHardware.exemsra.exeWMPDMC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMPDMC.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4964	rundll32.exe
4964	rundll32.exe
4964	rundll32.exe
4964	rundll32.exe
4964	rundll32.exe
4964	rundll32.exe
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3500
Token: SeCreatePagefilePrivilege	3500
Token: SeShutdownPrivilege	3500
Token: SeCreatePagefilePrivilege	3500

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3500

pid	process
3500

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3500 wrote to memory of 4464	3500	SystemPropertiesHardware.exe
PID 3500 wrote to memory of 4464	3500	SystemPropertiesHardware.exe
PID 3500 wrote to memory of 5020	3500	SystemPropertiesHardware.exe
PID 3500 wrote to memory of 5020	3500	SystemPropertiesHardware.exe
PID 3500 wrote to memory of 5116	3500	msra.exe
PID 3500 wrote to memory of 5116	3500	msra.exe
PID 3500 wrote to memory of 2024	3500	msra.exe
PID 3500 wrote to memory of 2024	3500	msra.exe
PID 3500 wrote to memory of 4536	3500	WMPDMC.exe
PID 3500 wrote to memory of 4536	3500	WMPDMC.exe
PID 3500 wrote to memory of 4200	3500	WMPDMC.exe
PID 3500 wrote to memory of 4200	3500	WMPDMC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\49b478cc38b76090a5dcf3bf2bf85860_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:4464

C:\Users\Admin\AppData\Local\GJcYk57t\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\GJcYk57t\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5020

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:5116

C:\Users\Admin\AppData\Local\8f0ZdzK\msra.exe
C:\Users\Admin\AppData\Local\8f0ZdzK\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2024

C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
1⤵
PID:4536

C:\Users\Admin\AppData\Local\i48\WMPDMC.exe
C:\Users\Admin\AppData\Local\i48\WMPDMC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8f0ZdzK\NDFAPI.DLL

Filesize
1.2MB

MD5
c5d96671c5c745f43b13366c662339ac

SHA1
800a3b339e31d652e3a9ed4c75c9b9dae7964040

SHA256
6dc2e498233f5f184b5fc03ba322fd7972d13fed3526e76f0a170eb9fc97820f

SHA512
46c9061da8a75be31434c8fb1185d98a567ff88646c364daef0009f803c5918b1efede19c38b63b29884a18924c85914c078b9275d485aa74307fe2bcbca5449

Download Submit
C:\Users\Admin\AppData\Local\8f0ZdzK\msra.exe

Filesize
579KB

MD5
dcda3b7b8eb0bfbccb54b4d6a6844ad6

SHA1
316a2925e451f739f45e31bc233a95f91bf775fa

SHA256
011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

SHA512
18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

Download Submit
C:\Users\Admin\AppData\Local\GJcYk57t\SYSDM.CPL

Filesize
1.2MB

MD5
5d26820f3ba6f42a0f2186c72032305e

SHA1
41181fdd9831864d5975f3441ba2244c88c6bbb7

SHA256
e6fe9f1733ffc50e508b743997b4f62694e1ca8a20c18263d866cdbbb6a8a6c7

SHA512
1bb30e84c39f8528cf36fa738063f020f27aba62fa6d64235f044af5609a68d7d5955f07a0027e83c731bd7982ee9dec222d7277bdfebd2131449624e6dfd4d0

Download Submit
C:\Users\Admin\AppData\Local\GJcYk57t\SystemPropertiesHardware.exe

Filesize
82KB

MD5
bf5bc0d70a936890d38d2510ee07a2cd

SHA1
69d5971fd264d8128f5633db9003afef5fad8f10

SHA256
c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

SHA512
0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

Download Submit
C:\Users\Admin\AppData\Local\i48\OLEACC.dll

Filesize
1.2MB

MD5
f60c61a2aba49d1ef358da4212b8d248

SHA1
75af018642ef6b7faa3a249935cb27a3c3ac52a9

SHA256
dfdec9657bc9ffca4b9c3096a3e8ed46c2ccd7b36d167dc7e99207a9708e25ac

SHA512
98b2c286e2c8ea61cfee4d7f607aa96f4190d2f1841e3bd9e882e1a1a2d166da67ab38dd1b4557ebcede53af37d24837f2ce629f685a66c9f51ba323b404a074

Download Submit
C:\Users\Admin\AppData\Local\i48\WMPDMC.exe

Filesize
1.5MB

MD5
59ce6e554da0a622febce19eb61c4d34

SHA1
176a4a410cb97b3d4361d2aea0edbf17e15d04c7

SHA256
c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

SHA512
e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk

Filesize
1KB

MD5
c7d580a664e3d43d0c6c5e3f76002488

SHA1
71a6d9e5120e41ca122a2eb5970d0ccb5f253ae3

SHA256
62743a39036f21f492d524237b7db12625bc8ff1914c48e64e13697cdb7c0288

SHA512
81f59786098476e9ec6da07783965714b9d573667bb2c0964c9666773cbb3e36b10f2ea31429ccb080d093290086a07e7a8f80de55be1562e422483383fa1f0e

Download Submit
memory/2024-94-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2024-93-0x000002296C920000-0x000002296C927000-memory.dmp

Filesize
28KB

Download
memory/3500-26-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-20-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-67-0x00007FFBCB2E0000-0x00007FFBCB2F0000-memory.dmp

Filesize
64KB

Download
memory/3500-66-0x0000000001350000-0x0000000001357000-memory.dmp

Filesize
28KB

Download
memory/3500-58-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-49-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-42-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-41-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-40-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-37-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-36-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-35-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-34-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-33-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-32-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-30-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-29-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-28-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-27-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-6-0x00007FFBC97CA000-0x00007FFBC97CB000-memory.dmp

Filesize
4KB

Download
memory/3500-25-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-24-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-23-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-21-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-22-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-31-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-18-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-19-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-17-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-15-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-16-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-14-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-13-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-38-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-11-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-10-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-9-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-39-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-8-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-7-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/3500-4-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/3500-60-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/4200-108-0x0000027C955D0000-0x0000027C955D7000-memory.dmp

Filesize
28KB

Download
memory/4964-12-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/4964-3-0x00000163568F0000-0x00000163568F7000-memory.dmp

Filesize
28KB

Download
memory/4964-0-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/5020-77-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/5020-76-0x000001EA60B40000-0x000001EA60B47000-memory.dmp

Filesize
28KB

Download
memory/5020-71-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download