dridex | 84d3d619e2c19d65f1cd545a46284f1b0c8fed90e5e5ae3c2ea2c2fd8cd08dc3

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d4735af8b4bff7c28411a6c45ab0712_JaffaCakes118.dll
Size

1.1MB
MD5

4d4735af8b4bff7c28411a6c45ab0712
SHA1

29d2150c2481ad8422a6c89efea1eba372a59db0
SHA256

84d3d619e2c19d65f1cd545a46284f1b0c8fed90e5e5ae3c2ea2c2fd8cd08dc3
SHA512

fa3587957044c7e7140d5897c39ccbbfaf90db55f31ae70d1500c29d572c059d6be87aa13e6d4d2e5275607d11598f7e5d1b057010bc9e2c85a95f1daa933160
SSDEEP

12288:RdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:/MIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3380-4-0x0000000000990000-0x0000000000991000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3136-1-0x0000000140000000-0x000000014010F000-memory.dmp	dridex_payload
behavioral2/memory/3380-55-0x0000000140000000-0x000000014010F000-memory.dmp	dridex_payload
behavioral2/memory/3380-43-0x0000000140000000-0x000000014010F000-memory.dmp	dridex_payload
behavioral2/memory/3136-59-0x0000000140000000-0x000000014010F000-memory.dmp	dridex_payload
behavioral2/memory/4036-68-0x0000000140000000-0x0000000140155000-memory.dmp	dridex_payload
behavioral2/memory/4036-73-0x0000000140000000-0x0000000140155000-memory.dmp	dridex_payload
behavioral2/memory/2248-87-0x0000000140000000-0x0000000140110000-memory.dmp	dridex_payload
behavioral2/memory/2248-90-0x0000000140000000-0x0000000140110000-memory.dmp	dridex_payload
behavioral2/memory/1648-104-0x0000000140000000-0x0000000140111000-memory.dmp	dridex_payload
behavioral2/memory/1648-107-0x0000000140000000-0x0000000140111000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

dpapimig.exeWMPDMC.exemmc.exe

pid process

4036 dpapimig.exe
2248 WMPDMC.exe
1648 mmc.exe
Loads dropped DLL 3 IoCs

Processes:

dpapimig.exeWMPDMC.exemmc.exe

pid process

4036 dpapimig.exe
2248 WMPDMC.exe
1648 mmc.exe

pid	process
4036	dpapimig.exe
2248	WMPDMC.exe
1648	mmc.exe

pid	process
4036	dpapimig.exe
2248	WMPDMC.exe
1648	mmc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Labelis = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\User\\WORDDO~2\\1033\\Qr\\WMPDMC.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedpapimig.exeWMPDMC.exemmc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMPDMC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3136	rundll32.exe
3136	rundll32.exe
3136	rundll32.exe
3136	rundll32.exe
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380
Token: SeShutdownPrivilege	3380
Token: SeCreatePagefilePrivilege	3380

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3380
3380

pid	process
3380
3380

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3380 wrote to memory of 4636	3380	dpapimig.exe
PID 3380 wrote to memory of 4636	3380	dpapimig.exe
PID 3380 wrote to memory of 4036	3380	dpapimig.exe
PID 3380 wrote to memory of 4036	3380	dpapimig.exe
PID 3380 wrote to memory of 4564	3380	WMPDMC.exe
PID 3380 wrote to memory of 4564	3380	WMPDMC.exe
PID 3380 wrote to memory of 2248	3380	WMPDMC.exe
PID 3380 wrote to memory of 2248	3380	WMPDMC.exe
PID 3380 wrote to memory of 4932	3380	mmc.exe
PID 3380 wrote to memory of 4932	3380	mmc.exe
PID 3380 wrote to memory of 1648	3380	mmc.exe
PID 3380 wrote to memory of 1648	3380	mmc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d4735af8b4bff7c28411a6c45ab0712_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3136

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:4636

C:\Users\Admin\AppData\Local\IZ0lC\dpapimig.exe
C:\Users\Admin\AppData\Local\IZ0lC\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4036

C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
1⤵
PID:4564

C:\Users\Admin\AppData\Local\vKUL\WMPDMC.exe
C:\Users\Admin\AppData\Local\vKUL\WMPDMC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2248

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:4932

C:\Users\Admin\AppData\Local\CgfCXP\mmc.exe
C:\Users\Admin\AppData\Local\CgfCXP\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CgfCXP\DUser.dll

Filesize
1.1MB

MD5
465bb03eaaac7f172c1dfe0f0d376223

SHA1
04405b1e72aa548eeaf3f7fd82c6498861d69f56

SHA256
13417bcb305e20ecc76394d3f256a75f7d79a0bc15c0e15f0370b36f8f15b54e

SHA512
7183d363552a3362d70cd2e7516b219ef21a11dfc069569cd2fc75fce488f1f0f5a9ed58eeaff02e769733352eb1909a63c023fb252bf826a805b9f188dffa71

Download Submit
C:\Users\Admin\AppData\Local\CgfCXP\mmc.exe

Filesize
1.8MB

MD5
8c86b80518406f14a4952d67185032d6

SHA1
9269f1fbcf65fefbc88a2e239519c21efe0f6ba5

SHA256
895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a

SHA512
1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

Download Submit
C:\Users\Admin\AppData\Local\IZ0lC\DUI70.dll

Filesize
1.3MB

MD5
2fc4e7fd5ef383b0101a058d68e18aca

SHA1
452f2994e397ad5d645165f4b4fc68eb74db1acf

SHA256
8618846389b679eeef7d486fbedb2ab45cf301da6cb52c8f4d250b1ba5ce0bd7

SHA512
2aea555653e91a6333fa0b53db607c0e1da12609f4dc4b8a4742d264ae30bc8927d190808584a07927c17d6f5fb6f7338a50962a11d8d2078301c003f2274ed0

Download Submit
C:\Users\Admin\AppData\Local\IZ0lC\dpapimig.exe

Filesize
76KB

MD5
b6d6477a0c90a81624c6a8548026b4d0

SHA1
e6eac6941d27f76bbd306c2938c0a962dbf1ced1

SHA256
a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

SHA512
72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

Download Submit
C:\Users\Admin\AppData\Local\vKUL\WMPDMC.exe

Filesize
1.5MB

MD5
59ce6e554da0a622febce19eb61c4d34

SHA1
176a4a410cb97b3d4361d2aea0edbf17e15d04c7

SHA256
c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

SHA512
e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

Download Submit
C:\Users\Admin\AppData\Local\vKUL\dwmapi.dll

Filesize
1.1MB

MD5
9d8002708665d633c6169430f3a9d406

SHA1
e1d81cecb0cfd097347260002d0720e3abd47f42

SHA256
5e404db7d8bef52ba17712d0b314970c26689e113433c420d2c06fcc4ce33b53

SHA512
6bb5ea811ec4452ce3b7887559bdc5631f9776d904a8ea31d70df18fbd59c96649ba98a7f56fa3ae28c338472f371260db4c8a8e7c1e34df09583dc0a0894065

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk

Filesize
1KB

MD5
0e0f06c866fc494e8755ac34ef565e62

SHA1
f191ac9ad73b737114251b3428d88c67bd61c7a1

SHA256
3b0fd16bfeddfd54edc156f80e8e1f68c6f74d04556999ef9ad3de264d193845

SHA512
8fae8eb31dd37b41e251e044288aef3c9bb9b4a9507b2464dbc01973fa7a6f93fdc188254115bd5f33b8eeae114bd77f3de57160540dd5bae8a532786dea962d

Download Submit
memory/1648-102-0x0000000140000000-0x0000000140111000-memory.dmp

Filesize
1.1MB

Download
memory/1648-107-0x0000000140000000-0x0000000140111000-memory.dmp

Filesize
1.1MB

Download
memory/1648-104-0x0000000140000000-0x0000000140111000-memory.dmp

Filesize
1.1MB

Download
memory/1648-105-0x0000000000FC0000-0x0000000000FC7000-memory.dmp

Filesize
28KB

Download
memory/2248-90-0x0000000140000000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2248-87-0x0000000140000000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/2248-85-0x0000016F550E0000-0x0000016F550E7000-memory.dmp

Filesize
28KB

Download
memory/2248-84-0x0000000140000000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/3136-59-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3136-1-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3136-3-0x000001FBEFEB0000-0x000001FBEFEB7000-memory.dmp

Filesize
28KB

Download
memory/3136-2-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-22-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-9-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-30-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-29-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-28-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-27-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-26-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-24-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-23-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-43-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-20-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-18-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-17-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-16-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-15-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-13-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-12-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-11-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-10-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-31-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-8-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-33-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-32-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-25-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-21-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-6-0x00007FFDFDA5A000-0x00007FFDFDA5B000-memory.dmp

Filesize
4KB

Download
memory/3380-4-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3380-34-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-44-0x00007FFDFF640000-0x00007FFDFF650000-memory.dmp

Filesize
64KB

Download
memory/3380-45-0x00007FFDFF630000-0x00007FFDFF640000-memory.dmp

Filesize
64KB

Download
memory/3380-55-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-50-0x0000000000370000-0x0000000000377000-memory.dmp

Filesize
28KB

Download
memory/3380-35-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-19-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-7-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3380-14-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/4036-66-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4036-67-0x000001E5D0FC0000-0x000001E5D0FC7000-memory.dmp

Filesize
28KB

Download
memory/4036-68-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4036-73-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download