dridex | 00a4f5b50c281942629456327a8a4772f28e234abcb4dc6ecd755ff849714a93

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64aceb8bda31f573a45db0ea2c70c918_JaffaCakes118.dll
Size

872KB
MD5

64aceb8bda31f573a45db0ea2c70c918
SHA1

448bbb8dfded2f51b6b098cb2d650c961d0275b8
SHA256

00a4f5b50c281942629456327a8a4772f28e234abcb4dc6ecd755ff849714a93
SHA512

201c607317f291c84f417ca9b3c9c371c85140283c9d9279b62a8c46682224411ac3d612eafd95b606564893bea354df6af0ec7e443ae300e5862b591605e19f
SSDEEP

12288:SdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:kMIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3432-3-0x0000000002210000-0x0000000002211000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/4040-0-0x0000000140000000-0x00000001400DA000-memory.dmp	dridex_payload
behavioral2/memory/3432-58-0x0000000140000000-0x00000001400DA000-memory.dmp	dridex_payload
behavioral2/memory/3432-47-0x0000000140000000-0x00000001400DA000-memory.dmp	dridex_payload
behavioral2/memory/4040-61-0x0000000140000000-0x00000001400DA000-memory.dmp	dridex_payload
behavioral2/memory/1912-68-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral2/memory/1912-73-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral2/memory/1744-89-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral2/memory/1132-100-0x0000000140000000-0x0000000140120000-memory.dmp	dridex_payload
behavioral2/memory/1132-105-0x0000000140000000-0x0000000140120000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1912	mblctr.exe
1744	MDMAppInstaller.exe
1132	CameraSettingsUIHost.exe

Loads dropped DLL 3 IoCs

pid	Process
1912	mblctr.exe
1744	MDMAppInstaller.exe
1132	CameraSettingsUIHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmqwm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Excel\\yw3QzRI\\MDMAppInstaller.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MDMAppInstaller.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3432	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 1668	3432	Process not Found	94
PID 3432 wrote to memory of 1668	3432	Process not Found	94
PID 3432 wrote to memory of 1912	3432	Process not Found	95
PID 3432 wrote to memory of 1912	3432	Process not Found	95
PID 3432 wrote to memory of 3356	3432	Process not Found	96
PID 3432 wrote to memory of 3356	3432	Process not Found	96
PID 3432 wrote to memory of 1744	3432	Process not Found	97
PID 3432 wrote to memory of 1744	3432	Process not Found	97
PID 3432 wrote to memory of 3140	3432	Process not Found	98
PID 3432 wrote to memory of 3140	3432	Process not Found	98
PID 3432 wrote to memory of 1132	3432	Process not Found	99
PID 3432 wrote to memory of 1132	3432	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\64aceb8bda31f573a45db0ea2c70c918_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:1668

C:\Users\Admin\AppData\Local\tDemivda\mblctr.exe
C:\Users\Admin\AppData\Local\tDemivda\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1912

C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
1⤵
PID:3356

C:\Users\Admin\AppData\Local\HHlJ0HYXx\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\HHlJ0HYXx\MDMAppInstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1744

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Nglk5Hh\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\Nglk5Hh\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HHlJ0HYXx\MDMAppInstaller.exe

Filesize
151KB

MD5
30e978cc6830b04f1e7ed285cccaa746

SHA1
e915147c17e113c676c635e2102bbff90fb7aa52

SHA256
dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

SHA512
331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

Download Submit
C:\Users\Admin\AppData\Local\HHlJ0HYXx\WTSAPI32.dll

Filesize
876KB

MD5
389a649810454407896daf18f2d07a16

SHA1
e66a33e3fc3e6331d5c1f707026fd5ebaa8f3be2

SHA256
448e111572aaa84c614e7d87e618f8e7a12b55cff5286b8b3a50a266617ebb62

SHA512
eb74f12782858b0bee1af4315c7e0f61534c4c460974fb767a3b305103377e922160072b1007476f80522aa9f037cf661b3ca1a81f9f0ce22d1ba642fbb21d2c

Download Submit
C:\Users\Admin\AppData\Local\Nglk5Hh\CameraSettingsUIHost.exe

Filesize
31KB

MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
C:\Users\Admin\AppData\Local\Nglk5Hh\DUI70.dll

Filesize
1.1MB

MD5
d9f353270bff5a72db9931c249dd1498

SHA1
afdd498c823adbbb501a730289b9f147d7e32370

SHA256
d6e1c05da3fd3d968ec7afef99ab51d7f5b6bb2e7420cd964dd6ca2011f2207d

SHA512
14404c74397953baebe7357432dfb73a1a0fccfa7264e3d8f916dfe2e6770a4a5815975201f3b4010af93885bb6a7be1f1d9025f6cc79ec0cac87e6eff51d1d3

Download Submit
C:\Users\Admin\AppData\Local\tDemivda\dwmapi.dll

Filesize
876KB

MD5
a51e8b625024d1f15eaf8c87cad779f5

SHA1
b0d03630d59f7ae4cb5d531cda85e3197b84d664

SHA256
4212b14f66f08bb2da17fe3c008d0d1fd98b9ab3f0ac5cf8019578744cb48f3b

SHA512
978c256960f0dd0a303b8886fba2da018330d29cb79e7ea7cced52e000de2293da2efedff467bdd98b0a0f76641db3faf03bb17720237b9125d9b8b3ac69ed32

Download Submit
C:\Users\Admin\AppData\Local\tDemivda\mblctr.exe

Filesize
790KB

MD5
d3db14eabb2679e08020bcd0c96fa9f6

SHA1
578dca7aad29409634064579d269e61e1f07d9dd

SHA256
3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

SHA512
14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Womuvunldsugi.lnk

Filesize
1KB

MD5
dfebed6b207f014fc014bea6e02fa0bd

SHA1
4c48a98d6bf7160c04440668577b0a7f75e2f88f

SHA256
5f027edb1e5f74454f666759a245bbdbc9f88ca521fd063aa77b24c50066f87f

SHA512
c24205215fcbc0a0f77ef720f65a7c585eb0ccd8992e733be24f4ea959477fe2a48a431d633bc6d890817acbb37a1329ea52bbb0113c9bcba63387c28b13b89a

Download Submit
memory/1132-100-0x0000000140000000-0x0000000140120000-memory.dmp

Filesize
1.1MB

Download
memory/1132-102-0x00000288FB6C0000-0x00000288FB6C7000-memory.dmp

Filesize
28KB

Download
memory/1132-105-0x0000000140000000-0x0000000140120000-memory.dmp

Filesize
1.1MB

Download
memory/1744-89-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1744-86-0x000001A8B3700000-0x000001A8B3707000-memory.dmp

Filesize
28KB

Download
memory/1912-73-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1912-70-0x000002439E800000-0x000002439E807000-memory.dmp

Filesize
28KB

Download
memory/1912-68-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3432-16-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-8-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-27-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-26-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-25-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-47-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-24-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-23-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-22-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-21-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-20-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-19-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-17-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-29-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-15-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-14-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-13-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-12-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-11-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-10-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-9-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-28-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-7-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-6-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-18-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-5-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-3-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3432-33-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-31-0x00007FFCE7C6A000-0x00007FFCE7C6B000-memory.dmp

Filesize
4KB

Download
memory/3432-30-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-32-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-34-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-35-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-36-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-37-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-38-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-48-0x00007FFCE8260000-0x00007FFCE8270000-memory.dmp

Filesize
64KB

Download
memory/3432-58-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/3432-49-0x00007FFCE8250000-0x00007FFCE8260000-memory.dmp

Filesize
64KB

Download
memory/3432-46-0x00000000006D0000-0x00000000006D7000-memory.dmp

Filesize
28KB

Download
memory/4040-61-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/4040-0-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download
memory/4040-1-0x000001FF44E60000-0x000001FF44E67000-memory.dmp

Filesize
28KB

Download