dridex | 45e0689c0505e4d32d651eeabac3c15072558c57fa8ed3403bdc3ffbb7197f2a

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66f1c60cbffe0d19f4b0459ef14628ab_JaffaCakes118.dll
Size

800KB
MD5

66f1c60cbffe0d19f4b0459ef14628ab
SHA1

a1a37181f922c11159a5ea45272973e85563c7bc
SHA256

45e0689c0505e4d32d651eeabac3c15072558c57fa8ed3403bdc3ffbb7197f2a
SHA512

bf87f0a585bc271b99d3b4d2b966a40b70b147646489a730700f6ecd5fe095040ad0334955ff0845c00e6625e91a2726122b40f9a75530dcdfde7efef595b446
SSDEEP

12288:HdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:9MIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3536-4-0x0000000008B40000-0x0000000008B41000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/840-0-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral2/memory/3536-55-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral2/memory/3536-44-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral2/memory/840-58-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral2/memory/2368-65-0x0000000140000000-0x00000001400CA000-memory.dmp	dridex_payload
behavioral2/memory/2368-70-0x0000000140000000-0x00000001400CA000-memory.dmp	dridex_payload
behavioral2/memory/2128-81-0x0000000140000000-0x00000001400C9000-memory.dmp	dridex_payload
behavioral2/memory/2128-86-0x0000000140000000-0x00000001400C9000-memory.dmp	dridex_payload
behavioral2/memory/4448-102-0x0000000140000000-0x00000001400C9000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2368	mfpmp.exe
2128	SppExtComObj.Exe
4448	SystemPropertiesPerformance.exe

Loads dropped DLL 3 IoCs

pid	Process
2368	mfpmp.exe
2128	SppExtComObj.Exe
4448	SystemPropertiesPerformance.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qhmytabp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\ScT40\\SppExtComObj.Exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.Exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
840	rundll32.exe
840	rundll32.exe
840	rundll32.exe
840	rundll32.exe
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found
3536	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3536	Process not Found
3536	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3536	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 3724	3536	Process not Found	100
PID 3536 wrote to memory of 3724	3536	Process not Found	100
PID 3536 wrote to memory of 2368	3536	Process not Found	101
PID 3536 wrote to memory of 2368	3536	Process not Found	101
PID 3536 wrote to memory of 3120	3536	Process not Found	102
PID 3536 wrote to memory of 3120	3536	Process not Found	102
PID 3536 wrote to memory of 2128	3536	Process not Found	103
PID 3536 wrote to memory of 2128	3536	Process not Found	103
PID 3536 wrote to memory of 4292	3536	Process not Found	104
PID 3536 wrote to memory of 4292	3536	Process not Found	104
PID 3536 wrote to memory of 4448	3536	Process not Found	105
PID 3536 wrote to memory of 4448	3536	Process not Found	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\66f1c60cbffe0d19f4b0459ef14628ab_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:840

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:3724

C:\Users\Admin\AppData\Local\LFF\mfpmp.exe
C:\Users\Admin\AppData\Local\LFF\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2368

C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
1⤵
PID:3120

C:\Users\Admin\AppData\Local\yjOCSX\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\yjOCSX\SppExtComObj.Exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2128

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:4292

C:\Users\Admin\AppData\Local\3AOzATaok\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\3AOzATaok\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3AOzATaok\SYSDM.CPL

Filesize
804KB

MD5
f63a3b8de872eb590af8586eba15503a

SHA1
3b5c2d9ebd9de35ad6da13177c10189fd9773216

SHA256
15cdb2101298221b15dff1d0c7dd1049bece0316a163b227ce2396735a00bb18

SHA512
e3f56221306d4d854ac3aa48cec8afb41906f206af07f406896ce72c9befaa79be6c0b49cfe40dc7d3f546fa6949900265f74b8abcdb92937112f64ec5c319d3

Download Submit
C:\Users\Admin\AppData\Local\3AOzATaok\SystemPropertiesPerformance.exe

Filesize
82KB

MD5
e4fbf7cab8669c7c9cef92205d2f2ffc

SHA1
adbfa782b7998720fa85678cc85863b961975e28

SHA256
b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

SHA512
c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

Download Submit
C:\Users\Admin\AppData\Local\LFF\MFPlat.DLL

Filesize
808KB

MD5
6ed733b1d92bd1d04f72c219c75b4e70

SHA1
fc0a06ef98e660440ac503cb8c9ddd580cf39f0c

SHA256
f31d2c291a23af708fe07f61320fb13dd0ce4b238e901e06caa5fd5f36134ba9

SHA512
37809325cde78ebd1d3ac6bd21f6e9f05c3bf28986fee6f993f55e1593e8cf12681df994abde0c6ef9f6dce9364cf390968cc8c297a4cdc27e0c7a2d7e24a340

Download Submit
C:\Users\Admin\AppData\Local\LFF\mfpmp.exe

Filesize
46KB

MD5
8f8fd1988973bac0c5244431473b96a5

SHA1
ce81ea37260d7cafe27612606cf044921ad1304c

SHA256
27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

SHA512
a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

Download Submit
C:\Users\Admin\AppData\Local\yjOCSX\ACTIVEDS.dll

Filesize
804KB

MD5
d0001f5252a504464bda337d8b2b15c3

SHA1
387cbcc6d3dbbb29a8893561b47262e1bf9b208a

SHA256
11a3e5bbc2ce2476d18973e43bc20790ce0235e032eab2a2c78a9ff6e9d038bd

SHA512
819f53195221051efce444a3a4df8bffdf7b6c160940aaec8670e24016028fc67491976013ab1ce3c56f3e0770a1b0cc3df622b9b3cbdccafe72088a2ed71111

Download Submit
C:\Users\Admin\AppData\Local\yjOCSX\SppExtComObj.Exe

Filesize
559KB

MD5
728a78909aa69ca0e976e94482350700

SHA1
6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

SHA256
2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

SHA512
22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk

Filesize
1KB

MD5
9b9988c6ace16d8ac0f0e757c97a25c5

SHA1
fa46f0525f9553d2f586fdff547f0672edb8b816

SHA256
8b356f5d78f7d6dfb68e6a0410b48a2f0c7e1c681bdf6cb151ed12e6dbc98f6b

SHA512
3eb8721ec3bcf476fc7c6e9e0dd857ac124f041633fbc1854bcb9dd1bd3e4bb5170c9496ecd9ec8e210d5dd01de6f9ed55d655cfad54b24df357c0daa20c8091

Download Submit
memory/840-58-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/840-0-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/840-2-0x00000285764E0000-0x00000285764E7000-memory.dmp

Filesize
28KB

Download
memory/2128-86-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/2128-81-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/2128-83-0x0000026765F10000-0x0000026765F17000-memory.dmp

Filesize
28KB

Download
memory/2368-70-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2368-65-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2368-67-0x000002D4D1460000-0x000002D4D1467000-memory.dmp

Filesize
28KB

Download
memory/3536-33-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-8-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-27-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-26-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-25-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-24-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-22-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-21-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-20-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-19-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-18-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-17-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-16-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-15-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-14-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-13-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-11-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-10-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-9-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-28-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-7-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-31-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-6-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-29-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-30-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-32-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-44-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-55-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-45-0x00007FF85AD40000-0x00007FF85AD50000-memory.dmp

Filesize
64KB

Download
memory/3536-46-0x00007FF85AD30000-0x00007FF85AD40000-memory.dmp

Filesize
64KB

Download
memory/3536-34-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-43-0x0000000008B20000-0x0000000008B27000-memory.dmp

Filesize
28KB

Download
memory/3536-35-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-23-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-12-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3536-3-0x00007FF85A52A000-0x00007FF85A52B000-memory.dmp

Filesize
4KB

Download
memory/3536-4-0x0000000008B40000-0x0000000008B41000-memory.dmp

Filesize
4KB

Download
memory/4448-102-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/4448-97-0x0000018F941B0000-0x0000018F941B7000-memory.dmp

Filesize
28KB

Download