dridex | 7ec10a17f6970d4d8db9ee8b26fb8dff79a3d8a666701c91ca856f1e023df29d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

910c0c807fac1d91d4f2c0e1b40669f8_JaffaCakes118.dll
Size

1.2MB
MD5

910c0c807fac1d91d4f2c0e1b40669f8
SHA1

837bd3d884170bb6b23de202e9cb17d0964ebfdb
SHA256

7ec10a17f6970d4d8db9ee8b26fb8dff79a3d8a666701c91ca856f1e023df29d
SHA512

b1a059f9bf9d401080d61e9c599dc2ac742483f72ff5fa5bb80a2d8511044af4922bf302625ba9c5124a4b69e1e9f7ed1808e19885bc6c66e3136f84b8bb874e
SSDEEP

12288:pVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:IfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3528-4-0x0000000002C90000-0x0000000002C91000-memory.dmp	dridex_stager_shellcode

Drops startup file 6 IoCs

Processes:

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\80xWvpY
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\80xWvpY\UxTheme.dll
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\80xWvpY\CloudNotifications.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Pn9f2sxi
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Pn9f2sxi\NDFAPI.DLL
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Pn9f2sxi\msra.exe

Executes dropped EXE 3 IoCs

Processes:

upfc.exeCloudNotifications.exemsra.exe

pid	Process
336	upfc.exe
1916	CloudNotifications.exe
1844	msra.exe

Loads dropped DLL 3 IoCs

Processes:

upfc.exeCloudNotifications.exemsra.exe

pid	Process
336	upfc.exe
1916	CloudNotifications.exe
1844	msra.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fzrdqelbmr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\80xWvpY\\CLOUDN~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeupfc.exeCloudNotifications.exemsra.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2256	rundll32.exe
2256	rundll32.exe
2256	rundll32.exe
2256	rundll32.exe
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3528 wrote to memory of 3620	3528	84
PID 3528 wrote to memory of 3620	3528	84
PID 3528 wrote to memory of 336	3528	85
PID 3528 wrote to memory of 336	3528	85
PID 3528 wrote to memory of 4584	3528	89
PID 3528 wrote to memory of 4584	3528	89
PID 3528 wrote to memory of 1916	3528	91
PID 3528 wrote to memory of 1916	3528	91
PID 3528 wrote to memory of 3844	3528	93
PID 3528 wrote to memory of 3844	3528	93
PID 3528 wrote to memory of 1844	3528	94
PID 3528 wrote to memory of 1844	3528	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\910c0c807fac1d91d4f2c0e1b40669f8_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2256

C:\Windows\system32\upfc.exe
C:\Windows\system32\upfc.exe
1⤵
PID:3620

C:\Users\Admin\AppData\Local\Fxa4yj2\upfc.exe
C:\Users\Admin\AppData\Local\Fxa4yj2\upfc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:336

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:4584

C:\Users\Admin\AppData\Local\F1WtA\CloudNotifications.exe
C:\Users\Admin\AppData\Local\F1WtA\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1916

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:3844

C:\Users\Admin\AppData\Local\SW8QvEV\msra.exe
C:\Users\Admin\AppData\Local\SW8QvEV\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\F1WtA\CloudNotifications.exe

Filesize
59KB

MD5
b50dca49bc77046b6f480db6444c3d06

SHA1
cc9b38240b0335b1763badcceac37aa9ce547f9e

SHA256
96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

SHA512
2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

Download Submit
C:\Users\Admin\AppData\Local\F1WtA\UxTheme.dll

Filesize
1.2MB

MD5
561fe0ba93f2463bdfbce486d08eceab

SHA1
e410c847ea3405798d684ef94833d883519365b7

SHA256
48baee822c6efeab99c15cab765199827416f8bd8b8f484c9fdb2bbe0f53bab6

SHA512
3c1f97067152b413d3bffd39fd3c12ec9dc37a4f3ca66486c93172bfc2556b5a2b37fac912b2544c4c7360ad1b865c524738bea2ab94a5284d88d83aa5f47160

Download Submit
C:\Users\Admin\AppData\Local\Fxa4yj2\XmlLite.dll

Filesize
1.2MB

MD5
a15c6ec6dfb363b9d2c2e387d16242f3

SHA1
3cc1f15cc995bc80d037bdfb1336ec48e7210109

SHA256
fbe8b8d7301dc1944965ac12806e95286e6f6f544da3755a03ab65d4b943e375

SHA512
4822c386e94760c69af7d0ca3bc406d1f4669d98e55a2224080e77983bbb9cc9246f83835653e11cae941750903ae4cd4b78d47d8a7d9bde6dd57ba4d2794ff7

Download Submit
C:\Users\Admin\AppData\Local\Fxa4yj2\upfc.exe

Filesize
118KB

MD5
299ea296575ccb9d2c1a779062535d5c

SHA1
2497169c13b0ba46a6be8a1fe493b250094079b7

SHA256
ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

SHA512
02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

Download Submit
C:\Users\Admin\AppData\Local\SW8QvEV\NDFAPI.DLL

Filesize
1.2MB

MD5
9ba078197adfba537aae72aac188a3f6

SHA1
4ad2ff88aa944567a82e33b51576d94ff965e823

SHA256
49baeb0dc628bbf6dad148d680147e239f69e6e48898c9c2323bf7754e75bd27

SHA512
b96246b03f7b8590608480116367d890916bdd454c156465be60ec3fe54cb2418126014278cd193f995873ca044a7f7d0896e6b31795c863697249fe0e18e8e5

Download Submit
C:\Users\Admin\AppData\Local\SW8QvEV\msra.exe

Filesize
579KB

MD5
dcda3b7b8eb0bfbccb54b4d6a6844ad6

SHA1
316a2925e451f739f45e31bc233a95f91bf775fa

SHA256
011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

SHA512
18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk

Filesize
1KB

MD5
f66c47aff14097b0dd51639f20637319

SHA1
079dbe7b7806cd8cd8c39863017ca1541de062ba

SHA256
1a49c9bc7828f51b77f9e5c118c173d100a6a555da447e35b1b7364b8e163bfd

SHA512
2c6cebab7e72fbe18320cc9cfbb18b8d0f546f779914641f35577852af355671d979371b0c3a70457b192606cf215f7cf5e8b06f8a0ab3c72b1ec20d200638fa

Download Submit
memory/336-83-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/336-82-0x00000292B83C0000-0x00000292B83C7000-memory.dmp

Filesize
28KB

Download
memory/336-77-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1844-111-0x000001BEBE1D0000-0x000001BEBE1D7000-memory.dmp

Filesize
28KB

Download
memory/1916-94-0x000001F102AE0000-0x000001F102AE7000-memory.dmp

Filesize
28KB

Download
memory/2256-16-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/2256-1-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/2256-0-0x00000212B8130000-0x00000212B8137000-memory.dmp

Filesize
28KB

Download
memory/3528-32-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-47-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-48-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-46-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-44-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-43-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-42-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-41-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-40-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-39-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-38-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-37-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-35-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-34-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-33-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-64-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-30-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-29-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-27-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-26-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-66-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-72-0x0000000000C00000-0x0000000000C07000-memory.dmp

Filesize
28KB

Download
memory/3528-73-0x00007FFB43BC0000-0x00007FFB43BD0000-memory.dmp

Filesize
64KB

Download
memory/3528-55-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-9-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-7-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-25-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-24-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-23-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-21-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-20-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-19-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-18-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-17-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-5-0x00007FFB41D1A000-0x00007FFB41D1B000-memory.dmp

Filesize
4KB

Download
memory/3528-15-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-14-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-11-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-10-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-8-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-45-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-36-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-31-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-28-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-22-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-12-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-13-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3528-4-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download