dridex | 7fab9e0fd730a322d526345ff7be62c4136e27a65bce62426db888db72811d81

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7d1a4ad90104b8715abe6ff3177b2ad_JaffaCakes118.dll
Size

956KB
MD5

d7d1a4ad90104b8715abe6ff3177b2ad
SHA1

37f2096b6d18dc5d928e8e58d811b28ecc83f762
SHA256

7fab9e0fd730a322d526345ff7be62c4136e27a65bce62426db888db72811d81
SHA512

a0edc3a1827783ccc78bb375ffc3d8fa36f81f3d6021b39dbab2a473ae0ee3256b06bbb99172fded761b4ecd355a4bae2baa2e38f572d3912086a036d375e4b6
SSDEEP

12288:+hEYeww+UVOnx3HUx88QnugdBcqfoeC1XE/fTPcCHfla:kxwq34ZStD1foeCmDPc

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex family
dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3556-3-0x0000000000F80000-0x0000000000F81000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/1796-1-0x00007FFD74680000-0x00007FFD7476F000-memory.dmp	dridex_payload
behavioral2/memory/3556-31-0x0000000140000000-0x00000001400EF000-memory.dmp	dridex_payload
behavioral2/memory/3556-50-0x0000000140000000-0x00000001400EF000-memory.dmp	dridex_payload
behavioral2/memory/3556-39-0x0000000140000000-0x00000001400EF000-memory.dmp	dridex_payload
behavioral2/memory/1796-53-0x00007FFD74680000-0x00007FFD7476F000-memory.dmp	dridex_payload
behavioral2/memory/4296-69-0x00007FFD65B90000-0x00007FFD65C80000-memory.dmp	dridex_payload
behavioral2/memory/4296-73-0x00007FFD65B90000-0x00007FFD65C80000-memory.dmp	dridex_payload
behavioral2/memory/4992-84-0x00007FFD65010000-0x00007FFD65100000-memory.dmp	dridex_payload
behavioral2/memory/4992-89-0x00007FFD65010000-0x00007FFD65100000-memory.dmp	dridex_payload
behavioral2/memory/1532-104-0x00007FFD65010000-0x00007FFD65100000-memory.dmp	dridex_payload

Executes dropped EXE 4 IoCs

pid	Process
2568	Narrator.exe
4296	BdeUISrv.exe
4992	upfc.exe
1532	SystemPropertiesAdvanced.exe

Loads dropped DLL 3 IoCs

pid	Process
4296	BdeUISrv.exe
4992	upfc.exe
1532	SystemPropertiesAdvanced.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gbrhc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Zw3xaM\\upfc.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1796	rundll32.exe
1796	rundll32.exe
1796	rundll32.exe
1796	rundll32.exe
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found
3556	Process not Found

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 4568	3556	Process not Found	92
PID 3556 wrote to memory of 4568	3556	Process not Found	92
PID 3556 wrote to memory of 1916	3556	Process not Found	94
PID 3556 wrote to memory of 1916	3556	Process not Found	94
PID 3556 wrote to memory of 4296	3556	Process not Found	95
PID 3556 wrote to memory of 4296	3556	Process not Found	95
PID 3556 wrote to memory of 1528	3556	Process not Found	100
PID 3556 wrote to memory of 1528	3556	Process not Found	100
PID 3556 wrote to memory of 4992	3556	Process not Found	101
PID 3556 wrote to memory of 4992	3556	Process not Found	101
PID 3556 wrote to memory of 4840	3556	Process not Found	102
PID 3556 wrote to memory of 4840	3556	Process not Found	102
PID 3556 wrote to memory of 1532	3556	Process not Found	103
PID 3556 wrote to memory of 1532	3556	Process not Found	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7d1a4ad90104b8715abe6ff3177b2ad_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1796

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:4568

C:\Users\Admin\AppData\Local\vfqS2v8o\Narrator.exe
C:\Users\Admin\AppData\Local\vfqS2v8o\Narrator.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:1916

C:\Users\Admin\AppData\Local\5cm7JF6\BdeUISrv.exe
C:\Users\Admin\AppData\Local\5cm7JF6\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4296

C:\Windows\system32\upfc.exe
C:\Windows\system32\upfc.exe
1⤵
PID:1528

C:\Users\Admin\AppData\Local\f7YpbuIo\upfc.exe
C:\Users\Admin\AppData\Local\f7YpbuIo\upfc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4992

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:4840

C:\Users\Admin\AppData\Local\B3CLQc\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\B3CLQc\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5cm7JF6\BdeUISrv.exe

Filesize
54KB

MD5
8595075667ff2c9a9f9e2eebc62d8f53

SHA1
c48b54e571f05d4e21d015bb3926c2129f19191a

SHA256
20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

SHA512
080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

Download Submit
C:\Users\Admin\AppData\Local\5cm7JF6\WTSAPI32.dll

Filesize
960KB

MD5
f9f1753d1abc4ab2c4e11ca109e978e9

SHA1
d844bd38ef4c4f2c425454c114b2852e3998eae0

SHA256
55ea2ad443a169f0809d6f2c06bac0eb190b0965a751935fc79b0d4fa8c8bb4a

SHA512
1b0f85b0b6d6049482590f44cccce80900c99bef88cde8d186d93b5916f57fddf83228e3946502cfd82b2b893587257b766fd52119955dc25a2bfcc1aafdc16b

Download Submit
C:\Users\Admin\AppData\Local\B3CLQc\SYSDM.CPL

Filesize
960KB

MD5
ef79d7070b3de20dc35f8698991559b4

SHA1
fb065ea8305451da204b3b22303bba28cf0cf418

SHA256
12dfbe3911ecc534bcb46d8f4a34b32227f863b84b7f5266d0080cae36722509

SHA512
4faa6fbc39805cc204e41baf7a9fcd982e0560d07f68778f2df31aee107519e4c6018f087f2dd208ee3c4a4d47c56bf695cac485d00ee470e9b5a57f4ab1251f

Download Submit
C:\Users\Admin\AppData\Local\B3CLQc\SystemPropertiesAdvanced.exe

Filesize
82KB

MD5
fa040b18d2d2061ab38cf4e52e753854

SHA1
b1b37124e9afd6c860189ce4d49cebbb2e4c57bc

SHA256
c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c

SHA512
511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

Download Submit
C:\Users\Admin\AppData\Local\f7YpbuIo\XmlLite.dll

Filesize
960KB

MD5
39742a44ced3cb907b09b871e1a016dc

SHA1
445039d8858f7f6e82a438c57d3633d7587e9e25

SHA256
48df7985026af904e1187e31a0e0d17b747cf8a282744de4501dca292ecede20

SHA512
4d565a3793d0d5cc966c97be01b5dcda7fa82d3f8bfb4fe7598a2f25244580ebe5d95ad69ad88cada6d22bc9bf40e4d02ed1fbd057dfe3630d97bc3683a67b54

Download Submit
C:\Users\Admin\AppData\Local\f7YpbuIo\upfc.exe

Filesize
118KB

MD5
299ea296575ccb9d2c1a779062535d5c

SHA1
2497169c13b0ba46a6be8a1fe493b250094079b7

SHA256
ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

SHA512
02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

Download Submit
C:\Users\Admin\AppData\Local\vfqS2v8o\Narrator.exe

Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk

Filesize
1KB

MD5
b03bc9666f2a0814756d42cb33c0b558

SHA1
aee83a0e931de19cd16745cc797b22cb6f7c2ebc

SHA256
fe826503b46902a5b9a7112c52ef14fd98ea1d45a039b63cc29be8cc702e11c3

SHA512
5bc69cf916e58dc986dce323dac4f07671977fb05e71b2cd46e2b9292f029c86513a0e9cf626ce9fb306feb477019f407fd10b25246d7962c9e6027d7145c31d

Download Submit
memory/1532-104-0x00007FFD65010000-0x00007FFD65100000-memory.dmp

Filesize
960KB

Download
memory/1796-1-0x00007FFD74680000-0x00007FFD7476F000-memory.dmp

Filesize
956KB

Download
memory/1796-2-0x0000025C57F10000-0x0000025C57F17000-memory.dmp

Filesize
28KB

Download
memory/1796-53-0x00007FFD74680000-0x00007FFD7476F000-memory.dmp

Filesize
956KB

Download
memory/3556-39-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-11-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-27-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-26-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-25-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-24-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-23-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-22-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-21-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-20-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-19-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-18-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-17-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-16-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-15-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-14-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-13-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-12-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-40-0x00007FFD83600000-0x00007FFD83610000-memory.dmp

Filesize
64KB

Download
memory/3556-28-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-10-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-9-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-7-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-6-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-41-0x00007FFD835F0000-0x00007FFD83600000-memory.dmp

Filesize
64KB

Download
memory/3556-50-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-29-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-3-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3556-4-0x00007FFD8301A000-0x00007FFD8301B000-memory.dmp

Filesize
4KB

Download
memory/3556-8-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-38-0x0000000000C10000-0x0000000000C17000-memory.dmp

Filesize
28KB

Download
memory/3556-31-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/3556-30-0x0000000140000000-0x00000001400EF000-memory.dmp

Filesize
956KB

Download
memory/4296-73-0x00007FFD65B90000-0x00007FFD65C80000-memory.dmp

Filesize
960KB

Download
memory/4296-69-0x00007FFD65B90000-0x00007FFD65C80000-memory.dmp

Filesize
960KB

Download
memory/4296-68-0x00000215A57C0000-0x00000215A57C7000-memory.dmp

Filesize
28KB

Download
memory/4992-84-0x00007FFD65010000-0x00007FFD65100000-memory.dmp

Filesize
960KB

Download
memory/4992-89-0x00007FFD65010000-0x00007FFD65100000-memory.dmp

Filesize
960KB

Download
memory/4992-86-0x000001A4CB5F0000-0x000001A4CB5F7000-memory.dmp

Filesize
28KB

Download