dridex | 42c3f84d09b06797c56cad933f7451ba82d1de626e48d88a57c602475057454c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d1656941c05b70eae56d107d83f5577_JaffaCakes118.dll
Size

991KB
MD5

2d1656941c05b70eae56d107d83f5577
SHA1

f5b3b27def84a732714206ea9dad1c4b2072ea86
SHA256

42c3f84d09b06797c56cad933f7451ba82d1de626e48d88a57c602475057454c
SHA512

26ed912364236a321553a13fe7d19c886cb9b883481a54ba1a875a03055720dcb672e0e8aba8a37c9002b5267203cb88190ee08ae4391bade92713cacc4de883
SSDEEP

24576:VVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:VV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3212-4-0x0000000002E20000-0x0000000002E21000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

rdpshell.exesdclt.exeWMPDMC.exe

pid process

2676 rdpshell.exe
4896 sdclt.exe
4848 WMPDMC.exe
Loads dropped DLL 3 IoCs

Processes:

rdpshell.exesdclt.exeWMPDMC.exe

pid process

2676 rdpshell.exe
4896 sdclt.exe
4848 WMPDMC.exe

resource	yara_rule
behavioral2/memory/3212-4-0x0000000002E20000-0x0000000002E21000-memory.dmp	dridex_stager_shellcode

pid	process
2676	rdpshell.exe
4896	sdclt.exe
4848	WMPDMC.exe

pid	process
2676	rdpshell.exe
4896	sdclt.exe
4848	WMPDMC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\j4IMGMKoE\\sdclt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpshell.exesdclt.exeWMPDMC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMPDMC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212
3212

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3212 wrote to memory of 2104	3212	rdpshell.exe
PID 3212 wrote to memory of 2104	3212	rdpshell.exe
PID 3212 wrote to memory of 2676	3212	rdpshell.exe
PID 3212 wrote to memory of 2676	3212	rdpshell.exe
PID 3212 wrote to memory of 3432	3212	sdclt.exe
PID 3212 wrote to memory of 3432	3212	sdclt.exe
PID 3212 wrote to memory of 4896	3212	sdclt.exe
PID 3212 wrote to memory of 4896	3212	sdclt.exe
PID 3212 wrote to memory of 1392	3212	WMPDMC.exe
PID 3212 wrote to memory of 1392	3212	WMPDMC.exe
PID 3212 wrote to memory of 4848	3212	WMPDMC.exe
PID 3212 wrote to memory of 4848	3212	WMPDMC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d1656941c05b70eae56d107d83f5577_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:2104

C:\Users\Admin\AppData\Local\BhcL8AbHH\rdpshell.exe
C:\Users\Admin\AppData\Local\BhcL8AbHH\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2676

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:3432

C:\Users\Admin\AppData\Local\V92H\sdclt.exe
C:\Users\Admin\AppData\Local\V92H\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4896

C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
1⤵
PID:1392

C:\Users\Admin\AppData\Local\wKfcn7bg\WMPDMC.exe
C:\Users\Admin\AppData\Local\wKfcn7bg\WMPDMC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4848

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BhcL8AbHH\dwmapi.dll
Filesize
993KB

MD5
74dc7982ce6fb290c5123f6b74f670c3

SHA1
55678c456a9dea4a214b93ac0940c290a48c81e0

SHA256
7098e8d6978dc04d7b5e5ba3c65568c49c6ad3ef5ae98661d7f8d54693add7a5

SHA512
e2b1527e444a66799079f9d1d817ce7539c0c9a83f1bc8177fc7994de65a1880ea3bf652aec1f8e15df29dd74dec32892b365a55c724e192d3b18354c5d29f66

Download Submit
C:\Users\Admin\AppData\Local\BhcL8AbHH\rdpshell.exe
Filesize
468KB

MD5
428066713f225bb8431340fa670671d4

SHA1
47f6878ff33317c3fc09c494df729a463bda174c

SHA256
da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

SHA512
292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

Download Submit
C:\Users\Admin\AppData\Local\V92H\SPP.dll
Filesize
992KB

MD5
65b730ca6beecc26053dddf03fce780e

SHA1
6ab8ed9c236e1a606518adae03684a35370b7d25

SHA256
275c2009d402e8961d5e9673257354565d4ca800497f14404bb4980e26ddb6b6

SHA512
16e63d843d24dbd37c405dc16cb6bf794638cf2ee244a2ac6cb9c30c12a1e710866868ad386914396a9dac085d45f7b5d07646edaaf9af3650bc8c1942344da8

Download Submit
C:\Users\Admin\AppData\Local\V92H\sdclt.exe
Filesize
1.2MB

MD5
e09d48f225e7abcab14ebd3b8a9668ec

SHA1
1c5b9322b51c09a407d182df481609f7cb8c425d

SHA256
efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

SHA512
384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

Download Submit
C:\Users\Admin\AppData\Local\wKfcn7bg\WMPDMC.exe
Filesize
1.5MB

MD5
59ce6e554da0a622febce19eb61c4d34

SHA1
176a4a410cb97b3d4361d2aea0edbf17e15d04c7

SHA256
c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

SHA512
e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

Download Submit
C:\Users\Admin\AppData\Local\wKfcn7bg\dwmapi.dll
Filesize
993KB

MD5
f7e10d4130e9f313c0b00ee2f805b7bf

SHA1
f93e423b76329b4e8c7833b671f228b2de01d144

SHA256
a5161fb1911a23159a4b2b56d09989b424721a30d4cae69d2b1c1de7a25c62a9

SHA512
6371fc27bb83bdd9b3d6e61ed8f16a0401488f4aec343f5ed1ed290d68723c92fd3a4385b5f081cb2e45e148a76d77d39a9162c6996b303d114278bdb3cb19c8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
Filesize
1KB

MD5
ba8c234f23ad342ffe44be75b8a13a83

SHA1
d27d95c4dc64b713a8145e45615e9529c25aa0e8

SHA256
c0b950961fe211c249dee422f4444d8d31655e84579dbccf1204e28165049122

SHA512
f62ce9f98c3db08bc1e9bb8dcb5923d07a36e2e024a632032b22c5b0932d6648176b6706407e0aed04c4c40df88173e511ed6c3dffa65507b8c01d349974677f

Download Submit
memory/1632-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1632-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1632-3-0x0000015755AC0000-0x0000015755AC7000-memory.dmp

Filesize
28KB

Download
memory/2676-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2676-47-0x000001D6389E0000-0x000001D6389E7000-memory.dmp

Filesize
28KB

Download
memory/3212-31-0x0000000000ED0000-0x0000000000ED7000-memory.dmp

Filesize
28KB

Download
memory/3212-32-0x00007FFBA0730000-0x00007FFBA0740000-memory.dmp

Filesize
64KB

Download
memory/3212-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3212-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3212-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3212-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3212-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3212-30-0x00007FFBA051A000-0x00007FFBA051B000-memory.dmp

Filesize
4KB

Download
memory/3212-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3212-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3212-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3212-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/3212-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3212-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4848-83-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4896-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4896-64-0x000001961CBE0000-0x000001961CBE7000-memory.dmp

Filesize
28KB

Download