dridex | af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

304109f9a5c3726818b4c3668fdb71fd_JaffaCakes118.dll
Size

1.2MB
MD5

304109f9a5c3726818b4c3668fdb71fd
SHA1

2eb804e205d15d314e7f67d503940f69f5dc2ef8
SHA256

af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
SHA512

cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
SSDEEP

24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3448-4-0x0000000002FE0000-0x0000000002FE1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

eudcedit.exemsdt.exeunregmp2.exe

pid process

3856 eudcedit.exe
3496 msdt.exe
1060 unregmp2.exe
Loads dropped DLL 3 IoCs

Processes:

eudcedit.exemsdt.exeunregmp2.exe

pid process

3856 eudcedit.exe
3496 msdt.exe
1060 unregmp2.exe

resource	yara_rule
behavioral2/memory/3448-4-0x0000000002FE0000-0x0000000002FE1000-memory.dmp	dridex_stager_shellcode

pid	process
3856	eudcedit.exe
3496	msdt.exe
1060	unregmp2.exe

pid	process
3856	eudcedit.exe
3496	msdt.exe
1060	unregmp2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Esxju = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\CnShArsHWOV\\msdt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeeudcedit.exemsdt.exeunregmp2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
888	rundll32.exe
888	rundll32.exe
888	rundll32.exe
888	rundll32.exe
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3448
Token: SeCreatePagefilePrivilege 3448

description	pid	process
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3448 wrote to memory of 3896	3448	eudcedit.exe
PID 3448 wrote to memory of 3896	3448	eudcedit.exe
PID 3448 wrote to memory of 3856	3448	eudcedit.exe
PID 3448 wrote to memory of 3856	3448	eudcedit.exe
PID 3448 wrote to memory of 4440	3448	msdt.exe
PID 3448 wrote to memory of 4440	3448	msdt.exe
PID 3448 wrote to memory of 3496	3448	msdt.exe
PID 3448 wrote to memory of 3496	3448	msdt.exe
PID 3448 wrote to memory of 3364	3448	unregmp2.exe
PID 3448 wrote to memory of 3364	3448	unregmp2.exe
PID 3448 wrote to memory of 1060	3448	unregmp2.exe
PID 3448 wrote to memory of 1060	3448	unregmp2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\304109f9a5c3726818b4c3668fdb71fd_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1308,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:8
1⤵
PID:3036

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:3896

C:\Users\Admin\AppData\Local\HtGPUe\eudcedit.exe
C:\Users\Admin\AppData\Local\HtGPUe\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3856

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:4440

C:\Users\Admin\AppData\Local\Gf1\msdt.exe
C:\Users\Admin\AppData\Local\Gf1\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3496

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:3364

C:\Users\Admin\AppData\Local\XJcv\unregmp2.exe
C:\Users\Admin\AppData\Local\XJcv\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Gf1\msdt.exe
Filesize
421KB

MD5
992c3f0cc8180f2f51156671e027ae75

SHA1
942ec8c2ccfcacd75a1cd86cbe8873aee5115e29

SHA256
6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f

SHA512
1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

Download Submit
C:\Users\Admin\AppData\Local\Gf1\wer.dll
Filesize
1.2MB

MD5
329a1ab36e2a5573431ef70520c447ef

SHA1
96ad13b994dfe9384e11470fe6c8bec7ce67d9f3

SHA256
970ebcf884d006d46a0e0b85b105f4df4d0a562353e62b758824a58ca8065cf7

SHA512
55f4342f47c679f2e13dd4d303fc40b60f2252bdf0dd75df1c0a518b91ac00835f9edbc328a67c270496a817e180adee2ebace0a08587c1c7cb6d98fce3f7855

Download Submit
C:\Users\Admin\AppData\Local\HtGPUe\MFC42u.dll
Filesize
1.3MB

MD5
55848e59e50a14243e4f9de1db476399

SHA1
16961645194e983d6e15d843cb0a2af8358221fa

SHA256
02c036e4d45fd29986ae9b41b7600e0601594c97ae7600537a50868f5a65477a

SHA512
290675864f6d281cc07c39cd101ce292b342704e2c2602c0d1db6d640aa9cdfebf6f1bd5f6714564bfc3e0f3333d16e4fa64a6ddf7ddc41d15de700321c7369a

Download Submit
C:\Users\Admin\AppData\Local\HtGPUe\eudcedit.exe
Filesize
365KB

MD5
a9de6557179d371938fbe52511b551ce

SHA1
def460b4028788ded82dc55c36cb0df28599fd5f

SHA256
83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

SHA512
5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

Download Submit
C:\Users\Admin\AppData\Local\XJcv\VERSION.dll
Filesize
1.2MB

MD5
7b3afc9f4ffb41df1617fc591111e377

SHA1
7531405da0ab7df5d7b8937857257c7a9e95cf67

SHA256
3fcf7e70e038eeff9a39cb770b4d5f825375e1574e8bb70e01500876e31f5c7a

SHA512
33d386d9666be83547990ff8ffb4b6bc06df079384c57474a811652db95827b605ae1734d58a7a039786a7b6092dca4c88f3f1c2d454e98a15d31af03cdbf4e1

Download Submit
C:\Users\Admin\AppData\Local\XJcv\unregmp2.exe
Filesize
259KB

MD5
a6fc8ce566dec7c5873cb9d02d7b874e

SHA1
a30040967f75df85a1e3927bdce159b102011a61

SHA256
21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d

SHA512
f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xpqmtuztdhk.lnk
Filesize
1KB

MD5
05b5367cca3526200fee95367dc2d523

SHA1
215ef6f0fd6ca02f30bcfe0ae816aa3291356657

SHA256
23bacada41dd34fddd943cc8273cf2ce56e4a429877b85b915df63581a09c3ce

SHA512
c31b119fc10d67bf3308e17afe8fcad9a202044b5a9a74a743f8f48370e00cc7795dec6f1095efdc489276c83aa6c4bd59cc857592425e2449eebfe88895be90

Download Submit
memory/888-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/888-0-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/888-3-0x0000023FF2C50000-0x0000023FF2C57000-memory.dmp

Filesize
28KB

Download
memory/1060-80-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1060-83-0x0000024D54740000-0x0000024D54747000-memory.dmp

Filesize
28KB

Download
memory/1060-86-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3448-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3448-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3448-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3448-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3448-37-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3448-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3448-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3448-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3448-4-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/3448-6-0x00007FF8CC2DA000-0x00007FF8CC2DB000-memory.dmp

Filesize
4KB

Download
memory/3448-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3448-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3448-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3448-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3448-27-0x00007FF8CCF10000-0x00007FF8CCF20000-memory.dmp

Filesize
64KB

Download
memory/3448-26-0x00000000010E0000-0x00000000010E7000-memory.dmp

Filesize
28KB

Download
memory/3496-69-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3496-63-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3496-66-0x000001F9266A0000-0x000001F9266A7000-memory.dmp

Filesize
28KB

Download
memory/3856-52-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3856-49-0x00000254209E0000-0x00000254209E7000-memory.dmp

Filesize
28KB

Download
memory/3856-46-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download