dridex | 06b71ab910cc26e9189614d339b6b72c0ddc8cc6e3580cdb167a44b1b5ef6ba5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5249e19c9c02a641fdf65100c2c86524_JaffaCakes118.dll
Size

1.2MB
MD5

5249e19c9c02a641fdf65100c2c86524
SHA1

7c1059c5104c0b8bee47489ae517f6504cd12be9
SHA256

06b71ab910cc26e9189614d339b6b72c0ddc8cc6e3580cdb167a44b1b5ef6ba5
SHA512

81c175ab416775913f3ed05739b1f4fdd1b1a979452c27b9e297f85da345f349949eb4b20417833bc595f8db0955cc5f4d639bbb25f04dea025e96256ca9bffc
SSDEEP

24576:dVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:dV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3456-4-0x0000000006E50000-0x0000000006E51000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

sppsvc.exedccw.exeDWWIN.EXE

pid process

4656 sppsvc.exe
4580 dccw.exe
4332 DWWIN.EXE
Loads dropped DLL 3 IoCs

Processes:

sppsvc.exedccw.exeDWWIN.EXE

pid process

4656 sppsvc.exe
4580 dccw.exe
4332 DWWIN.EXE

resource	yara_rule
behavioral2/memory/3456-4-0x0000000006E50000-0x0000000006E51000-memory.dmp	dridex_stager_shellcode

pid	process
4656	sppsvc.exe
4580	dccw.exe
4332	DWWIN.EXE

pid	process
4656	sppsvc.exe
4580	dccw.exe
4332	DWWIN.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ovnmkkvrgnxhq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Z93Y6Z~1\\dccw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesppsvc.exedccw.exeDWWIN.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3932	rundll32.exe
3932	rundll32.exe
3932	rundll32.exe
3932	rundll32.exe
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3456
Token: SeCreatePagefilePrivilege 3456
Token: SeShutdownPrivilege 3456
Token: SeCreatePagefilePrivilege 3456
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3456
3456
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3456

description	pid	process
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456

pid	process
3456
3456

pid	process
3456

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

description	pid	target process
PID 3456 wrote to memory of 4656	3456	sppsvc.exe
PID 3456 wrote to memory of 4656	3456	sppsvc.exe
PID 3456 wrote to memory of 848	3456	dccw.exe
PID 3456 wrote to memory of 848	3456	dccw.exe
PID 3456 wrote to memory of 4580	3456	dccw.exe
PID 3456 wrote to memory of 4580	3456	dccw.exe
PID 3456 wrote to memory of 436	3456	DWWIN.EXE
PID 3456 wrote to memory of 436	3456	DWWIN.EXE
PID 3456 wrote to memory of 4332	3456	DWWIN.EXE
PID 3456 wrote to memory of 4332	3456	DWWIN.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5249e19c9c02a641fdf65100c2c86524_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3932

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:3640

C:\Users\Admin\AppData\Local\j15I\sppsvc.exe
C:\Users\Admin\AppData\Local\j15I\sppsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4656

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:848

C:\Users\Admin\AppData\Local\DYFA3GYh\dccw.exe
C:\Users\Admin\AppData\Local\DYFA3GYh\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4580

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:436

C:\Users\Admin\AppData\Local\J3HGepsq\DWWIN.EXE
C:\Users\Admin\AppData\Local\J3HGepsq\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4332

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DYFA3GYh\dccw.exe
Filesize
101KB

MD5
cb9374911bf5237179785c739a322c0f

SHA1
3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

SHA256
f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

SHA512
9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

Download Submit
C:\Users\Admin\AppData\Local\DYFA3GYh\dxva2.dll
Filesize
1.2MB

MD5
e7e213e8157dcb4b38e776ac62059922

SHA1
34f5c882bc9be3db69531d327b1e808e532f192b

SHA256
d746e33663c7dc80ec54039a5c2c3a7af499650c565d9d0d1fe00e1af0c3d798

SHA512
4316042e309bd9c7e11bb45febca371f4113ff7cd0dd8bdfe272d03c045061e2618a2435edb72b88b6b9ba3701d00e4c365fd3400d14039f8a0ff88073c99a8e

Download Submit
C:\Users\Admin\AppData\Local\J3HGepsq\DWWIN.EXE
Filesize
229KB

MD5
444cc4d3422a0fdd45c1b78070026c60

SHA1
97162ff341fff1ec54b827ec02f8b86fd2d41a97

SHA256
4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

SHA512
21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

Download Submit
C:\Users\Admin\AppData\Local\J3HGepsq\wer.dll
Filesize
1.2MB

MD5
4eb270501e48cdd5d7673805b0cfc0a8

SHA1
1356d358ad53543ac19a8acc9f9a4d7802d7c3af

SHA256
d98aacea1885185811ac5979e23c6821476d4537c392828d756c3d534a74baa3

SHA512
5916dd60a7118d18208a0bfe32d4f75b48994dd638db68d84e56a90a23178a206c850019d450a8dd0c2c7bed146d72ff374827cf821d44b7c535c904589f3e3f

Download Submit
C:\Users\Admin\AppData\Local\j15I\XmlLite.dll
Filesize
1.2MB

MD5
bcc92f754ed4ab21aca46488cf2ea0de

SHA1
7ffbf04c226c506fe81484024d82cc428fa297e0

SHA256
8a7616ebb7f8ca45a0f50d35b0954315d243a2957a51d90137e61afe62a42927

SHA512
ba7cea0b094016a99bc1ebbc6b52fd5bb50c168bc49250534342655c8991f1ab39910d08a114baad25473c3d52c5cf2b754834b5761d4c12fc3146a53267aeb7

Download Submit
C:\Users\Admin\AppData\Local\j15I\sppsvc.exe
Filesize
4.4MB

MD5
ec6cef0a81f167668e18fa32f1606fce

SHA1
6d56837a388ae5573a38a439cee16e6dde5b4de8

SHA256
82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8

SHA512
f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ymfrpxarx.lnk
Filesize
1KB

MD5
70f5e68060c85128526bf8c6b8ebdd59

SHA1
62e49d5c0eeac571094b281c8a1c69871f80ab25

SHA256
8f45ed471a70c124dd09390a44a3d6dfe27ecea0f4aa5f794e0d19be22803ff0

SHA512
52717d2fd56e43f787cccebd86087735f3c7142133fdabdff589f1b0cc43f57a85833b66777c354b916dffcae47e3475ec14816cbb5d9ec8d33ac6d30ba8db21

Download Submit
memory/3456-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3456-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3456-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3456-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3456-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3456-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3456-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3456-6-0x00007FFB6508A000-0x00007FFB6508B000-memory.dmp

Filesize
4KB

Download
memory/3456-4-0x0000000006E50000-0x0000000006E51000-memory.dmp

Filesize
4KB

Download
memory/3456-35-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3456-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3456-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3456-28-0x0000000002730000-0x0000000002737000-memory.dmp

Filesize
28KB

Download
memory/3456-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3456-29-0x00007FFB65110000-0x00007FFB65120000-memory.dmp

Filesize
64KB

Download
memory/3932-2-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3932-0-0x000001A242280000-0x000001A242287000-memory.dmp

Filesize
28KB

Download
memory/3932-38-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4332-79-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4332-82-0x0000020B3A7B0000-0x0000020B3A7B7000-memory.dmp

Filesize
28KB

Download
memory/4332-85-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4580-68-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4580-65-0x0000019ED82F0000-0x0000019ED82F7000-memory.dmp

Filesize
28KB

Download
memory/4656-51-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4656-45-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4656-48-0x000001FCCC350000-0x000001FCCC357000-memory.dmp

Filesize
28KB

Download