dridex | 8bd8f84b07f73b998355300ac5cd19607d1f4c4620fd781a1bc13d8cd3f76b44

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

551fdc5da55993716de6de7861251c5b_JaffaCakes118.dll
Size

1.2MB
MD5

551fdc5da55993716de6de7861251c5b
SHA1

90275863862f7037386d029c9c88a6d85f4d4c44
SHA256

8bd8f84b07f73b998355300ac5cd19607d1f4c4620fd781a1bc13d8cd3f76b44
SHA512

4493c048c1c3697253c0f20d780e279030f1c0e179fd324710e5a38a90d035a353bfddeeabee86911e00ff2fcc0cabcea3969f83ffe14305c713956d224037a5
SSDEEP

24576:MVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:MV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3436-4-0x00000000020E0000-0x00000000020E1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

SystemSettingsAdminFlows.exeDisplaySwitch.exeSystemPropertiesComputerName.exe

pid process

4708 SystemSettingsAdminFlows.exe
3420 DisplaySwitch.exe
2372 SystemPropertiesComputerName.exe
Loads dropped DLL 3 IoCs

Processes:

SystemSettingsAdminFlows.exeDisplaySwitch.exeSystemPropertiesComputerName.exe

pid process

4708 SystemSettingsAdminFlows.exe
3420 DisplaySwitch.exe
2372 SystemPropertiesComputerName.exe

resource	yara_rule
behavioral2/memory/3436-4-0x00000000020E0000-0x00000000020E1000-memory.dmp	dridex_stager_shellcode

pid	process
4708	SystemSettingsAdminFlows.exe
3420	DisplaySwitch.exe
2372	SystemPropertiesComputerName.exe

pid	process
4708	SystemSettingsAdminFlows.exe
3420	DisplaySwitch.exe
2372	SystemPropertiesComputerName.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ihmks = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\XNM9J1~1\\DISPLA~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemSettingsAdminFlows.exeDisplaySwitch.exeSystemPropertiesComputerName.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsAdminFlows.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe
1608	rundll32.exe
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3436

pid	process
3436

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3436 wrote to memory of 768	3436	SystemSettingsAdminFlows.exe
PID 3436 wrote to memory of 768	3436	SystemSettingsAdminFlows.exe
PID 3436 wrote to memory of 4708	3436	SystemSettingsAdminFlows.exe
PID 3436 wrote to memory of 4708	3436	SystemSettingsAdminFlows.exe
PID 3436 wrote to memory of 4108	3436	DisplaySwitch.exe
PID 3436 wrote to memory of 4108	3436	DisplaySwitch.exe
PID 3436 wrote to memory of 3420	3436	DisplaySwitch.exe
PID 3436 wrote to memory of 3420	3436	DisplaySwitch.exe
PID 3436 wrote to memory of 1536	3436	SystemPropertiesComputerName.exe
PID 3436 wrote to memory of 1536	3436	SystemPropertiesComputerName.exe
PID 3436 wrote to memory of 2372	3436	SystemPropertiesComputerName.exe
PID 3436 wrote to memory of 2372	3436	SystemPropertiesComputerName.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\551fdc5da55993716de6de7861251c5b_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1608

C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
1⤵
PID:768

C:\Users\Admin\AppData\Local\OMp3ht\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\OMp3ht\SystemSettingsAdminFlows.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4708

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:4108

C:\Users\Admin\AppData\Local\Od1oxi\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\Od1oxi\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3420

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:1536

C:\Users\Admin\AppData\Local\qFl7AmD\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\qFl7AmD\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OMp3ht\SystemSettingsAdminFlows.exe
Filesize
506KB

MD5
50adb2c7c145c729b9de8b7cf967dd24

SHA1
a31757f08da6f95156777c1132b6d5f1db3d8f30

SHA256
a7a2e7122d27308df37b7ab718ef3ac239e4216669f51331e34e205f59fb0aec

SHA512
715b4c93e79e896da1cf86cf4455a84cba1aeac34b6fd72d2afdf203a2034f6f8fac1d6501f0dd277a17bd1d7ab73ddd1887e01a99f2d26f39efeb94d0aac9b0

Download Submit
C:\Users\Admin\AppData\Local\OMp3ht\newdev.dll
Filesize
1.2MB

MD5
e0d969e5bc40f9a4dc6f851a509e0eea

SHA1
3432fe588f65d8703216051f10f560d12398689a

SHA256
3541c1828013c845383f58f4b91513e652c6b70516811a93079ae798c67af1fe

SHA512
72a4874190174d58b5af3066899eb972e2a72afb2c68f027715aa762c5b0ebed5631b99cf2c6c6ba4b7173b4b9445a84ec713e4d46a655aba60f834aa8ad2998

Download Submit
C:\Users\Admin\AppData\Local\Od1oxi\DisplaySwitch.exe
Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Local\Od1oxi\WINSTA.dll
Filesize
1.2MB

MD5
1fbac62a55dba5440fec7aaa9fa47821

SHA1
941877e36f8c189ee27b5ed30249de14794abfc6

SHA256
d44a4378109f7c4d12116dc0a6bd43335d7209c301a0b3e8bd1c1db55d6925f9

SHA512
54979eb48ae22af4185603694995eac1db5f2f6823621c9e8e4c7a2c1c4725038553944f6adfa5f34b9583807aa6cd6223a0783e33d10d2b5f9bdb63de908ca9

Download Submit
C:\Users\Admin\AppData\Local\qFl7AmD\SYSDM.CPL
Filesize
1.2MB

MD5
ee234bc079857590b973b8bba923e5d0

SHA1
8fb120f56d13b09550195fe8ce90c689ba026ef4

SHA256
4900b77a1c5189db51708cbb61ade8c6fa8ed836e7c815ed7a002f5ba0c3b990

SHA512
d044d379aa8adf96f34fc5b5a312d234c11c2cc47d6b6b97af0e52739c793b0213a52a7e58b1868f37cca7d72b0b5de875e6dd92012ca842a3429c81c1249b2e

Download Submit
C:\Users\Admin\AppData\Local\qFl7AmD\SystemPropertiesComputerName.exe
Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yvephsk.lnk
Filesize
1KB

MD5
a28f24bc7fda67c8325ad28411abc219

SHA1
fc5935620cde57acba3585b7307b80b3018e3fa7

SHA256
7fe92c51e40f992a6c2a51e726ac0076d8528faa64ef748d8dd893c9f414ea34

SHA512
03de4f73505b1db44daff330c367202deac027290d5310ba8954d148aae3ad922c181a632d116ab8f8437ca6483821c5d4fbb13ede4953afea60850ffbd77cd9

Download Submit
memory/1608-3-0x0000024B0AD70000-0x0000024B0AD77000-memory.dmp

Filesize
28KB

Download
memory/1608-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1608-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2372-85-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3420-69-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3420-63-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3420-66-0x000002A63FF70000-0x000002A63FF77000-memory.dmp

Filesize
28KB

Download
memory/3436-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-24-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-4-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/3436-6-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-27-0x00007FFF2D370000-0x00007FFF2D380000-memory.dmp

Filesize
64KB

Download
memory/3436-36-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-25-0x00007FFF2B5FA000-0x00007FFF2B5FB000-memory.dmp

Filesize
4KB

Download
memory/3436-26-0x0000000000690000-0x0000000000697000-memory.dmp

Filesize
28KB

Download
memory/4708-52-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4708-46-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4708-49-0x0000029498A50000-0x0000029498A57000-memory.dmp

Filesize
28KB

Download