dridex | 277cfe89b173e55243afc85867c0ccdf81b40800db1f16499c09544981a9ecfe

Analysis

max time kernel
149s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d1acece864918cd32674b53b03b2782_JaffaCakes118.dll
Size

1.2MB
MD5

5d1acece864918cd32674b53b03b2782
SHA1

63818c48ec06eb1844c8a40bf931059664ec7473
SHA256

277cfe89b173e55243afc85867c0ccdf81b40800db1f16499c09544981a9ecfe
SHA512

d5024bb54815dc3162cda4bc5bfe81d8edc9f9356ee99de35ff17f01492c5e69026cc9ac31611719283b0e1ec3209501669b4b543ce4e6a9c275ca81b93845fa
SSDEEP

24576:vyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:vyWRKTt/QlPVp3h9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3440-4-0x0000000002E70000-0x0000000002E71000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

usocoreworker.exeMoUsoCoreWorker.exeperfmon.exe

pid process

2608 usocoreworker.exe
3416 MoUsoCoreWorker.exe
956 perfmon.exe
Loads dropped DLL 3 IoCs

Processes:

usocoreworker.exeMoUsoCoreWorker.exeperfmon.exe

pid process

2608 usocoreworker.exe
3416 MoUsoCoreWorker.exe
956 perfmon.exe

resource	yara_rule
behavioral2/memory/3440-4-0x0000000002E70000-0x0000000002E71000-memory.dmp	dridex_stager_shellcode

pid	process
2608	usocoreworker.exe
3416	MoUsoCoreWorker.exe
956	perfmon.exe

pid	process
2608	usocoreworker.exe
3416	MoUsoCoreWorker.exe
956	perfmon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kjdyleps = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\n2JCoVtU6R\\MoUsoCoreWorker.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeusocoreworker.exeMoUsoCoreWorker.exeperfmon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1572	rundll32.exe
1572	rundll32.exe
1572	rundll32.exe
1572	rundll32.exe
1572	rundll32.exe
1572	rundll32.exe
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440
3440

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3440

pid	process
3440

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3440 wrote to memory of 440	3440	usocoreworker.exe
PID 3440 wrote to memory of 440	3440	usocoreworker.exe
PID 3440 wrote to memory of 2608	3440	usocoreworker.exe
PID 3440 wrote to memory of 2608	3440	usocoreworker.exe
PID 3440 wrote to memory of 2768	3440	MoUsoCoreWorker.exe
PID 3440 wrote to memory of 2768	3440	MoUsoCoreWorker.exe
PID 3440 wrote to memory of 3416	3440	MoUsoCoreWorker.exe
PID 3440 wrote to memory of 3416	3440	MoUsoCoreWorker.exe
PID 3440 wrote to memory of 116	3440	perfmon.exe
PID 3440 wrote to memory of 116	3440	perfmon.exe
PID 3440 wrote to memory of 956	3440	perfmon.exe
PID 3440 wrote to memory of 956	3440	perfmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d1acece864918cd32674b53b03b2782_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:440

C:\Users\Admin\AppData\Local\1CWkmyZ\usocoreworker.exe
C:\Users\Admin\AppData\Local\1CWkmyZ\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2608

C:\Windows\system32\MoUsoCoreWorker.exe
C:\Windows\system32\MoUsoCoreWorker.exe
1⤵
PID:2768

C:\Users\Admin\AppData\Local\G4dxYUNg\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\G4dxYUNg\MoUsoCoreWorker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3416

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:116

C:\Users\Admin\AppData\Local\0D0r\perfmon.exe
C:\Users\Admin\AppData\Local\0D0r\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0D0r\credui.dll
Filesize
1.2MB

MD5
9c948924a0aa25c11185490efd93431c

SHA1
4afa19fa7ecacaf033eb77ef6d1a4c91b3f7adf9

SHA256
6dc5e5659e8f0af7f061a61aad65e885dbf62f731924c30512e8b56a5b4f6e5f

SHA512
f72753f4419e1027f9625951fa9fb34c8e16ba7a7c474a5c06c3039d3637d100d859608b00b51cb07760568a63e5ce6a64d7282783d42d70a8c5e6a6988a7d34

Download Submit
C:\Users\Admin\AppData\Local\0D0r\perfmon.exe
Filesize
177KB

MD5
d38aa59c3bea5456bd6f95c73ad3c964

SHA1
40170eab389a6ba35e949f9c92962646a302d9ef

SHA256
5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

SHA512
59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

Download Submit
C:\Users\Admin\AppData\Local\1CWkmyZ\XmlLite.dll
Filesize
1.2MB

MD5
2a6d4f1a881018a25d2bde0d03741818

SHA1
f2d849316e8316f435813bf150808085dea22296

SHA256
95167244c60d7b1416d38fbb027c1146365d5cf85e2f9852c1d2822c3ae1ce85

SHA512
1509224f70388cdf9bf6b3162df1a171869253febfb5a64699cdfa9a45c2f9006a455f9dc2fb68e1ebc1dc4df65f335d082a987ebce29f839f3dfe25880ff0cf

Download Submit
C:\Users\Admin\AppData\Local\1CWkmyZ\usocoreworker.exe
Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Local\G4dxYUNg\MoUsoCoreWorker.exe
Filesize
1.6MB

MD5
47c6b45ff22b73caf40bb29392386ce3

SHA1
7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

SHA256
cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

SHA512
c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

Download Submit
C:\Users\Admin\AppData\Local\G4dxYUNg\XmlLite.dll
Filesize
1.2MB

MD5
77bf8e186b3d94d0a9ade5a7b4e44f75

SHA1
c4581c4208652f3ea39993bb4f8596353ccddbd3

SHA256
00652d5c352c2512de3a808f7e74eebe4254a9abd716a41a4469c214cda127f3

SHA512
04ef75d6bcc8ab9bb249337d5f532a567b0910dccfb67ff32ee098c10b7bc93072209307bef7eec39b9c8668a01ff8194fc966c6adc8d103a1f7115c00db4d15

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lkikclgcaixpoht.lnk
Filesize
1KB

MD5
762586a9e80235635af3ca8cd001d557

SHA1
6cf8903abd11018db8b98d5bbfcbf4bf1e1577c2

SHA256
bde72a399feaeba57365ca07fbd43b3a63a127b7619841a7395aae821be35b38

SHA512
4536d2fba20fac31d46da44147d035cee7b9f78ca8afce399889032067e284902001bf72ae68ce1034fb6e79ffd7f8d6bdec4cd65aa614676e9503e0dfa16e2a

Download Submit
memory/956-86-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/956-83-0x0000023552BD0000-0x0000023552BD7000-memory.dmp

Filesize
28KB

Download
memory/1572-0-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1572-39-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1572-3-0x00000297CAF90000-0x00000297CAF97000-memory.dmp

Filesize
28KB

Download
memory/2608-52-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2608-49-0x000001BFCFD20000-0x000001BFCFD27000-memory.dmp

Filesize
28KB

Download
memory/2608-46-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3416-66-0x0000020DB16B0000-0x0000020DB16B7000-memory.dmp

Filesize
28KB

Download
memory/3416-69-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3440-36-0x00007FF8E9DFA000-0x00007FF8E9DFB000-memory.dmp

Filesize
4KB

Download
memory/3440-4-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/3440-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-33-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-37-0x0000000000F60000-0x0000000000F67000-memory.dmp

Filesize
28KB

Download
memory/3440-38-0x00007FF8EA230000-0x00007FF8EA240000-memory.dmp

Filesize
64KB

Download
memory/3440-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3440-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download