dridex | 13006766e78f6a3c8efa63593708b31e7d46a27abeb6f8f8fa3f1d0c02694e75

Analysis

max time kernel
150s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

714155e541eb3bdfa590322d67d1f9d1_JaffaCakes118.dll
Size

1.2MB
MD5

714155e541eb3bdfa590322d67d1f9d1
SHA1

c17954b0e9e93d3e72a92208692541f6d8fa5d14
SHA256

13006766e78f6a3c8efa63593708b31e7d46a27abeb6f8f8fa3f1d0c02694e75
SHA512

7e83b5e0647c200ff59146d67701f5ecedc2cff7854f32c94f42c214d95f9ddb4d1b0cba73ac79b0099490fecf380bae83d9d8e5894d36211664257695325215
SSDEEP

24576:GVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:GV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3408-4-0x0000000002F60000-0x0000000002F61000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

dpapimig.exemsinfo32.exeSystemPropertiesAdvanced.exe

pid process

2588 dpapimig.exe
2816 msinfo32.exe
4672 SystemPropertiesAdvanced.exe
Loads dropped DLL 3 IoCs

Processes:

dpapimig.exemsinfo32.exeSystemPropertiesAdvanced.exe

pid process

2588 dpapimig.exe
2816 msinfo32.exe
4672 SystemPropertiesAdvanced.exe

resource	yara_rule
behavioral2/memory/3408-4-0x0000000002F60000-0x0000000002F61000-memory.dmp	dridex_stager_shellcode

pid	process
2588	dpapimig.exe
2816	msinfo32.exe
4672	SystemPropertiesAdvanced.exe

pid	process
2588	dpapimig.exe
2816	msinfo32.exe
4672	SystemPropertiesAdvanced.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iwctvdcrnln = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\6h38JN3M\\msinfo32.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dpapimig.exemsinfo32.exeSystemPropertiesAdvanced.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
1112	rundll32.exe
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408
Token: SeShutdownPrivilege	3408
Token: SeCreatePagefilePrivilege	3408

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3408
3408
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3408

pid	process
3408
3408

pid	process
3408

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3408 wrote to memory of 640	3408	dpapimig.exe
PID 3408 wrote to memory of 640	3408	dpapimig.exe
PID 3408 wrote to memory of 2588	3408	dpapimig.exe
PID 3408 wrote to memory of 2588	3408	dpapimig.exe
PID 3408 wrote to memory of 5068	3408	msinfo32.exe
PID 3408 wrote to memory of 5068	3408	msinfo32.exe
PID 3408 wrote to memory of 2816	3408	msinfo32.exe
PID 3408 wrote to memory of 2816	3408	msinfo32.exe
PID 3408 wrote to memory of 3124	3408	SystemPropertiesAdvanced.exe
PID 3408 wrote to memory of 3124	3408	SystemPropertiesAdvanced.exe
PID 3408 wrote to memory of 4672	3408	SystemPropertiesAdvanced.exe
PID 3408 wrote to memory of 4672	3408	SystemPropertiesAdvanced.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\714155e541eb3bdfa590322d67d1f9d1_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1112

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:640

C:\Users\Admin\AppData\Local\QjjjDJVc\dpapimig.exe
C:\Users\Admin\AppData\Local\QjjjDJVc\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2588

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:5068

C:\Users\Admin\AppData\Local\LchPv\msinfo32.exe
C:\Users\Admin\AppData\Local\LchPv\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2816

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:3124

C:\Users\Admin\AppData\Local\wOtidHS\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\wOtidHS\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4672

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LchPv\SLC.dll
Filesize
1.2MB

MD5
8387ae0cb38b917e8b89a8f9c1c21d7d

SHA1
33a8640ef4a689f291f482c5cdf31671035fcbf5

SHA256
78ca0f6eb787630e81a85641cb01937473be5b7eb19413008cf51a0b2196d50f

SHA512
53407304fe9ff30a7dad9e72f8b8755e8b46242fe3e05dbe4b7789ac27f69dcbd7a5bec93a300d7581b2f737e890ec0337439ac7046533494dddf2a700458068

Download Submit
C:\Users\Admin\AppData\Local\LchPv\msinfo32.exe
Filesize
376KB

MD5
0aed91da63713bf9f881b03a604a1c9d

SHA1
b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

SHA256
5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

SHA512
04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

Download Submit
C:\Users\Admin\AppData\Local\QjjjDJVc\DUI70.dll
Filesize
1.5MB

MD5
3a5a341aa7754c8e92b31736b853c02a

SHA1
9eed5c8aaa3fc65491122e5018723c1ae1b4b0e7

SHA256
1de0d9be9ebdd01d7cb230411a59e3de7ab9f5f826730e593db20198d5df1291

SHA512
3bc16baac0704c218cf35ce1fb62e39b963003502a7d4ceb19415e4a5acc4e016fd47e340d3eb83c7a17a618af67af93c8689cee80a7f470b30025f68a108547

Download Submit
C:\Users\Admin\AppData\Local\QjjjDJVc\dpapimig.exe
Filesize
76KB

MD5
b6d6477a0c90a81624c6a8548026b4d0

SHA1
e6eac6941d27f76bbd306c2938c0a962dbf1ced1

SHA256
a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

SHA512
72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

Download Submit
C:\Users\Admin\AppData\Local\wOtidHS\SYSDM.CPL
Filesize
1.2MB

MD5
8f65a32f39416c6860dc79c27283c362

SHA1
332ada773c613a23fb9bb888cf942dd7712b5c8b

SHA256
2404a5b9a90aba7027e71bc55911775a5137def9984b37275ce79922035ed879

SHA512
b8449dac57f30f7f80815ab7ed3a25a36c14c1916db42349ad9adf6484ebeab2126c3c56cc0b4542099f664e91bb166905e2d3c084440c9557c14c5fe3bb80e7

Download Submit
C:\Users\Admin\AppData\Local\wOtidHS\SystemPropertiesAdvanced.exe
Filesize
82KB

MD5
fa040b18d2d2061ab38cf4e52e753854

SHA1
b1b37124e9afd6c860189ce4d49cebbb2e4c57bc

SHA256
c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c

SHA512
511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Puokv.lnk
Filesize
1KB

MD5
27ff6be59a8bc164e1f07819bb450fe6

SHA1
751de128b023f4f2028c0c17b7fc4b224847364d

SHA256
44fa00ef3ca39d431a00a5656f3359986cc37830c4c13e6129b227e83d6a9cb5

SHA512
edce4feb453891e5e206800215af29c64d9dcbfca44d040a5307b175118195c46c735be22df838efdf257bf78aa258dd45baad59097620834ebcb0e9756dc6d6

Download Submit
memory/1112-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1112-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1112-0-0x0000021CC6BA0000-0x0000021CC6BA7000-memory.dmp

Filesize
28KB

Download
memory/2588-52-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2588-49-0x000001B86FA70000-0x000001B86FA77000-memory.dmp

Filesize
28KB

Download
memory/2588-47-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2816-63-0x0000023328AF0000-0x0000023328AF7000-memory.dmp

Filesize
28KB

Download
memory/2816-64-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2816-69-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3408-35-0x00007FF81B8B0000-0x00007FF81B8C0000-memory.dmp

Filesize
64KB

Download
memory/3408-34-0x0000000002F40000-0x0000000002F47000-memory.dmp

Filesize
28KB

Download
memory/3408-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-33-0x00007FF81A4DA000-0x00007FF81A4DB000-memory.dmp

Filesize
4KB

Download
memory/3408-24-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-36-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-6-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3408-4-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/4672-86-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4672-80-0x0000019B08460000-0x0000019B08467000-memory.dmp

Filesize
28KB

Download