dridex | a00e30735a9c57cf4ecc0b3f55291dd33cb224df7958275b4f4ee68240b2cc20

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c69de7c83209a1bf71d62abae46b83_JaffaCakes118.dll
Size

989KB
MD5

71c69de7c83209a1bf71d62abae46b83
SHA1

2bc4a12a267d0cf44de82094c44c3555f2e775ac
SHA256

a00e30735a9c57cf4ecc0b3f55291dd33cb224df7958275b4f4ee68240b2cc20
SHA512

8ba0c7e0dc7b8ba55a94792a3e4921792ee6ed314928e5e6a43897e5e8a6ca43a302a978195bb1a1d8bba348f66e656431686aba95fb9d7c580bca5d394b4e11
SSDEEP

24576:yVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:yV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3476-4-0x00000000030E0000-0x00000000030E1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

dialer.exeomadmclient.exeosk.exe

pid process

2000 dialer.exe
2568 omadmclient.exe
2864 osk.exe
Loads dropped DLL 4 IoCs

Processes:

dialer.exeomadmclient.exeosk.exe

pid process

2000 dialer.exe
2568 omadmclient.exe
2568 omadmclient.exe
2864 osk.exe

resource	yara_rule
behavioral2/memory/3476-4-0x00000000030E0000-0x00000000030E1000-memory.dmp	dridex_stager_shellcode

pid	process
2000	dialer.exe
2568	omadmclient.exe
2864	osk.exe

pid	process
2000	dialer.exe
2568	omadmclient.exe
2568	omadmclient.exe
2864	osk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eeaxmqtu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\UProof\\yawcwx\\omadmclient.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedialer.exeomadmclient.exeosk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2544	rundll32.exe
2544	rundll32.exe
2544	rundll32.exe
2544	rundll32.exe
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3476

pid	process
3476

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3476 wrote to memory of 3604	3476	dialer.exe
PID 3476 wrote to memory of 3604	3476	dialer.exe
PID 3476 wrote to memory of 2000	3476	dialer.exe
PID 3476 wrote to memory of 2000	3476	dialer.exe
PID 3476 wrote to memory of 2372	3476	omadmclient.exe
PID 3476 wrote to memory of 2372	3476	omadmclient.exe
PID 3476 wrote to memory of 2568	3476	omadmclient.exe
PID 3476 wrote to memory of 2568	3476	omadmclient.exe
PID 3476 wrote to memory of 3104	3476	osk.exe
PID 3476 wrote to memory of 3104	3476	osk.exe
PID 3476 wrote to memory of 2864	3476	osk.exe
PID 3476 wrote to memory of 2864	3476	osk.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c69de7c83209a1bf71d62abae46b83_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2544

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:3604

C:\Users\Admin\AppData\Local\7PafQuST\dialer.exe
C:\Users\Admin\AppData\Local\7PafQuST\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2000

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:2372

C:\Users\Admin\AppData\Local\2pG\omadmclient.exe
C:\Users\Admin\AppData\Local\2pG\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2568

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:3104

C:\Users\Admin\AppData\Local\uVwDolObz\osk.exe
C:\Users\Admin\AppData\Local\uVwDolObz\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2pG\XmlLite.dll
Filesize
989KB

MD5
e9eb1987b6ad493074a85b840fcd956f

SHA1
e0a7008f6871ed28e768f3035b4fbc987c15cd53

SHA256
92e5835193fe3d597ccee0a7def55cbcb7ff744ccdd68cc227c12efecc583830

SHA512
771602424f3024be12d0e8a959eac917e857eb655e392c047797dd6afb247a9c736af3b93aa4dee935114baaabf431ffcacd2fc97f4d699978ec445e43f9e178

Download Submit
C:\Users\Admin\AppData\Local\2pG\omadmclient.exe
Filesize
425KB

MD5
8992b5b28a996eb83761dafb24959ab4

SHA1
697ecb33b8ff5b0e73ef29ce471153b368b1b729

SHA256
e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

SHA512
4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

Download Submit
C:\Users\Admin\AppData\Local\7PafQuST\TAPI32.dll
Filesize
997KB

MD5
04226356be73bc5bcbabcfa6eafce8de

SHA1
9fdde709ee775687518a080d331351dd6933e472

SHA256
f652e5a36060b142583b4a5dd3fed37d19ecb852067f1f19a92e416de82428fe

SHA512
46e3b525c08e36fe6abd8879f608015e1cf31cf50b0cf7d60adfa20bd6b130194833fd1379fee0bcd2953b726cb6df38920f7962642e88d748c351a4ab71060b

Download Submit
C:\Users\Admin\AppData\Local\7PafQuST\dialer.exe
Filesize
39KB

MD5
b2626bdcf079c6516fc016ac5646df93

SHA1
838268205bd97d62a31094d53643c356ea7848a6

SHA256
e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

SHA512
615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

Download Submit
C:\Users\Admin\AppData\Local\uVwDolObz\OLEACC.dll
Filesize
990KB

MD5
f9315e8f4a024c23abdf392d2c558a9c

SHA1
35aacdf9e0162f0ededc9db1fb70f7358cfcb2a1

SHA256
7ed2c58fe4a7ce3434cf81d289714a8c4dfcb9c6c028816c7ac780902ae5a1e1

SHA512
de4ef2923426035eb63d32a3a565a22ebe4459af65bc4d91e9c8101b5a6336717c21b1cbd7724aa1915880512c85554628de370361d32774e4a9379221f7993c

Download Submit
C:\Users\Admin\AppData\Local\uVwDolObz\osk.exe
Filesize
638KB

MD5
745f2df5beed97b8c751df83938cb418

SHA1
2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

SHA256
f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

SHA512
2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rkjap.lnk
Filesize
1KB

MD5
834ec5abd5d86f8447841e3897e9af5d

SHA1
3a9aaf29b837c002e525c725514e3efb24b45f54

SHA256
9e778ab8afc15799772b8108f942a6613709704c1c750326beddc2752b45bd43

SHA512
aee10532e746fe3bd1fdb85e76f1ac81ef4849ce6678d9809953ebab834c4e45b77c5cd9b6d9343def372a611abbcd457f9d0b5c6d54c8b6578e2c197c338a27

Download Submit
memory/2000-50-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2000-47-0x00000240B5C20000-0x00000240B5C27000-memory.dmp

Filesize
28KB

Download
memory/2000-44-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2544-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2544-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2544-3-0x000001773B630000-0x000001773B637000-memory.dmp

Filesize
28KB

Download
memory/2568-65-0x000001DB4C470000-0x000001DB4C477000-memory.dmp

Filesize
28KB

Download
memory/2568-68-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2568-62-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2864-87-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2864-84-0x000002476F480000-0x000002476F487000-memory.dmp

Filesize
28KB

Download
memory/3476-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3476-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3476-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3476-26-0x00007FFCD55DA000-0x00007FFCD55DB000-memory.dmp

Filesize
4KB

Download
memory/3476-27-0x00000000029D0000-0x00000000029D7000-memory.dmp

Filesize
28KB

Download
memory/3476-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3476-28-0x00007FFCD6B50000-0x00007FFCD6B60000-memory.dmp

Filesize
64KB

Download
memory/3476-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3476-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3476-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3476-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3476-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3476-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3476-4-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download