dridex | 301841aaf350823c55016d1092ffe88785d5cd97263bc2eb025ef908dadef41a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8604774bbfe1f722a0064a287ae9309c_JaffaCakes118.dll
Size

987KB
MD5

8604774bbfe1f722a0064a287ae9309c
SHA1

ff9d68148a3e3e1b55421ec68745ae1b3f09c3d1
SHA256

301841aaf350823c55016d1092ffe88785d5cd97263bc2eb025ef908dadef41a
SHA512

eafac14440bec2452c1b36edc82fa7e536433e1fcbe8f80cda4cfe7e5a9b4f4cb080189d61c826c1aa090105eb42e50101f7f56c777a062ab93d9d691e323e42
SSDEEP

24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3456-4-0x0000000002680000-0x0000000002681000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

EaseOfAccessDialog.exeMagnify.exerdpinput.exe

pid process

2764 EaseOfAccessDialog.exe
4740 Magnify.exe
4540 rdpinput.exe
Loads dropped DLL 3 IoCs

Processes:

EaseOfAccessDialog.exeMagnify.exerdpinput.exe

pid process

2764 EaseOfAccessDialog.exe
4740 Magnify.exe
4540 rdpinput.exe

resource	yara_rule
behavioral2/memory/3456-4-0x0000000002680000-0x0000000002681000-memory.dmp	dridex_stager_shellcode

pid	process
2764	EaseOfAccessDialog.exe
4740	Magnify.exe
4540	rdpinput.exe

pid	process
2764	EaseOfAccessDialog.exe
4740	Magnify.exe
4540	rdpinput.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\z0VcFwHj6\\Magnify.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeEaseOfAccessDialog.exeMagnify.exerdpinput.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4092	rundll32.exe
4092	rundll32.exe
4092	rundll32.exe
4092	rundll32.exe
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3456

pid	process
3456

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3456 wrote to memory of 868	3456	EaseOfAccessDialog.exe
PID 3456 wrote to memory of 868	3456	EaseOfAccessDialog.exe
PID 3456 wrote to memory of 2764	3456	EaseOfAccessDialog.exe
PID 3456 wrote to memory of 2764	3456	EaseOfAccessDialog.exe
PID 3456 wrote to memory of 4476	3456	Magnify.exe
PID 3456 wrote to memory of 4476	3456	Magnify.exe
PID 3456 wrote to memory of 4740	3456	Magnify.exe
PID 3456 wrote to memory of 4740	3456	Magnify.exe
PID 3456 wrote to memory of 4964	3456	rdpinput.exe
PID 3456 wrote to memory of 4964	3456	rdpinput.exe
PID 3456 wrote to memory of 4540	3456	rdpinput.exe
PID 3456 wrote to memory of 4540	3456	rdpinput.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8604774bbfe1f722a0064a287ae9309c_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4092

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:868

C:\Users\Admin\AppData\Local\Dc34o\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\Dc34o\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2764

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:4476

C:\Users\Admin\AppData\Local\INe\Magnify.exe
C:\Users\Admin\AppData\Local\INe\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4740

C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
1⤵
PID:4964

C:\Users\Admin\AppData\Local\384luK\rdpinput.exe
C:\Users\Admin\AppData\Local\384luK\rdpinput.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4540

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\384luK\WINSTA.dll
Filesize
994KB

MD5
47632987d3c554b04e85088054a8fb84

SHA1
224e6353f4746f0932adebcd93378477889ed086

SHA256
a858e6c60c7c7f816724c11e80a332fa8b5df75dd4acd01050ca741a09b581f4

SHA512
3eb57286665118f9503b2a0c6119d6246aa26688bcb05f2fda2f5f09ab400dd7a37119db0511ac766710f84310846a1e2c1328bdfb513d760451a33c035fc040

Download Submit
C:\Users\Admin\AppData\Local\384luK\rdpinput.exe
Filesize
180KB

MD5
bd99eeca92869f9a3084d689f335c734

SHA1
a2839f6038ea50a4456cd5c2a3ea003e7b77688c

SHA256
39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

SHA512
355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

Download Submit
C:\Users\Admin\AppData\Local\Dc34o\DUser.dll
Filesize
991KB

MD5
b0e3a829512ccde73b7424903340df76

SHA1
df8143c4fdf43355f4f485ced6177868b5047428

SHA256
f5c14d9aca0867af46c69a4144c01f56968f524157d8d1eb4491d484fcd6df44

SHA512
39a09177a91691b2cabbe2295d7d5bd99ef831c777e6d889e8d7d2411407b5b84ec22de9839c2c3e60b41fc573c94027ca3fe29a7cf08c0eec7c11108caf1423

Download Submit
C:\Users\Admin\AppData\Local\Dc34o\EaseOfAccessDialog.exe
Filesize
123KB

MD5
e75ee992c1041341f709a517c8723c87

SHA1
471021260055eac0021f0abffa2d0ba77a2f380e

SHA256
0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

SHA512
48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

Download Submit
C:\Users\Admin\AppData\Local\INe\MAGNIFICATION.dll
Filesize
988KB

MD5
12680546835b1c4a9fcee4d511a3c60d

SHA1
07cd05d3502daae99a48145066d111dc71fa982d

SHA256
3f7327580952da7825e1ec122bafacfeff05c8a2667a1f4d6d27ef21d7e5f05d

SHA512
f2345e39d7f738f138676f8dc9e4c451347e02b40089589d0f89f2a168dea1c2baea57eae0a2099f2bea85e78e46136df6780606b1906f1fd15fde795348c1b2

Download Submit
C:\Users\Admin\AppData\Local\INe\Magnify.exe
Filesize
639KB

MD5
4029890c147e3b4c6f41dfb5f9834d42

SHA1
10d08b3f6dabe8171ca2dd52e5737e3402951c75

SHA256
57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

SHA512
dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize
1KB

MD5
5e348cf2f9d67de84b74f7f38ddc7127

SHA1
eb7a5ef67899d622c1acd2fd781e5950b7c2c488

SHA256
f74d90a2a2312c462787fc9071a8fe91eaa90e88be483094179d492917aa300b

SHA512
1f1805ce083904c6eaedeeb7291f1bd9fccc6d7273e21f4a6b9718044eca3cb7918976c5aa65bb057135257502665733f5b017e84a7b7300a08878dd0166d27b

Download Submit
memory/2764-50-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2764-47-0x000001E0E8C80000-0x000001E0E8C87000-memory.dmp

Filesize
28KB

Download
memory/2764-44-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3456-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-23-0x00007FFF8452A000-0x00007FFF8452B000-memory.dmp

Filesize
4KB

Download
memory/3456-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-24-0x0000000000D60000-0x0000000000D67000-memory.dmp

Filesize
28KB

Download
memory/3456-25-0x00007FFF85070000-0x00007FFF85080000-memory.dmp

Filesize
64KB

Download
memory/3456-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-4-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/4092-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4092-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4092-3-0x0000021688400000-0x0000021688407000-memory.dmp

Filesize
28KB

Download
memory/4540-81-0x00000250B8D90000-0x00000250B8D97000-memory.dmp

Filesize
28KB

Download
memory/4540-84-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/4740-64-0x00000242A58A0000-0x00000242A58A7000-memory.dmp

Filesize
28KB

Download
memory/4740-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4740-61-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download