dridex | 853e9859d31b351e3aa4d945f86649537f80d6f9eb5db5389d5e14fe96133ff8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e9f9da05dd2ec3af6e062a95b717291_JaffaCakes118.dll
Size

1.2MB
MD5

8e9f9da05dd2ec3af6e062a95b717291
SHA1

aa8f45c4f03a62d34bdeaba4e592da0ba794b443
SHA256

853e9859d31b351e3aa4d945f86649537f80d6f9eb5db5389d5e14fe96133ff8
SHA512

215faa588cdab93807a396c4521cc23068df128000c2c2d953638e39eeed79d085fba3ea46da136680513ee5907b4cd230f0fbe70840aded2d0578cca6eac674
SSDEEP

24576:XyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:XyWRKTt/QlPVp3h9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3524-4-0x00000000024D0000-0x00000000024D1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

SystemSettingsRemoveDevice.exeOptionalFeatures.exerdpclip.exe

pid process

3260 SystemSettingsRemoveDevice.exe
3728 OptionalFeatures.exe
3120 rdpclip.exe
Loads dropped DLL 3 IoCs

Processes:

SystemSettingsRemoveDevice.exeOptionalFeatures.exerdpclip.exe

pid process

3260 SystemSettingsRemoveDevice.exe
3728 OptionalFeatures.exe
3120 rdpclip.exe

resource	yara_rule
behavioral2/memory/3524-4-0x00000000024D0000-0x00000000024D1000-memory.dmp	dridex_stager_shellcode

pid	process
3260	SystemSettingsRemoveDevice.exe
3728	OptionalFeatures.exe
3120	rdpclip.exe

pid	process
3260	SystemSettingsRemoveDevice.exe
3728	OptionalFeatures.exe
3120	rdpclip.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Welddizcvtwl = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\N287x0fE\\OptionalFeatures.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemSettingsRemoveDevice.exeOptionalFeatures.exerdpclip.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2708	rundll32.exe
2708	rundll32.exe
2708	rundll32.exe
2708	rundll32.exe
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3524

pid	process
3524

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3524 wrote to memory of 5116	3524	SystemSettingsRemoveDevice.exe
PID 3524 wrote to memory of 5116	3524	SystemSettingsRemoveDevice.exe
PID 3524 wrote to memory of 3260	3524	SystemSettingsRemoveDevice.exe
PID 3524 wrote to memory of 3260	3524	SystemSettingsRemoveDevice.exe
PID 3524 wrote to memory of 2680	3524	OptionalFeatures.exe
PID 3524 wrote to memory of 2680	3524	OptionalFeatures.exe
PID 3524 wrote to memory of 3728	3524	OptionalFeatures.exe
PID 3524 wrote to memory of 3728	3524	OptionalFeatures.exe
PID 3524 wrote to memory of 3296	3524	rdpclip.exe
PID 3524 wrote to memory of 3296	3524	rdpclip.exe
PID 3524 wrote to memory of 3120	3524	rdpclip.exe
PID 3524 wrote to memory of 3120	3524	rdpclip.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e9f9da05dd2ec3af6e062a95b717291_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2708

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:5116

C:\Users\Admin\AppData\Local\ljMxIWP\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\ljMxIWP\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3260

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:2680

C:\Users\Admin\AppData\Local\2zI\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\2zI\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3728

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:3296

C:\Users\Admin\AppData\Local\GwCKwO\rdpclip.exe
C:\Users\Admin\AppData\Local\GwCKwO\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2zI\OptionalFeatures.exe
Filesize
110KB

MD5
d6cd8bef71458804dbc33b88ace56372

SHA1
a18b58445be2492c5d37abad69b5aa0d29416a60

SHA256
fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

SHA512
1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

Download Submit
C:\Users\Admin\AppData\Local\2zI\appwiz.cpl
Filesize
1.2MB

MD5
ae5c3c1ecbd6819363b1b8ed49574aa5

SHA1
4f7ba71949c3d8006d8d5079d2ebd6df8242bd8f

SHA256
efb9eafab8ab576f4cf8f4e9121f3d295cbdf4a27fa8ae4d1c4646ada4e7f9db

SHA512
3fef140accb8cfa2635bacc4fe08c0272ba919d9227a299b637b919815a75d7704458671e9e40f1d7b8d301f5191c9cc9e6ccb0bc44f6920bbd9fda7d2aac0d2

Download Submit
C:\Users\Admin\AppData\Local\GwCKwO\WINSTA.dll
Filesize
1.2MB

MD5
900d68cd087a6862a4abeea4c851bc26

SHA1
9bfbca309d9dcf9ee3ee0e56ad81cbdfa80d11cd

SHA256
8fa6133f270571fd8a2e60228bd19209f5c1d6d71126303692e4b4dd5b57186d

SHA512
ffb87c39b2e674688273ed8111e4c1ea01cafa12c19f406d54c8eb588d71c6c4bf4f46ca6f98865123d623420921ac685d02f66a69979ae9eb52d97783f5c231

Download Submit
C:\Users\Admin\AppData\Local\GwCKwO\rdpclip.exe
Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Local\ljMxIWP\DUI70.dll
Filesize
1.4MB

MD5
a73fcdf88734531c64fb2c9629689283

SHA1
e3fdeccf0cbbc3a571472904c3cd926cf36cf93e

SHA256
537582c71d83f0d86f86f8024949bd3545b524b62a9fd5b4c453a8848a208ef3

SHA512
ed6dbbd9afd1dfe7d20d03708b90da7773c8a547599d1f8e10033eedc55ee43d108b024a3ef2a3fbb099b52b8e1a1734fdb276377ade45b3d66b0127859f4bcb

Download Submit
C:\Users\Admin\AppData\Local\ljMxIWP\SystemSettingsRemoveDevice.exe
Filesize
39KB

MD5
7853f1c933690bb7c53c67151cbddeb0

SHA1
d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

SHA256
9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

SHA512
831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hjyomsugwtoazg.lnk
Filesize
1KB

MD5
1cfb01523be91c5478076a958a930dd1

SHA1
a2bbed76b2292c7bb9674283267d5056e07a6bf3

SHA256
41c0418414b9e936d330cf2d529ae99753988c5d005e2630b2a9b4321d64c7a5

SHA512
c047504fd85e4250ac714ead91f238a3f9656572aacf81b4c7de719b9ad4a113fe62c3407bacda20f44f9710cb2f036be14a2c88174809f986f8c28570e54cc0

Download Submit
memory/2708-3-0x000001D7F9EA0000-0x000001D7F9EA7000-memory.dmp

Filesize
28KB

Download
memory/2708-39-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2708-0-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3120-80-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3120-83-0x0000021034360000-0x0000021034367000-memory.dmp

Filesize
28KB

Download
memory/3120-86-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3260-52-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/3260-46-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/3260-49-0x0000026E66280000-0x0000026E66287000-memory.dmp

Filesize
28KB

Download
memory/3524-37-0x0000000001E80000-0x0000000001E87000-memory.dmp

Filesize
28KB

Download
memory/3524-34-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3524-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3524-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3524-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3524-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3524-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3524-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3524-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3524-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3524-6-0x00007FFB7707A000-0x00007FFB7707B000-memory.dmp

Filesize
4KB

Download
memory/3524-4-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/3524-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3524-38-0x00007FFB78E70000-0x00007FFB78E80000-memory.dmp

Filesize
64KB

Download
memory/3524-25-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3524-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3728-69-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3728-63-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3728-66-0x00000284AB080000-0x00000284AB087000-memory.dmp

Filesize
28KB

Download