dridex | f098328e0bc6d2b258c50a3edc49a757403d9e081245aacc8eac924606d66103

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96b832274e61991a1b255bdab51a546d_JaffaCakes118.dll
Size

1.2MB
MD5

96b832274e61991a1b255bdab51a546d
SHA1

a4ed93751ec4b20393f42b3c4f6ce45e71bd77c0
SHA256

f098328e0bc6d2b258c50a3edc49a757403d9e081245aacc8eac924606d66103
SHA512

5c7f7291112d0a35a132d353286e0ae04ab3d2335bf958cedc5f438a959f7fae79a68b22b0870936db9da72e42b15555e0262ccf257c207fd240fd7667f93282
SSDEEP

24576:MyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:MyWRKTt/QlPVp3h9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3376-4-0x0000000008710000-0x0000000008711000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesProtection.exemstsc.exewextract.exe

pid process

1096 SystemPropertiesProtection.exe
1520 mstsc.exe
3736 wextract.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesProtection.exemstsc.exewextract.exe

pid process

1096 SystemPropertiesProtection.exe
1520 mstsc.exe
3736 wextract.exe

resource	yara_rule
behavioral2/memory/3376-4-0x0000000008710000-0x0000000008711000-memory.dmp	dridex_stager_shellcode

pid	process
1096	SystemPropertiesProtection.exe
1520	mstsc.exe
3736	wextract.exe

pid	process
1096	SystemPropertiesProtection.exe
1520	mstsc.exe
3736	wextract.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\iXZRJakp42\\mstsc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesProtection.exemstsc.exewextract.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3764	rundll32.exe
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3376
3376
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3376

pid	process
3376
3376

pid	process
3376

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3376 wrote to memory of 4036	3376	SystemPropertiesProtection.exe
PID 3376 wrote to memory of 4036	3376	SystemPropertiesProtection.exe
PID 3376 wrote to memory of 1096	3376	SystemPropertiesProtection.exe
PID 3376 wrote to memory of 1096	3376	SystemPropertiesProtection.exe
PID 3376 wrote to memory of 4416	3376	mstsc.exe
PID 3376 wrote to memory of 4416	3376	mstsc.exe
PID 3376 wrote to memory of 1520	3376	mstsc.exe
PID 3376 wrote to memory of 1520	3376	mstsc.exe
PID 3376 wrote to memory of 1668	3376	wextract.exe
PID 3376 wrote to memory of 1668	3376	wextract.exe
PID 3376 wrote to memory of 3736	3376	wextract.exe
PID 3376 wrote to memory of 3736	3376	wextract.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\96b832274e61991a1b255bdab51a546d_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3764

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:4036

C:\Users\Admin\AppData\Local\VBphnY6b\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\VBphnY6b\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1096

C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
1⤵
PID:4416

C:\Users\Admin\AppData\Local\Xq9Yhs5hc\mstsc.exe
C:\Users\Admin\AppData\Local\Xq9Yhs5hc\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1520

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:1668

C:\Users\Admin\AppData\Local\2HPdhY1\wextract.exe
C:\Users\Admin\AppData\Local\2HPdhY1\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3736

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2HPdhY1\VERSION.dll
Filesize
1.2MB

MD5
9a6df4587eae5a70c7261bf3050def9a

SHA1
0bbb8e8b009d4182f4e7c20659aa61ca22ed3c51

SHA256
10e24b8c35cac4bbf3a45bd7696db55ad80b1f5a7be42c9e3246036f1f746c97

SHA512
18118e5f2d1f7badf60fc0355cb7833aff69b34c0c129d549c91faf174890e1dc1fac0e6f6906d7c6e700efebdef93c3b3d719902d4b7b1498f83176ab25a96b

Download Submit
C:\Users\Admin\AppData\Local\2HPdhY1\wextract.exe
Filesize
143KB

MD5
56e501e3e49cfde55eb1caabe6913e45

SHA1
ab2399cbf17dbee7b302bea49e40d4cee7caea76

SHA256
fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

SHA512
2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

Download Submit
C:\Users\Admin\AppData\Local\VBphnY6b\SYSDM.CPL
Filesize
1.2MB

MD5
ffe1fe24033b93b9616d67dd38148507

SHA1
8e2762c79622997e347323a93eef027578bdbb4c

SHA256
45de0e52efeb02710d3b68e70f80ef31055952ecb4ee030931463ff1e3ea3927

SHA512
24fb191c86b13aee4b723284b00a7dc384feaef1303cb22658cac09669bb090feb9706770ef119313389c89a2239abab57846032df7aa712e081805afa02015f

Download Submit
C:\Users\Admin\AppData\Local\VBphnY6b\SystemPropertiesProtection.exe
Filesize
82KB

MD5
26640d2d4fa912fc9a354ef6cfe500ff

SHA1
a343fd82659ce2d8de3beb587088867cf2ab8857

SHA256
a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

SHA512
26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

Download Submit
C:\Users\Admin\AppData\Local\Xq9Yhs5hc\WINMM.dll
Filesize
1.2MB

MD5
8e1c01fbaf7c98bb2704a67e56e6e1d6

SHA1
9fb238056f758bf3126b2515905008c019e5b1b9

SHA256
953815d9b34d2687911b2b885b934987ed53e0e6c519bb351ca07c48ac1a0777

SHA512
7002695779c3a8f787362c404668a0c88161c5edfb00026e6ab501f5f32fe9adf17211d20b0ce5e8d74580ae8cb119c9224ae16b1f475594b57dc5b6d03b5f8e

Download Submit
C:\Users\Admin\AppData\Local\Xq9Yhs5hc\mstsc.exe
Filesize
1.5MB

MD5
3a26640414cee37ff5b36154b1a0b261

SHA1
e0c28b5fdf53a202a7543b67bbc97214bad490ed

SHA256
1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f

SHA512
76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
Filesize
1KB

MD5
ff99974eda9921108cbc863b4c2511b9

SHA1
46385723f9acecd8eb7117e44ee23c3020676837

SHA256
08dcc186c9b9d43050b5c7d1586cad80c14357b73bb9eb229adfc4b3fc344f14

SHA512
86686ae21f7f0e65363d42004cfe095ff04fb339196b83029a01f48c8d61979de4b99b5abee86a3a6f14a592d09ced5580e2caa3c5218c328a3fbb18663c771b

Download Submit
memory/1096-52-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1096-49-0x000001B63BBC0000-0x000001B63BBC7000-memory.dmp

Filesize
28KB

Download
memory/1096-46-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1520-63-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1520-66-0x0000013BEFA60000-0x0000013BEFA67000-memory.dmp

Filesize
28KB

Download
memory/1520-69-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3376-35-0x00007FFA145F0000-0x00007FFA14600000-memory.dmp

Filesize
64KB

Download
memory/3376-5-0x00007FFA12DBA000-0x00007FFA12DBB000-memory.dmp

Filesize
4KB

Download
memory/3376-9-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3376-8-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3376-7-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3376-4-0x0000000008710000-0x0000000008711000-memory.dmp

Filesize
4KB

Download
memory/3376-11-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3376-13-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3376-14-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3376-16-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3376-34-0x0000000008670000-0x0000000008677000-memory.dmp

Filesize
28KB

Download
memory/3376-10-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3376-36-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3376-25-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3376-15-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3376-12-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3736-80-0x00000213921B0000-0x00000213921B7000-memory.dmp

Filesize
28KB

Download
memory/3736-86-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3764-1-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3764-39-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3764-3-0x0000016A0A500000-0x0000016A0A507000-memory.dmp

Filesize
28KB

Download