dridex | 2f60124860d5be9579a4a37ed8e8800197f77dfa7292ea79215897aa1f5aa81a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99daf6981ed0868d09623c8463847c9a_JaffaCakes118.dll
Size

987KB
MD5

99daf6981ed0868d09623c8463847c9a
SHA1

ad9ce6e2dc54be25d7b23c8902a549a2897e2fef
SHA256

2f60124860d5be9579a4a37ed8e8800197f77dfa7292ea79215897aa1f5aa81a
SHA512

8e3b74ed0189f0528c398de4772e77c7b9019e1ed6a281bbd41663778990eb4a1d6ba0a0006e15a14e52d3a8d237f8c1981a1447a9a267de50aa8f1ffe776965
SSDEEP

24576:CVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:CV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3332-4-0x00000000026C0000-0x00000000026C1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

dpapimig.exerecdisc.exeCloudNotifications.exe

pid process

960 dpapimig.exe
3300 recdisc.exe
3484 CloudNotifications.exe
Loads dropped DLL 3 IoCs

Processes:

dpapimig.exerecdisc.exeCloudNotifications.exe

pid process

960 dpapimig.exe
3300 recdisc.exe
3484 CloudNotifications.exe

resource	yara_rule
behavioral2/memory/3332-4-0x00000000026C0000-0x00000000026C1000-memory.dmp	dridex_stager_shellcode

pid	process
960	dpapimig.exe
3300	recdisc.exe
3484	CloudNotifications.exe

pid	process
960	dpapimig.exe
3300	recdisc.exe
3484	CloudNotifications.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\iNvom\\recdisc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dpapimig.exerecdisc.exeCloudNotifications.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4292	rundll32.exe
4292	rundll32.exe
4292	rundll32.exe
4292	rundll32.exe
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3332 wrote to memory of 1816	3332	dpapimig.exe
PID 3332 wrote to memory of 1816	3332	dpapimig.exe
PID 3332 wrote to memory of 960	3332	dpapimig.exe
PID 3332 wrote to memory of 960	3332	dpapimig.exe
PID 3332 wrote to memory of 4768	3332	recdisc.exe
PID 3332 wrote to memory of 4768	3332	recdisc.exe
PID 3332 wrote to memory of 3300	3332	recdisc.exe
PID 3332 wrote to memory of 3300	3332	recdisc.exe
PID 3332 wrote to memory of 1128	3332	CloudNotifications.exe
PID 3332 wrote to memory of 1128	3332	CloudNotifications.exe
PID 3332 wrote to memory of 3484	3332	CloudNotifications.exe
PID 3332 wrote to memory of 3484	3332	CloudNotifications.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\99daf6981ed0868d09623c8463847c9a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4292

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:1816

C:\Users\Admin\AppData\Local\In4VJctYY\dpapimig.exe
C:\Users\Admin\AppData\Local\In4VJctYY\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:960

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:4768

C:\Users\Admin\AppData\Local\9OmgcNPl\recdisc.exe
C:\Users\Admin\AppData\Local\9OmgcNPl\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3300

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:1128

C:\Users\Admin\AppData\Local\03mHnrf\CloudNotifications.exe
C:\Users\Admin\AppData\Local\03mHnrf\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\03mHnrf\CloudNotifications.exe
Filesize
59KB

MD5
b50dca49bc77046b6f480db6444c3d06

SHA1
cc9b38240b0335b1763badcceac37aa9ce547f9e

SHA256
96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

SHA512
2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

Download Submit
C:\Users\Admin\AppData\Local\03mHnrf\UxTheme.dll
Filesize
990KB

MD5
66ff684001017cf8efa0302cac28e770

SHA1
b256b51d6bba14956e262e4eefb279d7a519f8e1

SHA256
2f924ff7976118d97de155310fa7d0c9ff51ff341bc9655d1ec44ef08526f63b

SHA512
5c714a28b51a475ce92010e92edbd112fc56248bb453e7d39fff5c9280a1ea1019625e12907e3f3b543c87690374140729bf299050b252b0bdd81b348bf062da

Download Submit
C:\Users\Admin\AppData\Local\9OmgcNPl\ReAgent.dll
Filesize
989KB

MD5
75138e2400373d1cd3a2748cad1da7bf

SHA1
20dc55f5ce172ecb95cac9f8f90eeaa38981be64

SHA256
0069f629ad1c0fff5c650e74e6a520035b386a732d1bda14332d352ed3e8ea3f

SHA512
1a74ccaec4dac4bb8028690bcee7b1b49ecd6c1af12e4373e83b546660e9e7e0df872129c855bf447843ad63fa6d8d33f2f851f969a1587e3165af2f93eaa177

Download Submit
C:\Users\Admin\AppData\Local\9OmgcNPl\recdisc.exe
Filesize
193KB

MD5
18afee6824c84bf5115bada75ff0a3e7

SHA1
d10f287a7176f57b3b2b315a5310d25b449795aa

SHA256
0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

SHA512
517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

Download Submit
C:\Users\Admin\AppData\Local\In4VJctYY\DUI70.dll
Filesize
1.2MB

MD5
26c6b955ea1552201ada5eb579703163

SHA1
b892d56a6fcae1bf09337ddc427e3c0a0c61a791

SHA256
36fa98d67b7d3352a19b92d22edcb9ca8032ba6d2e7994478a991d9044c1d832

SHA512
a6f6267d683c6dd54d36e0e3bf529aea7313981685ddec5755c233856b7b040a1c3e9abce18905428016276636200de2239e39bcc91791f2e721c673e636be1d

Download Submit
C:\Users\Admin\AppData\Local\In4VJctYY\dpapimig.exe
Filesize
76KB

MD5
b6d6477a0c90a81624c6a8548026b4d0

SHA1
e6eac6941d27f76bbd306c2938c0a962dbf1ced1

SHA256
a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

SHA512
72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnk
Filesize
1019B

MD5
db96d306c56c44d8f49a08a564961b04

SHA1
cb06e4a39927fc7e152b985414aec28dfaf8082d

SHA256
47b83a9af6e0cb3f7aa5bb9d6cf8c7850383efca159048470787ab8950a586d3

SHA512
78889098bf777eb507c1634adafae4855e78a88eee7e9f1417be5c28b9d3271b5ea6eeccd90aca95fc9a086b8ceb256804567ed1a32463b706e75aa5ab41a5b3

Download Submit
memory/960-50-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/960-44-0x000002CFAACB0000-0x000002CFAACB7000-memory.dmp

Filesize
28KB

Download
memory/960-45-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3300-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3300-64-0x000001758DDF0000-0x000001758DDF7000-memory.dmp

Filesize
28KB

Download
memory/3300-61-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3332-22-0x00007FFD078DA000-0x00007FFD078DB000-memory.dmp

Filesize
4KB

Download
memory/3332-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3332-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3332-4-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/3332-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3332-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3332-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3332-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3332-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3332-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3332-23-0x0000000000890000-0x0000000000897000-memory.dmp

Filesize
28KB

Download
memory/3332-27-0x00007FFD07CF0000-0x00007FFD07D00000-memory.dmp

Filesize
64KB

Download
memory/3332-24-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3332-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3484-78-0x000002B8302F0000-0x000002B8302F7000-memory.dmp

Filesize
28KB

Download
memory/3484-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4292-0-0x000002005F2A0000-0x000002005F2A7000-memory.dmp

Filesize
28KB

Download
memory/4292-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4292-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download