dridex | 3b3f6912efd246ea622818440eeaa38e8a01710721713270b85d912c9fc03e66

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a71c52fe86f8d9c2bbf951c11532e60c_JaffaCakes118.dll
Size

1.2MB
MD5

a71c52fe86f8d9c2bbf951c11532e60c
SHA1

bb1d4e0c6b530f6d991a304ecb9a53a466899329
SHA256

3b3f6912efd246ea622818440eeaa38e8a01710721713270b85d912c9fc03e66
SHA512

62f1a60da642ce2cc99a5953cb1969d9d64d351bd81772cc15c1bb3e233db92fa2b986d0701cb8a49c2d2383a7cb417cfa15731fc6889294bcbac8c914077aa4
SSDEEP

24576:UuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NCt:M9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3484-4-0x0000000002E20000-0x0000000002E21000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

SppExtComObj.Exeshrpubw.exeSndVol.exe

pid process

5060 SppExtComObj.Exe
1768 shrpubw.exe
1236 SndVol.exe
Loads dropped DLL 3 IoCs

Processes:

SppExtComObj.Exeshrpubw.exeSndVol.exe

pid process

5060 SppExtComObj.Exe
1768 shrpubw.exe
1236 SndVol.exe

resource	yara_rule
behavioral2/memory/3484-4-0x0000000002E20000-0x0000000002E21000-memory.dmp	dridex_stager_shellcode

pid	process
5060	SppExtComObj.Exe
1768	shrpubw.exe
1236	SndVol.exe

pid	process
5060	SppExtComObj.Exe
1768	shrpubw.exe
1236	SndVol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tyoytnnsf = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\gNg9TyaN94e\\shrpubw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSppExtComObj.Exeshrpubw.exeSndVol.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.Exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
2984	rundll32.exe
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3484 wrote to memory of 3056	3484	SppExtComObj.Exe
PID 3484 wrote to memory of 3056	3484	SppExtComObj.Exe
PID 3484 wrote to memory of 5060	3484	SppExtComObj.Exe
PID 3484 wrote to memory of 5060	3484	SppExtComObj.Exe
PID 3484 wrote to memory of 3184	3484	shrpubw.exe
PID 3484 wrote to memory of 3184	3484	shrpubw.exe
PID 3484 wrote to memory of 1768	3484	shrpubw.exe
PID 3484 wrote to memory of 1768	3484	shrpubw.exe
PID 3484 wrote to memory of 436	3484	SndVol.exe
PID 3484 wrote to memory of 436	3484	SndVol.exe
PID 3484 wrote to memory of 1236	3484	SndVol.exe
PID 3484 wrote to memory of 1236	3484	SndVol.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a71c52fe86f8d9c2bbf951c11532e60c_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
1⤵
PID:3056

C:\Users\Admin\AppData\Local\Dgb\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\Dgb\SppExtComObj.Exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5060

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:3184

C:\Users\Admin\AppData\Local\TH7nJD\shrpubw.exe
C:\Users\Admin\AppData\Local\TH7nJD\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1768

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:436

C:\Users\Admin\AppData\Local\OJ5\SndVol.exe
C:\Users\Admin\AppData\Local\OJ5\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1236

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Dgb\ACTIVEDS.dll
Filesize
1.2MB

MD5
69f1e5050b88bd13977bec2d9a49642c

SHA1
9b1b1a846b6dd1b9820ad610074ecee3809c3c97

SHA256
1533654052b7d6aa250e825d69c549243c02ce9128a290154872ebc5195272f6

SHA512
36750010ed8499f28ff43592e0f5413c6669047dd4c3cab3446e9428234ce98e3df0541f607d73997a601c2d101f6e62417b8237d51fe1c514ecff61a8f8a296

Download Submit
C:\Users\Admin\AppData\Local\Dgb\SppExtComObj.Exe
Filesize
559KB

MD5
728a78909aa69ca0e976e94482350700

SHA1
6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

SHA256
2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

SHA512
22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

Download Submit
C:\Users\Admin\AppData\Local\OJ5\SndVol.exe
Filesize
269KB

MD5
c5d939ac3f9d885c8355884199e36433

SHA1
b8f277549c23953e8683746e225e7af1c193ad70

SHA256
68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

SHA512
8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

Download Submit
C:\Users\Admin\AppData\Local\OJ5\UxTheme.dll
Filesize
1.2MB

MD5
344109ee1b8509fbae1b6332c8fb233b

SHA1
72a3921326595ca285387353b0d5c32bb617280e

SHA256
739c62b7099a18e9cc5b4c9dc5c07db482817323d5e1b93504c02195336d642a

SHA512
24c7ea8449442eb57789ed4d08c109c25265a0f494d0f8e9a6089c864c3e9952dd0cc7a68478ab65b8aaa84e665241bd6a117b43d8f1ffe5a0d14a1ca8604009

Download Submit
C:\Users\Admin\AppData\Local\TH7nJD\shrpubw.exe
Filesize
59KB

MD5
9910d5c62428ec5f92b04abf9428eec9

SHA1
05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

SHA256
6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

SHA512
01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

Download Submit
C:\Users\Admin\AppData\Local\TH7nJD\srvcli.dll
Filesize
1.2MB

MD5
c7a34ff4a7477e368a0b3da229085825

SHA1
070917fcee576a1628c53e972dd6d781b2cc4e1c

SHA256
2dbaa2dc63cc82dfa2dae9d1c57aa22d315210bb4284a9767b33d2ae990b2f3c

SHA512
9f4dcaa34cccccd1283c41c8dccc8655eb0a5596b3285f3e387d5d553de46071df46dea9798e80b2f6484fb76141fe89e4011591dbfdbffbfa8da859c7cf7366

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fotgztfwispj.lnk
Filesize
1KB

MD5
0481eac0b66a2db7b9afbcc9d60fc706

SHA1
1a15891c786c0e136ba724cce31a9deea6bff319

SHA256
f49d04811cb7473c02462a6ef9bf1a419af0bbe2a8d2c53284c2feb45a65b4ad

SHA512
454abe69c53effa1124b99fe8b3b8a11b263c222a83139e1d1482d4ec28e8f28164a58132893aa9273197e2e4afc83003413eaaad2747f5c9a7d0e54aa93c85c

Download Submit
memory/1236-88-0x00007FFCBBC40000-0x00007FFCBBD75000-memory.dmp

Filesize
1.2MB

Download
memory/1236-85-0x00000282D50C0000-0x00000282D50C7000-memory.dmp

Filesize
28KB

Download
memory/1768-68-0x000001C249110000-0x000001C249117000-memory.dmp

Filesize
28KB

Download
memory/1768-71-0x00007FFCBBC40000-0x00007FFCBBD75000-memory.dmp

Filesize
1.2MB

Download
memory/2984-0-0x000002BAFC800000-0x000002BAFC807000-memory.dmp

Filesize
28KB

Download
memory/2984-41-0x00007FFCBBC30000-0x00007FFCBBD64000-memory.dmp

Filesize
1.2MB

Download
memory/2984-2-0x00007FFCBBC30000-0x00007FFCBBD64000-memory.dmp

Filesize
1.2MB

Download
memory/3484-40-0x00007FFCCA830000-0x00007FFCCA840000-memory.dmp

Filesize
64KB

Download
memory/3484-26-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-13-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-12-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-11-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-10-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-7-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-15-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-17-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-19-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/3484-9-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-8-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-38-0x00007FFCCA4AA000-0x00007FFCCA4AB000-memory.dmp

Filesize
4KB

Download
memory/3484-39-0x0000000002E30000-0x0000000002E37000-memory.dmp

Filesize
28KB

Download
memory/3484-36-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-14-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-16-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3484-6-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/5060-54-0x00007FFCBBC40000-0x00007FFCBBD75000-memory.dmp

Filesize
1.2MB

Download
memory/5060-48-0x00007FFCBBC40000-0x00007FFCBBD75000-memory.dmp

Filesize
1.2MB

Download
memory/5060-51-0x000001E1FADD0000-0x000001E1FADD7000-memory.dmp

Filesize
28KB

Download