dridex | 80945307d35592bafc62a4521f865dccdee21e442dc15d533675207d6c012614

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0386ba950a1b343ae0b01e8c98e0a4c_JaffaCakes118.dll
Size

1.4MB
MD5

b0386ba950a1b343ae0b01e8c98e0a4c
SHA1

5f2cca191a83203b55710072c5cef194bdfc7b83
SHA256

80945307d35592bafc62a4521f865dccdee21e442dc15d533675207d6c012614
SHA512

088224073d06521d9c43ecea1b493d12bb39ffa3f40db879c0b69c462a621db343cf7c03740304e063158b18d41ab747ecd99980c865068abcb8ced2125eda5c
SSDEEP

24576:4uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NP:I9cKrUqZWLAcUH

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3572-4-0x0000000002640000-0x0000000002641000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

SysResetErr.exerdpclip.exesethc.exe

pid process

3044 SysResetErr.exe
2512 rdpclip.exe
60 sethc.exe
Loads dropped DLL 3 IoCs

Processes:

SysResetErr.exerdpclip.exesethc.exe

pid process

3044 SysResetErr.exe
2512 rdpclip.exe
60 sethc.exe

resource	yara_rule
behavioral2/memory/3572-4-0x0000000002640000-0x0000000002641000-memory.dmp	dridex_stager_shellcode

pid	process
3044	SysResetErr.exe
2512	rdpclip.exe
60	sethc.exe

pid	process
3044	SysResetErr.exe
2512	rdpclip.exe
60	sethc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bhelxfhv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\2mMyy\\rdpclip.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rdpclip.exesethc.exerundll32.exeSysResetErr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pid process

3572
3572
3572
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3572
3572
3572
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3572

pid	process
3572
3572
3572

pid	process
3572
3572
3572

pid	process
3572

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3572 wrote to memory of 4756	3572	SysResetErr.exe
PID 3572 wrote to memory of 4756	3572	SysResetErr.exe
PID 3572 wrote to memory of 3044	3572	SysResetErr.exe
PID 3572 wrote to memory of 3044	3572	SysResetErr.exe
PID 3572 wrote to memory of 2768	3572	rdpclip.exe
PID 3572 wrote to memory of 2768	3572	rdpclip.exe
PID 3572 wrote to memory of 2512	3572	rdpclip.exe
PID 3572 wrote to memory of 2512	3572	rdpclip.exe
PID 3572 wrote to memory of 344	3572	sethc.exe
PID 3572 wrote to memory of 344	3572	sethc.exe
PID 3572 wrote to memory of 60	3572	sethc.exe
PID 3572 wrote to memory of 60	3572	sethc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0386ba950a1b343ae0b01e8c98e0a4c_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2184

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:4756

C:\Users\Admin\AppData\Local\AB0\SysResetErr.exe
C:\Users\Admin\AppData\Local\AB0\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3044

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:2768

C:\Users\Admin\AppData\Local\FFzd012uj\rdpclip.exe
C:\Users\Admin\AppData\Local\FFzd012uj\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2512

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:344

C:\Users\Admin\AppData\Local\7xmqnl\sethc.exe
C:\Users\Admin\AppData\Local\7xmqnl\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:60

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7xmqnl\WTSAPI32.dll
Filesize
1.4MB

MD5
245409dfc447b77520336c8252b2012e

SHA1
7f8fb399c14876f6b0644825a030005644a0fa9f

SHA256
b81b76e6d70439cad03d1a357c84f021d2ca27b563ad7831626812a80b7c8e62

SHA512
788516a14dae692e087cefb18b512c6c1b7c68326f555760ebdd6a7c29e38c35c8dc84163cc84ebc424e9a58eca52324f9045fae98005f84e753ffc779a86cf6

Download Submit
C:\Users\Admin\AppData\Local\7xmqnl\sethc.exe
Filesize
104KB

MD5
8ba3a9702a3f1799431cad6a290223a6

SHA1
9c7dc9b6830297c8f759d1f46c8b36664e26c031

SHA256
615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8

SHA512
680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

Download Submit
C:\Users\Admin\AppData\Local\AB0\DUI70.dll
Filesize
1.7MB

MD5
4b1cbfe3639482825f57ac2e955bbc8f

SHA1
c0f69986e33c39d5914d28f5d6731a37fc795ed9

SHA256
6f8b78ea572014ce5e6a2d666b9bfffccb30f5f39c0ea488b4a440b0f616d27c

SHA512
36fe7aff76793b2f1ca36145a335a78fc96495613ed16d3207f47188f18b734cab77614f5426073aa5cd03b6b02e410e1b93a265e6d1e0b61b7b9a7aa04b8d0d

Download Submit
C:\Users\Admin\AppData\Local\AB0\SysResetErr.exe
Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Local\FFzd012uj\WINSTA.dll
Filesize
1.4MB

MD5
84969a4330ff6bc147535cd879588215

SHA1
2f08a07e756e6a7a12c0d581e01c3d5e25d520a8

SHA256
124af552359d01f72355c347e8d4d60901359b8a98c1cca087806337e8dde1eb

SHA512
d27a4a6fa92e82813ee81408e2f4fb46fd208d5621948b5f1f1c54da4fb7d92daa5350d0b85a85904480fa1a67c519cfa25367e4aba2f519d9f0de6581169ffb

Download Submit
C:\Users\Admin\AppData\Local\FFzd012uj\rdpclip.exe
Filesize
446KB

MD5
a52402d6bd4e20a519a2eeec53332752

SHA1
129f2b6409395ef877b9ca39dd819a2703946a73

SHA256
9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

SHA512
632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk
Filesize
1KB

MD5
4e8177e72653790e439104fcb6ec0d60

SHA1
f5da707f630441fd7d062b7818023005a3d0deef

SHA256
4c5a8b6fc66fd7c17149a398442a1f52f6f2e1eb45f0e065d67e911d8d20af55

SHA512
cfde9e9fb771734528c0672087f3f16565b89dfdeef270de9a31d1ce84ac1815e5b027bc202f794e06dc627f058293b0b9a61cc587d31496ef7e3dc1c627eae5

Download Submit
memory/60-85-0x0000024C30410000-0x0000024C30417000-memory.dmp

Filesize
28KB

Download
memory/60-82-0x00007FFBA7D20000-0x00007FFBA7E8F000-memory.dmp

Filesize
1.4MB

Download
memory/60-88-0x00007FFBA7D20000-0x00007FFBA7E8F000-memory.dmp

Filesize
1.4MB

Download
memory/2184-0-0x00007FFBA8650000-0x00007FFBA87BE000-memory.dmp

Filesize
1.4MB

Download
memory/2184-41-0x00007FFBA8650000-0x00007FFBA87BE000-memory.dmp

Filesize
1.4MB

Download
memory/2184-3-0x000001D7BE2E0000-0x000001D7BE2E7000-memory.dmp

Filesize
28KB

Download
memory/2512-71-0x00007FFBA81B0000-0x00007FFBA8320000-memory.dmp

Filesize
1.4MB

Download
memory/2512-65-0x00007FFBA81B0000-0x00007FFBA8320000-memory.dmp

Filesize
1.4MB

Download
memory/2512-68-0x00000136F7F10000-0x00000136F7F17000-memory.dmp

Filesize
28KB

Download
memory/3044-54-0x00007FFBA8160000-0x00007FFBA8314000-memory.dmp

Filesize
1.7MB

Download
memory/3044-51-0x0000014CB5590000-0x0000014CB5597000-memory.dmp

Filesize
28KB

Download
memory/3044-48-0x00007FFBA8160000-0x00007FFBA8314000-memory.dmp

Filesize
1.7MB

Download
memory/3572-35-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-26-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-7-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-8-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-9-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-10-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-11-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-12-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-13-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-14-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-15-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-16-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-38-0x00007FFBB6CCA000-0x00007FFBB6CCB000-memory.dmp

Filesize
4KB

Download
memory/3572-39-0x0000000002600000-0x0000000002607000-memory.dmp

Filesize
28KB

Download
memory/3572-40-0x00007FFBB6E70000-0x00007FFBB6E80000-memory.dmp

Filesize
64KB

Download
memory/3572-18-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-17-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-6-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3572-4-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads