dridex | 4791c7c67653f43871c62ee20af9460c6d78a05572750644c3d64cb6fc5e0ace

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b17dcef30ff24e8b5496174af6faf8db_JaffaCakes118.dll
Size

985KB
MD5

b17dcef30ff24e8b5496174af6faf8db
SHA1

b7d13894c9de90517a5fc4283116052052fb01db
SHA256

4791c7c67653f43871c62ee20af9460c6d78a05572750644c3d64cb6fc5e0ace
SHA512

f6e0601226cb4469d5d01486a6c68dd98b7e51c20912708a02482d4e5adfe479b3553c92ee6af8c92654a2e64539aaa8318346c9f1428965955bb30ca495f19f
SSDEEP

24576:2VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:2V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3500-4-0x0000000006D60000-0x0000000006D61000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

psr.exerdpinit.exeSppExtComObj.Exe

pid process

1568 psr.exe
4116 rdpinit.exe
4432 SppExtComObj.Exe
Loads dropped DLL 4 IoCs

Processes:

psr.exerdpinit.exeSppExtComObj.Exe

pid process

1568 psr.exe
1568 psr.exe
4116 rdpinit.exe
4432 SppExtComObj.Exe

resource	yara_rule
behavioral2/memory/3500-4-0x0000000006D60000-0x0000000006D61000-memory.dmp	dridex_stager_shellcode

pid	process
1568	psr.exe
4116	rdpinit.exe
4432	SppExtComObj.Exe

pid	process
1568	psr.exe
1568	psr.exe
4116	rdpinit.exe
4432	SppExtComObj.Exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\flpAoKk\\rdpinit.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exepsr.exerdpinit.exeSppExtComObj.Exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.Exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3756	rundll32.exe
3756	rundll32.exe
3756	rundll32.exe
3756	rundll32.exe
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3500
Token: SeCreatePagefilePrivilege 3500
Token: SeShutdownPrivilege 3500
Token: SeCreatePagefilePrivilege 3500
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

3500
3500
3500
3500
3500
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3500
3500
3500
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3500

description	pid	process
Token: SeShutdownPrivilege	3500
Token: SeCreatePagefilePrivilege	3500
Token: SeShutdownPrivilege	3500
Token: SeCreatePagefilePrivilege	3500

pid	process
3500
3500
3500
3500
3500

pid	process
3500
3500
3500

pid	process
3500

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3500 wrote to memory of 4676	3500	psr.exe
PID 3500 wrote to memory of 4676	3500	psr.exe
PID 3500 wrote to memory of 1568	3500	psr.exe
PID 3500 wrote to memory of 1568	3500	psr.exe
PID 3500 wrote to memory of 5064	3500	rdpinit.exe
PID 3500 wrote to memory of 5064	3500	rdpinit.exe
PID 3500 wrote to memory of 4116	3500	rdpinit.exe
PID 3500 wrote to memory of 4116	3500	rdpinit.exe
PID 3500 wrote to memory of 4524	3500	SppExtComObj.Exe
PID 3500 wrote to memory of 4524	3500	SppExtComObj.Exe
PID 3500 wrote to memory of 4432	3500	SppExtComObj.Exe
PID 3500 wrote to memory of 4432	3500	SppExtComObj.Exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b17dcef30ff24e8b5496174af6faf8db_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3756

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:4676

C:\Users\Admin\AppData\Local\3zKiC\psr.exe
C:\Users\Admin\AppData\Local\3zKiC\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1568

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:5064

C:\Users\Admin\AppData\Local\mvTYfGDY\rdpinit.exe
C:\Users\Admin\AppData\Local\mvTYfGDY\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4116

C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
1⤵
PID:4524

C:\Users\Admin\AppData\Local\uHiSyZJYx\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\uHiSyZJYx\SppExtComObj.Exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3zKiC\VERSION.dll
Filesize
986KB

MD5
69a1eba879696ed9cb7b59920a67f7c5

SHA1
384fd6a4761ab01671ab99a964964fe5b6698de4

SHA256
64d93c88dd73242027183bb88ccef00fc4f3726a69cf38564135402a4f73e945

SHA512
f31c7e3e627ef6377c67b88f19fc1a39608aef2c6f85adc627072d5b31ebdb272d907b16efd47d18e56962a1dfd65bf4c0779c343b7589deb7b5a6018e919aae

Download Submit
C:\Users\Admin\AppData\Local\3zKiC\psr.exe
Filesize
232KB

MD5
ad53ead5379985081b7c3f1f357e545a

SHA1
6f5aa32c1d15fbf073558fadafd046d97b60184e

SHA256
4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

SHA512
433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

Download Submit
C:\Users\Admin\AppData\Local\mvTYfGDY\dwmapi.dll
Filesize
987KB

MD5
4ed3131cbe2dcdb4fafb5d27b77c2cec

SHA1
5a6a9c1b5e4d54c64a4193e65b386f25917f2813

SHA256
d0fe363c973466d1fdb053dc929fd70da949ea0bcca4348819428c226f06988b

SHA512
ed552ad7fa6fb8419b4d6eb792838a010c1f3d0f706c5054a12a4610f3808aea319d983706c2bea6033b973bd1362fc1caf7d8156101c2f1297215c51d991356

Download Submit
C:\Users\Admin\AppData\Local\mvTYfGDY\rdpinit.exe
Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Local\uHiSyZJYx\ACTIVEDS.dll
Filesize
986KB

MD5
5a52f91424962523a720dfe17997bb1c

SHA1
0851848ad8b0d2362133c64412f6e1cdb84f64c4

SHA256
6a0d597c1de5a924048d76090a0a9a4fbe00a89654b5cca8b1eed95663ef9e15

SHA512
1f756328c4d1ff0edca68091f810c5e23758d1328cce94b35e4a0c4dbc6c0f0a107abc5349753b59345fa013f6b6c0ffecf52eeeb10fc7064b1aac30f16f8394

Download Submit
C:\Users\Admin\AppData\Local\uHiSyZJYx\SppExtComObj.Exe
Filesize
559KB

MD5
728a78909aa69ca0e976e94482350700

SHA1
6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

SHA256
2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

SHA512
22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize
1KB

MD5
ceed5ea9a679dee3662a2fa2e217a720

SHA1
78284c8cecee441ebc7abec610feafc2f739b44d

SHA256
336cb0d44098a095627f3c2301373d737663807bba929853ac883f79ff8555d2

SHA512
3fafb40ab31bd4caa5fdb37dce37a1eeadfa5c17c051a771f95a81b489b7a386064508242bf25f1c0554f3d2079e927efece4b69ac9ce8ffdce9e749ee13ffc0

Download Submit
memory/1568-45-0x0000027585E00000-0x0000027585E07000-memory.dmp

Filesize
28KB

Download
memory/1568-46-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1568-51-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3500-32-0x0000000007230000-0x0000000007237000-memory.dmp

Filesize
28KB

Download
memory/3500-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3500-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3500-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3500-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3500-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3500-4-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/3500-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3500-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3500-31-0x00007FFE4E1BA000-0x00007FFE4E1BB000-memory.dmp

Filesize
4KB

Download
memory/3500-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3500-33-0x00007FFE4F590000-0x00007FFE4F5A0000-memory.dmp

Filesize
64KB

Download
memory/3500-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3500-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3756-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3756-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3756-3-0x000001AB9DA20000-0x000001AB9DA27000-memory.dmp

Filesize
28KB

Download
memory/4116-65-0x0000021A1D5C0000-0x0000021A1D5C7000-memory.dmp

Filesize
28KB

Download
memory/4116-68-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4432-82-0x000002482C9D0000-0x000002482C9D7000-memory.dmp

Filesize
28KB

Download
memory/4432-85-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download