dridex | 4f1f5e5b9f30d646997d0de0b5fd38fb7f4b9c877643621807910391d8466431

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8da680c2ec2b54a1a927e4e687cc44e_JaffaCakes118.dll
Size

1.2MB
MD5

b8da680c2ec2b54a1a927e4e687cc44e
SHA1

5ba391ec8c41655ebb76732dfe1b4bd470e34dc6
SHA256

4f1f5e5b9f30d646997d0de0b5fd38fb7f4b9c877643621807910391d8466431
SHA512

99925a5e56d137785c13126b2d75472cfaf7d271ea4f2d434c86544f555d208816bd97c9a2c58b2316b452cdf9bb29b695fbbc23af0ae2e56b98f38fbb37e22d
SSDEEP

24576:duYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:39cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3524-4-0x0000000002A90000-0x0000000002A91000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

usocoreworker.exewusa.exewextract.exe

pid process

1064 usocoreworker.exe
2592 wusa.exe
4808 wextract.exe
Loads dropped DLL 3 IoCs

Processes:

usocoreworker.exewusa.exewextract.exe

pid process

1064 usocoreworker.exe
2592 wusa.exe
4808 wextract.exe

resource	yara_rule
behavioral2/memory/3524-4-0x0000000002A90000-0x0000000002A91000-memory.dmp	dridex_stager_shellcode

pid	process
1064	usocoreworker.exe
2592	wusa.exe
4808	wextract.exe

pid	process
1064	usocoreworker.exe
2592	wusa.exe
4808	wextract.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Esxju = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\a9j5kcNrVW\\wusa.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

usocoreworker.exewusa.exewextract.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2244	rundll32.exe
2244	rundll32.exe
2244	rundll32.exe
2244	rundll32.exe
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524
3524

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3524
Token: SeCreatePagefilePrivilege	3524
Token: SeShutdownPrivilege	3524
Token: SeCreatePagefilePrivilege	3524
Token: SeShutdownPrivilege	3524
Token: SeCreatePagefilePrivilege	3524

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3524
3524
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3524

pid	process
3524
3524

pid	process
3524

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3524 wrote to memory of 4204	3524	usocoreworker.exe
PID 3524 wrote to memory of 4204	3524	usocoreworker.exe
PID 3524 wrote to memory of 1064	3524	usocoreworker.exe
PID 3524 wrote to memory of 1064	3524	usocoreworker.exe
PID 3524 wrote to memory of 4564	3524	wusa.exe
PID 3524 wrote to memory of 4564	3524	wusa.exe
PID 3524 wrote to memory of 2592	3524	wusa.exe
PID 3524 wrote to memory of 2592	3524	wusa.exe
PID 3524 wrote to memory of 1616	3524	wextract.exe
PID 3524 wrote to memory of 1616	3524	wextract.exe
PID 3524 wrote to memory of 4808	3524	wextract.exe
PID 3524 wrote to memory of 4808	3524	wextract.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8da680c2ec2b54a1a927e4e687cc44e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8
1⤵
PID:3280

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:4204

C:\Users\Admin\AppData\Local\8ym\usocoreworker.exe
C:\Users\Admin\AppData\Local\8ym\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1064

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:4564

C:\Users\Admin\AppData\Local\oRn7RS\wusa.exe
C:\Users\Admin\AppData\Local\oRn7RS\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2592

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:1616

C:\Users\Admin\AppData\Local\q8VCt\wextract.exe
C:\Users\Admin\AppData\Local\q8VCt\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4808

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8ym\XmlLite.dll
Filesize
1.2MB

MD5
73042d01ccbf1fd37c6de084396bece7

SHA1
fc81ba90a3b187570f9b118a024c3d3e88c4613b

SHA256
a6f0452c18cfa1bf0c9506b1286684c71918f061f553341cca4110625ac31151

SHA512
ee6f18122a696938b190296412b3e1e78dda8ec828b56b0e962e7c3b8a79564f8e99e81ba17e605ff3a1fc4fe5e73aa4e38ea76ce38a9f221e6e82ff79c8b7aa

Download Submit
C:\Users\Admin\AppData\Local\8ym\usocoreworker.exe
Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Local\oRn7RS\dpx.dll
Filesize
1.2MB

MD5
54bc8de9f1f9e8626b193f9957a4fb32

SHA1
31b941396a8b07f68ebecafcb11745c187649fdf

SHA256
a380c9a05b306ae7a7daed9ca80074587eb948d406b58b07e016ac76e4e136a2

SHA512
43c87ea2b3550a227fd991d648341778bef8c74a1257559c3f61c313849964705d81f44fd0809e3ef8183760fa16b6ca3cc83d2a388773d84e8c212d27c5b0a4

Download Submit
C:\Users\Admin\AppData\Local\oRn7RS\wusa.exe
Filesize
309KB

MD5
e43499ee2b4cf328a81bace9b1644c5d

SHA1
b2b55641f2799e3fdb3bea709c9532017bbac59d

SHA256
3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

SHA512
04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

Download Submit
C:\Users\Admin\AppData\Local\q8VCt\VERSION.dll
Filesize
1.2MB

MD5
600bd938a065d1b80358ce49b2a1a011

SHA1
c45f825fea47147abf91f8d24a2ff7809aa6f7f7

SHA256
aaa1c75528b79c4528e57686ff760d18967bbac3a3adf9e88c91fbc71989b37c

SHA512
f3c001dc1379efc4e2adeeb0cb53eabee4af43160c7a166baeecbf61de7b8c80325559addff51aa537af367987ce7fdeda9377577eea164631c551f338e5c847

Download Submit
C:\Users\Admin\AppData\Local\q8VCt\wextract.exe
Filesize
143KB

MD5
56e501e3e49cfde55eb1caabe6913e45

SHA1
ab2399cbf17dbee7b302bea49e40d4cee7caea76

SHA256
fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

SHA512
2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xpqmtuztdhk.lnk
Filesize
1KB

MD5
9338b5a17f469dc431096c42c094e50e

SHA1
78ceaafd8289958990023e6213d3ae74bd88dfb4

SHA256
f0f131f3f50331136f0d1bfd081d20d7b765970fba6487da937681a512faedb6

SHA512
16fd0b17ab123766a25a8e6dd4779733e0f50663b30dfce5a6dc88fe42768cbfad16143c0bd19ac97a2d9f91941162cb97df92abe58c3d7dd69f6b637c71a1b5

Download Submit
memory/1064-47-0x00007FF843390000-0x00007FF8434D2000-memory.dmp

Filesize
1.3MB

Download
memory/1064-53-0x00007FF843390000-0x00007FF8434D2000-memory.dmp

Filesize
1.3MB

Download
memory/1064-50-0x000001C759310000-0x000001C759317000-memory.dmp

Filesize
28KB

Download
memory/2244-0-0x00007FF853570000-0x00007FF8536B1000-memory.dmp

Filesize
1.3MB

Download
memory/2244-40-0x00007FF853570000-0x00007FF8536B1000-memory.dmp

Filesize
1.3MB

Download
memory/2244-3-0x0000024C7F470000-0x0000024C7F477000-memory.dmp

Filesize
28KB

Download
memory/2592-72-0x00007FF843390000-0x00007FF8434D2000-memory.dmp

Filesize
1.3MB

Download
memory/2592-69-0x0000022117C10000-0x0000022117C17000-memory.dmp

Filesize
28KB

Download
memory/3524-37-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-17-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-26-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-8-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-7-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-11-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-13-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-14-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-16-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-10-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-35-0x0000000002A70000-0x0000000002A77000-memory.dmp

Filesize
28KB

Download
memory/3524-36-0x00007FF860F90000-0x00007FF860FA0000-memory.dmp

Filesize
64KB

Download
memory/3524-18-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-15-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-9-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3524-4-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3524-6-0x00007FF860BAA000-0x00007FF860BAB000-memory.dmp

Filesize
4KB

Download
memory/4808-89-0x00007FF843390000-0x00007FF8434D2000-memory.dmp

Filesize
1.3MB

Download
memory/4808-85-0x0000028F735F0000-0x0000028F735F7000-memory.dmp

Filesize
28KB

Download