dridex | a76ff5cfd79b710ffa6ebc30766c92d0230e59e046412e012f6d5d3ff8b0e6eb

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7199547e54202ebc6bad47e5cb7ea02e_JaffaCakes118.dll
Size

1.2MB
MD5

7199547e54202ebc6bad47e5cb7ea02e
SHA1

574ce65b4d1548cafaae88fb14186ffbac7ea9cf
SHA256

a76ff5cfd79b710ffa6ebc30766c92d0230e59e046412e012f6d5d3ff8b0e6eb
SHA512

2e2401e2967a52be847b647e8f2f9e939f2d76ea9f6fae9659829719f291f260cf302328771efc077c7f56c9160e3eb99042728fbc751588052b98e07b013d1f
SSDEEP

24576:CVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:CV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3360-4-0x0000000002FF0000-0x0000000002FF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

PresentationHost.exeBitLockerWizardElev.exeSystemPropertiesDataExecutionPrevention.exeupfc.exe

pid process

4540 PresentationHost.exe
3968 BitLockerWizardElev.exe
3028 SystemPropertiesDataExecutionPrevention.exe
2836 upfc.exe
Loads dropped DLL 5 IoCs

Processes:

PresentationHost.exeBitLockerWizardElev.exeSystemPropertiesDataExecutionPrevention.exeupfc.exe

pid process

4540 PresentationHost.exe
4540 PresentationHost.exe
3968 BitLockerWizardElev.exe
3028 SystemPropertiesDataExecutionPrevention.exe
2836 upfc.exe

pid	process
4540	PresentationHost.exe
3968	BitLockerWizardElev.exe
3028	SystemPropertiesDataExecutionPrevention.exe
2836	upfc.exe

pid	process
4540	PresentationHost.exe
4540	PresentationHost.exe
3968	BitLockerWizardElev.exe
3028	SystemPropertiesDataExecutionPrevention.exe
2836	upfc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\Y1\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesDataExecutionPrevention.exeupfc.exerundll32.exeBitLockerWizardElev.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1600	rundll32.exe
1600	rundll32.exe
1600	rundll32.exe
1600	rundll32.exe
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	target process
PID 3360 wrote to memory of 1056	3360	PresentationHost.exe
PID 3360 wrote to memory of 1056	3360	PresentationHost.exe
PID 3360 wrote to memory of 4540	3360	PresentationHost.exe
PID 3360 wrote to memory of 4540	3360	PresentationHost.exe
PID 3360 wrote to memory of 756	3360	BitLockerWizardElev.exe
PID 3360 wrote to memory of 756	3360	BitLockerWizardElev.exe
PID 3360 wrote to memory of 3968	3360	BitLockerWizardElev.exe
PID 3360 wrote to memory of 3968	3360	BitLockerWizardElev.exe
PID 3360 wrote to memory of 4996	3360	SystemPropertiesDataExecutionPrevention.exe
PID 3360 wrote to memory of 4996	3360	SystemPropertiesDataExecutionPrevention.exe
PID 3360 wrote to memory of 3028	3360	SystemPropertiesDataExecutionPrevention.exe
PID 3360 wrote to memory of 3028	3360	SystemPropertiesDataExecutionPrevention.exe
PID 3360 wrote to memory of 1856	3360	upfc.exe
PID 3360 wrote to memory of 1856	3360	upfc.exe
PID 3360 wrote to memory of 2836	3360	upfc.exe
PID 3360 wrote to memory of 2836	3360	upfc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7199547e54202ebc6bad47e5cb7ea02e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:1056

C:\Users\Admin\AppData\Local\zIPYsD\PresentationHost.exe
C:\Users\Admin\AppData\Local\zIPYsD\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4540

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:756

C:\Users\Admin\AppData\Local\SkKCm\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\SkKCm\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3968

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:4996

C:\Users\Admin\AppData\Local\2jlYN\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\2jlYN\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3028

C:\Windows\system32\upfc.exe
C:\Windows\system32\upfc.exe
1⤵
PID:1856

C:\Users\Admin\AppData\Local\KCmq5Si\upfc.exe
C:\Users\Admin\AppData\Local\KCmq5Si\upfc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2jlYN\SYSDM.CPL

Filesize
1.2MB

MD5
8f1711ae9f0d0e2af39d424dba43273c

SHA1
adfa3c155ce02fdd6f4b376344d7cbdc7c009308

SHA256
aae734da860451acedbab4ce1c5f97ff34d03bca27f4ade199ca13ae94ea9abb

SHA512
279bddad74ddd6a79bb9e3ff2dc8dd7a4235d2db8cc5d7201dd7fba1d3c9e0a1e8eb4c5d983e1ed02f9e635775d19996a326ebb9cc58319e7001c17cd6d37c87

Download Submit
C:\Users\Admin\AppData\Local\2jlYN\SystemPropertiesDataExecutionPrevention.exe

Filesize
82KB

MD5
de58532954c2704f2b2309ffc320651d

SHA1
0a9fc98f4d47dccb0b231edf9a63309314f68e3b

SHA256
1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

SHA512
d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

Download Submit
C:\Users\Admin\AppData\Local\KCmq5Si\XmlLite.dll

Filesize
1.2MB

MD5
2b3e83495b2fe5fe17d5792157a528ed

SHA1
63f24113f420c353fa893050203fa853a121c2e7

SHA256
e857d28d13880a7e2431b8c9cc80ea8778e176055b725d3fbb375bfc343f6e05

SHA512
b140b19f498eb35ded075793a72dfe78f9addfc3d34829580e590749ede28adcd2f5d00b715280acfe2ab910c86c7d759ccec1a8524b6f328fc2cfd0c1cd25dd

Download Submit
C:\Users\Admin\AppData\Local\KCmq5Si\upfc.exe

Filesize
118KB

MD5
299ea296575ccb9d2c1a779062535d5c

SHA1
2497169c13b0ba46a6be8a1fe493b250094079b7

SHA256
ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

SHA512
02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

Download Submit
C:\Users\Admin\AppData\Local\SkKCm\BitLockerWizardElev.exe

Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\SkKCm\FVEWIZ.dll

Filesize
1.2MB

MD5
9fbf7272176da8cd4db70582ee4990d7

SHA1
4d2ac820f2c3c4f12866c97af9f4df44040f86d6

SHA256
384fc64b0d683f1012ee912a69a7121b6f21361382d450f78171ff6b918c1ff5

SHA512
a43405abbae5cd5b590f36103327f8892d0d8e3b3c58f91983f1d665bb7d0033fa453b51631fd9ccafd5e8a4c4c1c6a3661a60267ab54015edcfa837de0f46b8

Download Submit
C:\Users\Admin\AppData\Local\zIPYsD\PresentationHost.exe

Filesize
276KB

MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\zIPYsD\VERSION.dll

Filesize
1.2MB

MD5
40a41c48823604d0adbb3926427126fb

SHA1
0114ee2a32a8434abfdd63293c08432474181fb8

SHA256
440d7bbce0aa6ecf8713e8e297deeea024f2780d86d7e373bb3159c96fd6033e

SHA512
7cbd39fbcec1c5660b476b99932b31208c98698041fd0646474cb7e975a7330abc73b934cc1b1eb50958e43fbf2d1af3ed908351248ca473c671bbcf1deccdeb

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnk

Filesize
1KB

MD5
c93568495fc04b0fd992354558749344

SHA1
49eeadeb42ac3e2664b3f545bf5ad5ac2fd69a6b

SHA256
9a9d3e9cf3908e7c3b7d0796cf0b744c3cf556d9be64f3883bba739dd8542ffd

SHA512
cf38c3b22bf375f9a7f3974c7c4f6161f9bba0eb629b276c2cbaa09e8e002daddc9cb96705edf524002b015f806e2558aa1047e896bf762cbd457b612787fb1d

Download Submit
memory/1600-1-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1600-0-0x000002A953F90000-0x000002A953F97000-memory.dmp

Filesize
28KB

Download
memory/1600-38-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2836-93-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3028-71-0x000001D942D10000-0x000001D942D17000-memory.dmp

Filesize
28KB

Download
memory/3028-77-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3360-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-35-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-5-0x00007FF9A24AA000-0x00007FF9A24AB000-memory.dmp

Filesize
4KB

Download
memory/3360-4-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/3360-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-25-0x0000000000D40000-0x0000000000D47000-memory.dmp

Filesize
28KB

Download
memory/3360-26-0x00007FF9A4250000-0x00007FF9A4260000-memory.dmp

Filesize
64KB

Download
memory/3360-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3968-60-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3968-56-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3968-54-0x000001C0E8FB0000-0x000001C0E8FB7000-memory.dmp

Filesize
28KB

Download