dridex | 3b2d01d04f1d9eac4c480c16befd364cdd797febe47b96ad4a78380af63cf33f

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eba1f3e3c4d522681391430b61ebf5e_JaffaCakes118.dll
Size

1.2MB
MD5

2eba1f3e3c4d522681391430b61ebf5e
SHA1

fa261d032dff878e2b05185a88ff061f2ad8cc79
SHA256

3b2d01d04f1d9eac4c480c16befd364cdd797febe47b96ad4a78380af63cf33f
SHA512

e35975deb8ec44d47cff6ca13407511b8dca41706069ab975c28e8f606c62b908e7e6c8298e0e975a4cb4f816f4314de895e6065eea819351384e6023227bf33
SSDEEP

24576:2uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:29cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3512-4-0x0000000003100000-0x0000000003101000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2928	slui.exe
1824	BitLockerWizardElev.exe
3472	Taskmgr.exe

Loads dropped DLL 3 IoCs

pid	Process
2928	slui.exe
1824	BitLockerWizardElev.exe
3472	Taskmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3881032017-2947584075-2120384563-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ofwfdysxg = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\nZ5wqfU\\BITLOC~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
224	rundll32.exe
224	rundll32.exe
224	rundll32.exe
224	rundll32.exe
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found
3512	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 1996	3512	Process not Found	84
PID 3512 wrote to memory of 1996	3512	Process not Found	84
PID 3512 wrote to memory of 2928	3512	Process not Found	85
PID 3512 wrote to memory of 2928	3512	Process not Found	85
PID 3512 wrote to memory of 536	3512	Process not Found	86
PID 3512 wrote to memory of 536	3512	Process not Found	86
PID 3512 wrote to memory of 1824	3512	Process not Found	87
PID 3512 wrote to memory of 1824	3512	Process not Found	87
PID 3512 wrote to memory of 2948	3512	Process not Found	88
PID 3512 wrote to memory of 2948	3512	Process not Found	88
PID 3512 wrote to memory of 3472	3512	Process not Found	89
PID 3512 wrote to memory of 3472	3512	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eba1f3e3c4d522681391430b61ebf5e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:224

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:1996

C:\Users\Admin\AppData\Local\dsOHoIrlh\slui.exe
C:\Users\Admin\AppData\Local\dsOHoIrlh\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2928

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:536

C:\Users\Admin\AppData\Local\buY2hc7P\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\buY2hc7P\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1824

C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
1⤵
PID:2948

C:\Users\Admin\AppData\Local\Op5XUVlSp\Taskmgr.exe
C:\Users\Admin\AppData\Local\Op5XUVlSp\Taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Op5XUVlSp\DUI70.dll

Filesize
1.4MB

MD5
5ae62c2ffd5208f265521270938286a5

SHA1
1d245ca2c268aff3a7b5febc4f85dfc41582d672

SHA256
49449e95de4beec16930bb8076e22774ff54d18a6fe2d50dc2ea13dc67b9767e

SHA512
d0896436b310a24772b624b329ac0357cc251b387b21fce55df75eac2497cef532e708f6b934ce75a289376da3fa1a0bcf48c8745a812c18de167ef5a2ae9268

Download Submit
C:\Users\Admin\AppData\Local\Op5XUVlSp\Taskmgr.exe

Filesize
1.2MB

MD5
58d5bc7895f7f32ee308e34f06f25dd5

SHA1
7a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4

SHA256
4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478

SHA512
872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9

Download Submit
C:\Users\Admin\AppData\Local\buY2hc7P\BitLockerWizardElev.exe

Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\buY2hc7P\FVEWIZ.dll

Filesize
1.2MB

MD5
65694730f2ad168209481e79bb5fb40a

SHA1
821f95acc6127c26eea869e0991b8477dca42da5

SHA256
7e3322988d09dd8831a564077d995f1911b3e6a04eec9497934f5090ccd56274

SHA512
dfadaa3977b2e5b9e97480497e61ab040abc0f0141b4cfbb805739d81a66b3992cad5c950122c6a47852c9d82c4f2c4cee9a763399febfed1a73ed20047156cc

Download Submit
C:\Users\Admin\AppData\Local\dsOHoIrlh\WINBRAND.dll

Filesize
1.2MB

MD5
aae8385e26535806e734e560102b692e

SHA1
70cce79de6699a21715b8eafc53d1ac20771283f

SHA256
07700cda1dbb641ba93cd89f9396465494728c98e1629660c3c497ef6cffad31

SHA512
0547d5457fb54994ce3c9170a8bdda7f04303fca997a00668c5b3d0bf680d22aa589d632097e58921eb4fb9859b842ecb7da475d5865484e5134518ef8df9944

Download Submit
C:\Users\Admin\AppData\Local\dsOHoIrlh\slui.exe

Filesize
534KB

MD5
eb725ea35a13dc18eac46aa81e7f2841

SHA1
c0b3304c970324952e18c4a51073e3bdec73440b

SHA256
25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

SHA512
39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Evbxgkmeevkeagz.lnk

Filesize
1KB

MD5
897b6c8e9cdb11f67d72bdf57788d12b

SHA1
ec55c3d1430c52fc5b3ac9d8d7ca2efd589c5c5e

SHA256
2ff2b0dba880de27add1e6fc1784be7c87dc267b025c15256e071bcca18cb55b

SHA512
991523246f6e663f9cf58dbc6c7eb384fcf492cccee3cafd334b286e6abe2dc8cb1ef546d326fb5f92b2665c9ba9b57d7eacef2b0b05929576674bec8fee6954

Download Submit
memory/224-38-0x00007FF974BD0000-0x00007FF974D00000-memory.dmp

Filesize
1.2MB

Download
memory/224-3-0x0000023731DF0000-0x0000023731DF7000-memory.dmp

Filesize
28KB

Download
memory/224-1-0x00007FF974BD0000-0x00007FF974D00000-memory.dmp

Filesize
1.2MB

Download
memory/1824-68-0x00007FF974BC0000-0x00007FF974CF1000-memory.dmp

Filesize
1.2MB

Download
memory/1824-65-0x000001DE94820000-0x000001DE94827000-memory.dmp

Filesize
28KB

Download
memory/2928-51-0x00007FF974BC0000-0x00007FF974CF1000-memory.dmp

Filesize
1.2MB

Download
memory/2928-46-0x00007FF974BC0000-0x00007FF974CF1000-memory.dmp

Filesize
1.2MB

Download
memory/2928-45-0x0000022B3DA30000-0x0000022B3DA37000-memory.dmp

Filesize
28KB

Download
memory/3472-79-0x00007FF974960000-0x00007FF974AD6000-memory.dmp

Filesize
1.5MB

Download
memory/3472-84-0x00007FF974960000-0x00007FF974AD6000-memory.dmp

Filesize
1.5MB

Download
memory/3512-33-0x00000000029B0000-0x00000000029B7000-memory.dmp

Filesize
28KB

Download
memory/3512-6-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-32-0x00007FF9818DA000-0x00007FF9818DB000-memory.dmp

Filesize
4KB

Download
memory/3512-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-34-0x00007FF982E50000-0x00007FF982E60000-memory.dmp

Filesize
64KB

Download
memory/3512-23-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3512-4-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download