dridex | e5fcac5911dd1633ceac928cc930e5041484bdb95ebb4dba5103d2add754f741

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

334adbca3e999c94a0bffe4648723a0c_JaffaCakes118.dll
Size

1.2MB
MD5

334adbca3e999c94a0bffe4648723a0c
SHA1

2d7306300ac5a1664cb91635ab3c3d6f99b7d4bb
SHA256

e5fcac5911dd1633ceac928cc930e5041484bdb95ebb4dba5103d2add754f741
SHA512

f42d2a5fc6c89e6a897f1733d85fbd096b7c702ee92edf7b8182e60efe27cade4fb2ed62e95752fefe9b136f910ec63e7cad7f4ddff7492a2378880dc9ed3fbf
SSDEEP

24576:muYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:G9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3500-4-0x0000000001080000-0x0000000001081000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4576	LicensingUI.exe
4020	SysResetErr.exe
5032	BitLockerWizard.exe

Loads dropped DLL 3 IoCs

pid	Process
4576	LicensingUI.exe
4020	SysResetErr.exe
5032	BitLockerWizard.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bapkbs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\5guKT\\SysResetErr.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LicensingUI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3336	rundll32.exe
3336	rundll32.exe
3336	rundll32.exe
3336	rundll32.exe
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 2056	3500	Process not Found	84
PID 3500 wrote to memory of 2056	3500	Process not Found	84
PID 3500 wrote to memory of 4576	3500	Process not Found	85
PID 3500 wrote to memory of 4576	3500	Process not Found	85
PID 3500 wrote to memory of 3316	3500	Process not Found	86
PID 3500 wrote to memory of 3316	3500	Process not Found	86
PID 3500 wrote to memory of 4020	3500	Process not Found	87
PID 3500 wrote to memory of 4020	3500	Process not Found	87
PID 3500 wrote to memory of 3292	3500	Process not Found	88
PID 3500 wrote to memory of 3292	3500	Process not Found	88
PID 3500 wrote to memory of 5032	3500	Process not Found	89
PID 3500 wrote to memory of 5032	3500	Process not Found	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\334adbca3e999c94a0bffe4648723a0c_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3336

C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
1⤵
PID:2056

C:\Users\Admin\AppData\Local\a2h\LicensingUI.exe
C:\Users\Admin\AppData\Local\a2h\LicensingUI.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4576

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:3316

C:\Users\Admin\AppData\Local\tpBHcGz\SysResetErr.exe
C:\Users\Admin\AppData\Local\tpBHcGz\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4020

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:3292

C:\Users\Admin\AppData\Local\kVbu\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\kVbu\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\a2h\DUI70.dll

Filesize
1.4MB

MD5
d8eb0d7036671b9851bb590f6b582609

SHA1
06921aaebe47e7d26cb9aeba391850c8df854711

SHA256
f6fde28230a419dafded865dcc50bf642452470827351130d566035b2f5500fe

SHA512
f56000b5e8c80532c9d33f22421a255889323d251abfc84864cc090d99bf30e0ab6aa9422ad483df9e7deef8e2ab8d77224b0bc127827323510e7967d19288ab

Download Submit
C:\Users\Admin\AppData\Local\a2h\LicensingUI.exe

Filesize
142KB

MD5
8b4abc637473c79a003d30bb9c7a05e5

SHA1
d1cab953c16d4fdec2b53262f56ac14a914558ca

SHA256
0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

SHA512
5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

Download Submit
C:\Users\Admin\AppData\Local\kVbu\BitLockerWizard.exe

Filesize
100KB

MD5
6d30c96f29f64b34bc98e4c81d9b0ee8

SHA1
4a3adc355f02b9c69bdbe391bfb01469dee15cf0

SHA256
7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

SHA512
25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

Download Submit
C:\Users\Admin\AppData\Local\kVbu\FVEWIZ.dll

Filesize
1.2MB

MD5
3309a2b189b24c6536532f86371e6039

SHA1
fb37acd09a20f21145dccf693eb9d9238743369a

SHA256
1f5d119b472802f2c5f84e58472a94f0b7df83621e122586ca9b601dae0ff9a2

SHA512
9b5811f53d3ecafdf288b58697b94faeef1ab84c32f1f8637afbdc7923f0837b69cb81ba0e0b3b345e133e3c8221255732e8a621b22679cb0d3d37b391f5dfaf

Download Submit
C:\Users\Admin\AppData\Local\tpBHcGz\DUI70.dll

Filesize
1.4MB

MD5
7335f547b54e69931e9b831a54f58c86

SHA1
6423fa790e0d13357ecd7a57b049083eb283173b

SHA256
82ba4dd84aa4ed363c131f8f4a013e3954e594d9d9de8cbe3f7f8e7e6920893a

SHA512
556eddd795fc7af64ab2b2a283ceb5e65185e2b63783a75e8205a52ea495829ab7eb1bf3bf36db1fb08939e430fd9b12770f00708b232d9ae954e633d60f6e66

Download Submit
C:\Users\Admin\AppData\Local\tpBHcGz\SysResetErr.exe

Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Vmoyh.lnk

Filesize
1KB

MD5
584b5e403e5f93de31696d80bad9903c

SHA1
c705b922da57d960cda500ea2fbf368fb557a8b0

SHA256
480b73474dee07d37a9d0234b9865421ec839ed07fdc486741a61acc2bb05fd7

SHA512
3aed9ed2886634f38fc1ededc1252c2f8f7707182e59ad3c0eec30467ec03c6c09a3b1dedc24788a26da23e4203df5eabf509a0a6f9c407d833d0b11c816cf97

Download Submit
memory/3336-1-0x00007FF87B8D0000-0x00007FF87BA01000-memory.dmp

Filesize
1.2MB

Download
memory/3336-3-0x000001C994C60000-0x000001C994C67000-memory.dmp

Filesize
28KB

Download
memory/3336-39-0x00007FF87B8D0000-0x00007FF87BA01000-memory.dmp

Filesize
1.2MB

Download
memory/3500-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-33-0x00007FF88B0AA000-0x00007FF88B0AB000-memory.dmp

Filesize
4KB

Download
memory/3500-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-4-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/3500-6-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3500-34-0x0000000000E90000-0x0000000000E97000-memory.dmp

Filesize
28KB

Download
memory/3500-35-0x00007FF88B130000-0x00007FF88B140000-memory.dmp

Filesize
64KB

Download
memory/4020-66-0x0000024F76EC0000-0x0000024F76EC7000-memory.dmp

Filesize
28KB

Download
memory/4020-69-0x00007FF87BC10000-0x00007FF87BD87000-memory.dmp

Filesize
1.5MB

Download
memory/4576-52-0x00007FF87BC10000-0x00007FF87BD87000-memory.dmp

Filesize
1.5MB

Download
memory/4576-47-0x00007FF87BC10000-0x00007FF87BD87000-memory.dmp

Filesize
1.5MB

Download
memory/4576-46-0x0000023949760000-0x0000023949767000-memory.dmp

Filesize
28KB

Download
memory/5032-80-0x00007FF87BC50000-0x00007FF87BD82000-memory.dmp

Filesize
1.2MB

Download
memory/5032-83-0x00000204EFBB0000-0x00000204EFBB7000-memory.dmp

Filesize
28KB

Download
memory/5032-86-0x00007FF87BC50000-0x00007FF87BD82000-memory.dmp

Filesize
1.2MB

Download