dridex | e27f783be3af08c4f00e2b4db7c18fe736c86979491b2fc1e849b1e5fcf97b63

Analysis

max time kernel
97s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73eb5182708f94d4d29563da6ccaccb9_JaffaCakes118.dll
Size

1.2MB
MD5

73eb5182708f94d4d29563da6ccaccb9
SHA1

2dfcfa915d7877942745d3af43fe5d017a3fb0cc
SHA256

e27f783be3af08c4f00e2b4db7c18fe736c86979491b2fc1e849b1e5fcf97b63
SHA512

c959b398348a2514752d72a5fe7e8ff66ad19e577465efac1f03fe6861f22982f0af8e7e0e1e4639f7845b58fcbb1b45f42e55fb8af1a903f37691726ebc3071
SSDEEP

24576:tuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:n9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3452-4-0x0000000006E30000-0x0000000006E31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2496	AgentService.exe
1144	LicensingUI.exe
2808	BitLockerWizardElev.exe

Loads dropped DLL 3 IoCs

pid	Process
2496	AgentService.exe
1144	LicensingUI.exe
2808	BitLockerWizardElev.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sheouyngrxr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\Managed\\DOCUME~1\\lKRRtO1c\\LICENS~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AgentService.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LicensingUI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	rundll32.exe
2248	rundll32.exe
2248	rundll32.exe
2248	rundll32.exe
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3452	Process not Found
Token: SeCreatePagefilePrivilege	3452	Process not Found
Token: SeShutdownPrivilege	3452	Process not Found
Token: SeCreatePagefilePrivilege	3452	Process not Found
Token: SeShutdownPrivilege	3452	Process not Found
Token: SeCreatePagefilePrivilege	3452	Process not Found
Token: SeShutdownPrivilege	3452	Process not Found
Token: SeCreatePagefilePrivilege	3452	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3452	Process not Found
3452	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 1612	3452	Process not Found	92
PID 3452 wrote to memory of 1612	3452	Process not Found	92
PID 3452 wrote to memory of 2496	3452	Process not Found	93
PID 3452 wrote to memory of 2496	3452	Process not Found	93
PID 3452 wrote to memory of 1416	3452	Process not Found	95
PID 3452 wrote to memory of 1416	3452	Process not Found	95
PID 3452 wrote to memory of 1144	3452	Process not Found	98
PID 3452 wrote to memory of 1144	3452	Process not Found	98
PID 3452 wrote to memory of 2264	3452	Process not Found	99
PID 3452 wrote to memory of 2264	3452	Process not Found	99
PID 3452 wrote to memory of 2808	3452	Process not Found	100
PID 3452 wrote to memory of 2808	3452	Process not Found	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\73eb5182708f94d4d29563da6ccaccb9_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2248

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:1612

C:\Users\Admin\AppData\Local\TDYzlzR\AgentService.exe
C:\Users\Admin\AppData\Local\TDYzlzR\AgentService.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2496

C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
1⤵
PID:1416

C:\Users\Admin\AppData\Local\YjgNPyo\LicensingUI.exe
C:\Users\Admin\AppData\Local\YjgNPyo\LicensingUI.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1144

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:2264

C:\Users\Admin\AppData\Local\bBi\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\bBi\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TDYzlzR\AgentService.exe

Filesize
1.2MB

MD5
f8bac206def3e87ceb8ef3cb0fb5a194

SHA1
a28ea816e7b5ca511da4576262a5887a75171276

SHA256
c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268

SHA512
8df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909

Download Submit
C:\Users\Admin\AppData\Local\TDYzlzR\VERSION.dll

Filesize
1.2MB

MD5
15c81291102a49e59d82604079abf3c1

SHA1
b1c10f5ac8c6ced36cbc426851f7100635994c9c

SHA256
8fc78c96efee3fcbbd8291921b5f71f90cb7e510abfd3237d588df61f8cb45c0

SHA512
47b77fe9197997113fef40f8048a5d6b5a2a21a33cc5572eeff18c21ea367d3a1edd76aea92596c2cc2b24cb624ace5e86faf769133330483f519a2fe2296873

Download Submit
C:\Users\Admin\AppData\Local\YjgNPyo\DUI70.dll

Filesize
1.4MB

MD5
fa1a54dfacbbeb9d3b7e4a73b1d3c994

SHA1
88ffb1f007a80213e185572774a58e3c9d3cca4a

SHA256
520831909e2f4a10b912bed2bf30235989dcae8cf44c69da581cc266fef9a7f1

SHA512
96bd727458bcda9a1274faacb9eff495e4db50acd1f48c7098635f27d0932d423a1be9b49b3f1b622305a8ac46c01fcac6e5077d2b0d9e3743c760b1682d0b58

Download Submit
C:\Users\Admin\AppData\Local\YjgNPyo\LicensingUI.exe

Filesize
142KB

MD5
8b4abc637473c79a003d30bb9c7a05e5

SHA1
d1cab953c16d4fdec2b53262f56ac14a914558ca

SHA256
0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

SHA512
5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

Download Submit
C:\Users\Admin\AppData\Local\bBi\BitLockerWizardElev.exe

Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\bBi\FVEWIZ.dll

Filesize
1.2MB

MD5
fc70f5245ca63f049b9f2c530fa6f05b

SHA1
2b18970a9264980e2cb3d2fcd65d6634c1a5fbc3

SHA256
be4eb9e3757dbed4dbbfede189d8d92456508e52fe8688dda661dd120be76a88

SHA512
77bb325184cdf3acf8492b4e47507d1d2175e428f66a78f5b48cacac8b9d7d1a18790f3d899361824399abe4c59f514e7c982879f06c9bbc3a93999f4572ffdb

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zkmqfrdydbun.lnk

Filesize
1KB

MD5
a2cc006556da01a2e1e1d9262e4a2254

SHA1
fdabb761c79c8c6878d5c83c36225bac6beba8b9

SHA256
256a133fff0463b18271be28e780918f720e2653b1217a88a4bf94b054dc4206

SHA512
fcc2fa4fa0c94e95b6232256532794b432e426f7573ac024977939790875018cacc7d9af24a56eb9f38c72e94cfa4b8e998b5e6ecb63285a2a91a7fb52c4c9ad

Download Submit
memory/1144-62-0x0000015A6A330000-0x0000015A6A337000-memory.dmp

Filesize
28KB

Download
memory/1144-68-0x00007FF8D7DF0000-0x00007FF8D7F66000-memory.dmp

Filesize
1.5MB

Download
memory/1144-63-0x00007FF8D7DF0000-0x00007FF8D7F66000-memory.dmp

Filesize
1.5MB

Download
memory/2248-0-0x00007FF8E70C0000-0x00007FF8E71F0000-memory.dmp

Filesize
1.2MB

Download
memory/2248-3-0x000001C6E6E00000-0x000001C6E6E07000-memory.dmp

Filesize
28KB

Download
memory/2248-38-0x00007FF8E70C0000-0x00007FF8E71F0000-memory.dmp

Filesize
1.2MB

Download
memory/2496-45-0x00007FF8D8180000-0x00007FF8D82B1000-memory.dmp

Filesize
1.2MB

Download
memory/2496-51-0x00007FF8D8180000-0x00007FF8D82B1000-memory.dmp

Filesize
1.2MB

Download
memory/2496-48-0x000001E1353D0000-0x000001E1353D7000-memory.dmp

Filesize
28KB

Download
memory/2808-82-0x000001EEDA520000-0x000001EEDA527000-memory.dmp

Filesize
28KB

Download
memory/2808-79-0x00007FF8D7E30000-0x00007FF8D7F61000-memory.dmp

Filesize
1.2MB

Download
memory/2808-85-0x00007FF8D7E30000-0x00007FF8D7F61000-memory.dmp

Filesize
1.2MB

Download
memory/3452-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3452-4-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/3452-6-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3452-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3452-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3452-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3452-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3452-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3452-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3452-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3452-23-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3452-27-0x00007FF8F5D3A000-0x00007FF8F5D3B000-memory.dmp

Filesize
4KB

Download
memory/3452-28-0x0000000006E10000-0x0000000006E17000-memory.dmp

Filesize
28KB

Download
memory/3452-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3452-29-0x00007FF8F6910000-0x00007FF8F6920000-memory.dmp

Filesize
64KB

Download
memory/3452-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download