dridex | 5f809c22a4793c5f79ce37d5621580998d890837537e420d638ef1681964220d

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b79de8bd575fd4c340b9fa4352696533_JaffaCakes118.dll
Size

1.2MB
MD5

b79de8bd575fd4c340b9fa4352696533
SHA1

7e1b2fab1003993cb117cae87b239b42e657a56d
SHA256

5f809c22a4793c5f79ce37d5621580998d890837537e420d638ef1681964220d
SHA512

1d573f55c41b7315076e602eccc5a5830fc284e63df96863350c19cb21f363703759ab404a324298ee9c4731b9399041814c5d53e194f15bc21c486118cf5d0a
SSDEEP

24576:vuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:R9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1392-5-0x0000000002A40000-0x0000000002A41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

psr.exeslui.exelpksetup.exe

pid	Process
1824	psr.exe
2660	slui.exe
2496	lpksetup.exe

Loads dropped DLL 7 IoCs

Processes:

psr.exeslui.exelpksetup.exe

pid	Process
1392
1824	psr.exe
1392
2660	slui.exe
1392
2496	lpksetup.exe
1392

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wsagbppvydnjcs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\czyW3\\slui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exepsr.exeslui.exelpksetup.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
3048	rundll32.exe
3048	rundll32.exe
3048	rundll32.exe
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392
1392

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1392 wrote to memory of 2944	1392	29
PID 1392 wrote to memory of 2944	1392	29
PID 1392 wrote to memory of 2944	1392	29
PID 1392 wrote to memory of 1824	1392	30
PID 1392 wrote to memory of 1824	1392	30
PID 1392 wrote to memory of 1824	1392	30
PID 1392 wrote to memory of 1696	1392	31
PID 1392 wrote to memory of 1696	1392	31
PID 1392 wrote to memory of 1696	1392	31
PID 1392 wrote to memory of 2660	1392	32
PID 1392 wrote to memory of 2660	1392	32
PID 1392 wrote to memory of 2660	1392	32
PID 1392 wrote to memory of 1204	1392	33
PID 1392 wrote to memory of 1204	1392	33
PID 1392 wrote to memory of 1204	1392	33
PID 1392 wrote to memory of 2496	1392	34
PID 1392 wrote to memory of 2496	1392	34
PID 1392 wrote to memory of 2496	1392	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b79de8bd575fd4c340b9fa4352696533_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3048

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:2944

C:\Users\Admin\AppData\Local\ZocUg\psr.exe
C:\Users\Admin\AppData\Local\ZocUg\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1824

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:1696

C:\Users\Admin\AppData\Local\lIPg5BVxZ\slui.exe
C:\Users\Admin\AppData\Local\lIPg5BVxZ\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2660

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:1204

C:\Users\Admin\AppData\Local\PXOUBRS5\lpksetup.exe
C:\Users\Admin\AppData\Local\PXOUBRS5\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PXOUBRS5\dpx.dll

Filesize
1.2MB

MD5
f03bcd741ffb114360bb79b7e6d6c7bc

SHA1
3a968f402cf96d24a22665bf7d5e82f71714a21b

SHA256
428c64e08014e6fbeb733491c22bdef1ef78b54a25cd9f88603b9ef7d723b245

SHA512
a2fad6f77b38033d734fb08f012e0190a273498292bfd60513f6b9b5a08c257c8fd5f3604bda0ab704e9851e2e9aa1aeaea4ed7510fe75af1e1be93ade52e893

Download Submit
C:\Users\Admin\AppData\Local\lIPg5BVxZ\slc.dll

Filesize
1.2MB

MD5
68e21457077a0dfc2ab879c33f1759fc

SHA1
58a1c868e7f885a856f7a7ec108ef5d67c7ab115

SHA256
d3ae0e51d02f691347ca5e6d5b6bcbb6f9f63f7fa1e37b238d0b5783ed55e9f2

SHA512
619a8b50a4e47a9066111ccfe1ec6b71ae0f6ea5275f21806e054abc9d4accc431fc3d9bad2d8be11ceacb4c998e4840a89ef9f76cb4283335093bf4852c122d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ewnqrlgibmqii.lnk

Filesize
1KB

MD5
7660bc6def89c2f4037ca48994a887d2

SHA1
ad4ebb4e6289b6e8bdaccbb8849cfbc30f75a0ae

SHA256
6716fd6cbab145151eaf9fabc1021a742feabc1ce64d7e27dcf60bf41488260f

SHA512
354de4354dd82031cd597f87cea6f8c0d9d77718812027102529fa97be479366410f5a705b959521165787fcd91a45fe65f0067d73d18cb2df87c24430699971

Download Submit
\Users\Admin\AppData\Local\PXOUBRS5\lpksetup.exe

Filesize
638KB

MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
\Users\Admin\AppData\Local\ZocUg\OLEACC.dll

Filesize
1.2MB

MD5
bb874ec7daea6881c785887436fa65f8

SHA1
7e21e31a77b57f4e740914bb72ef8b452d0d73d8

SHA256
e7bac47acd4d031f69d29ab2e519280182f00f4a2e5f8d5431bb83f867fa97a3

SHA512
ac841067321f59aeed5ddd9c5641feb097d26a4d8aabb939ccc39b3393e66f3d36cb56ab378b90df0f1b05f788e31861a8a759d08ddec1c692ea0091b3457242

Download Submit
\Users\Admin\AppData\Local\ZocUg\psr.exe

Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
\Users\Admin\AppData\Local\lIPg5BVxZ\slui.exe

Filesize
341KB

MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
memory/1392-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1392-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1392-4-0x0000000077116000-0x0000000077117000-memory.dmp

Filesize
4KB

Download
memory/1392-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1392-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1392-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1392-25-0x0000000002A20000-0x0000000002A27000-memory.dmp

Filesize
28KB

Download
memory/1392-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1392-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1392-30-0x00000000773B0000-0x00000000773B2000-memory.dmp

Filesize
8KB

Download
memory/1392-29-0x0000000077221000-0x0000000077222000-memory.dmp

Filesize
4KB

Download
memory/1392-36-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1392-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1392-5-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1392-46-0x0000000077116000-0x0000000077117000-memory.dmp

Filesize
4KB

Download
memory/1392-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1392-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1392-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1392-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1824-60-0x000007FEF7570000-0x000007FEF76A1000-memory.dmp

Filesize
1.2MB

Download
memory/1824-55-0x000007FEF7570000-0x000007FEF76A1000-memory.dmp

Filesize
1.2MB

Download
memory/1824-54-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2496-90-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2496-96-0x000007FEF7440000-0x000007FEF7571000-memory.dmp

Filesize
1.2MB

Download
memory/2660-72-0x000007FEF7440000-0x000007FEF7571000-memory.dmp

Filesize
1.2MB

Download
memory/2660-75-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2660-78-0x000007FEF7440000-0x000007FEF7571000-memory.dmp

Filesize
1.2MB

Download
memory/3048-45-0x000007FEF7450000-0x000007FEF7580000-memory.dmp

Filesize
1.2MB

Download
memory/3048-0-0x0000000000530000-0x0000000000537000-memory.dmp

Filesize
28KB

Download
memory/3048-2-0x000007FEF7450000-0x000007FEF7580000-memory.dmp

Filesize
1.2MB

Download