dridex | 57aebefa5e25857379598239bf44620b3cc86347e87215c1f2e08581f5af4d89

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9b6b51144875ab0e2b29256a5de1483_JaffaCakes118.dll
Size

1.2MB
MD5

b9b6b51144875ab0e2b29256a5de1483
SHA1

fa894de7d15f6ea99a125c52fae5a468f51d27a4
SHA256

57aebefa5e25857379598239bf44620b3cc86347e87215c1f2e08581f5af4d89
SHA512

45696f27dbcf76f3656622b43e7c2dc1df5c69f9a4c28122d1a0cab4945a5842f8daac1855d0e143d631a096bec5fe630dc7211b225ede8657a5c61d4a471f63
SSDEEP

24576:KuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NhOO:S9cKrUqZWLAcU8O

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1068-5-0x0000000002D90000-0x0000000002D91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

BdeUISrv.exeiexpress.exeiexpress.exe

pid	Process
2940	BdeUISrv.exe
3036	iexpress.exe
2020	iexpress.exe

Loads dropped DLL 7 IoCs

Processes:

BdeUISrv.exeiexpress.exeiexpress.exe

pid	Process
1068
2940	BdeUISrv.exe
1068
3036	iexpress.exe
1068
2020	iexpress.exe
1068

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qdgopofbxbljb = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\V2DmrsMIZz\\iexpress.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BdeUISrv.exeiexpress.exeiexpress.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	Process
2436	regsvr32.exe
2436	regsvr32.exe
2436	regsvr32.exe
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1068 wrote to memory of 2896	1068	31
PID 1068 wrote to memory of 2896	1068	31
PID 1068 wrote to memory of 2896	1068	31
PID 1068 wrote to memory of 2940	1068	32
PID 1068 wrote to memory of 2940	1068	32
PID 1068 wrote to memory of 2940	1068	32
PID 1068 wrote to memory of 2776	1068	33
PID 1068 wrote to memory of 2776	1068	33
PID 1068 wrote to memory of 2776	1068	33
PID 1068 wrote to memory of 3036	1068	34
PID 1068 wrote to memory of 3036	1068	34
PID 1068 wrote to memory of 3036	1068	34
PID 1068 wrote to memory of 2676	1068	35
PID 1068 wrote to memory of 2676	1068	35
PID 1068 wrote to memory of 2676	1068	35
PID 1068 wrote to memory of 2020	1068	36
PID 1068 wrote to memory of 2020	1068	36
PID 1068 wrote to memory of 2020	1068	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b9b6b51144875ab0e2b29256a5de1483_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2436

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:2896

C:\Users\Admin\AppData\Local\o60Dhux\BdeUISrv.exe
C:\Users\Admin\AppData\Local\o60Dhux\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2940

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2776

C:\Users\Admin\AppData\Local\vJM7tyE\iexpress.exe
C:\Users\Admin\AppData\Local\vJM7tyE\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3036

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2676

C:\Users\Admin\AppData\Local\vigOr7\iexpress.exe
C:\Users\Admin\AppData\Local\vigOr7\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\o60Dhux\WTSAPI32.dll

Filesize
1.2MB

MD5
7b4bf2c88fa9dfb0ee5111976e8ffccf

SHA1
56c17be18f67e85aad4f9e6a57abfff32e8424d6

SHA256
efa7cdeb0ffabd9eca1d0bd1655011a7c1ac16cd02faa4580c5595fc105b637e

SHA512
8bdca3a5af8adab551a910c3b7ca5b093e2b98d9cae0d061eadc1403e39e3522686150cdf4a7a1cdeb7a8916ee215c4184f4debf270550d28643cb5fcbd2c777

Download Submit
C:\Users\Admin\AppData\Local\vJM7tyE\VERSION.dll

Filesize
1.2MB

MD5
34413851b45841e562c091a9f99ef7a6

SHA1
cbd24ee54c0b338c7286639e8c5de19c48cb12fe

SHA256
dfeb35d44517daacdd4a9f64c7219423355123ad2048dc4d38f221b66904704a

SHA512
9985c721b5e12ccc814b0036742a895268b496ec4fd8c0e912c3b4424f87cb60f514faa8ec9ffab1d651e4896a165c9133bbf0cda4c64cf8653d72d583d88044

Download Submit
C:\Users\Admin\AppData\Local\vigOr7\VERSION.dll

Filesize
1.2MB

MD5
9a0ab14f5fe29fad7d52aeb05f096e1b

SHA1
c67638172aa1f41e284d01858af9d7c8bd749e56

SHA256
d9a6379b8b7051891a630d131a064735922472d023250a2aec34043b4091a046

SHA512
1ea353854dfd27e22c9b91debe776952e8c6112d8e35de46b0b735beedce0588fa005bac6bbf553229c103ec2fb8303b881ac2e3e4d24a4ac848698c35606f7a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dzyzbjcaevupvd.lnk

Filesize
1KB

MD5
6153b742aed95c5f298c83f0a7137363

SHA1
66a8923f75100322a5c9690573aa61043a3fc488

SHA256
a32a9fbf2f4d82519024c3815bb114eef4c616879b8bb92c3ea3922ffa1434cb

SHA512
f251e624abcc46fdc7ca8a8f3754a86d92582e109adb542875ec085c92864acdcefdfbdb9df26acfb709a1651fde2b256ed4bc70b576755b91225e082276ca69

Download Submit
\Users\Admin\AppData\Local\o60Dhux\BdeUISrv.exe

Filesize
47KB

MD5
1da6b19be5d4949c868a264bc5e74206

SHA1
d5ee86ba03a03ef8c93d93accafe40461084c839

SHA256
00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

SHA512
9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

Download Submit
\Users\Admin\AppData\Local\vJM7tyE\iexpress.exe

Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
memory/1068-9-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-11-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-29-0x00000000773E1000-0x00000000773E2000-memory.dmp

Filesize
4KB

Download
memory/1068-34-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-33-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-15-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-26-0x0000000002CF0000-0x0000000002CF7000-memory.dmp

Filesize
28KB

Download
memory/1068-25-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-14-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-13-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-12-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-10-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-4-0x00000000772D6000-0x00000000772D7000-memory.dmp

Filesize
4KB

Download
memory/1068-8-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-7-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-5-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1068-43-0x00000000772D6000-0x00000000772D7000-memory.dmp

Filesize
4KB

Download
memory/1068-16-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-17-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/1068-30-0x0000000077570000-0x0000000077572000-memory.dmp

Filesize
8KB

Download
memory/2020-87-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2020-93-0x000007FEF6760000-0x000007FEF6898000-memory.dmp

Filesize
1.2MB

Download
memory/2436-42-0x000007FEF72A0000-0x000007FEF73D7000-memory.dmp

Filesize
1.2MB

Download
memory/2436-0-0x000007FEF72A0000-0x000007FEF73D7000-memory.dmp

Filesize
1.2MB

Download
memory/2436-3-0x0000000000140000-0x0000000000147000-memory.dmp

Filesize
28KB

Download
memory/2940-52-0x000007FEF72A0000-0x000007FEF73D8000-memory.dmp

Filesize
1.2MB

Download
memory/2940-57-0x000007FEF72A0000-0x000007FEF73D8000-memory.dmp

Filesize
1.2MB

Download
memory/2940-51-0x0000000001CA0000-0x0000000001CA7000-memory.dmp

Filesize
28KB

Download
memory/3036-69-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/3036-70-0x000007FEF6760000-0x000007FEF6898000-memory.dmp

Filesize
1.2MB

Download
memory/3036-75-0x000007FEF6760000-0x000007FEF6898000-memory.dmp

Filesize
1.2MB

Download