dridex | dc19cb70f3b01ea32e03808948037934c7d98035aa0eb12538c3d2472ac8e452

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb3f80224ccb963c44b6fd5c32407490_JaffaCakes118.dll
Size

1.2MB
MD5

bb3f80224ccb963c44b6fd5c32407490
SHA1

4d1b454fb9b0fa8e0972f2c3b853e2b2daa025ce
SHA256

dc19cb70f3b01ea32e03808948037934c7d98035aa0eb12538c3d2472ac8e452
SHA512

bcd0e1373cef696f182ea97b0b9948e7a28017c7000a96a18bea130ea253c18c2d9a386455bd6ba04e3f5880e0e7844e24e47706b0cf85bfcdf7facb326efb56
SSDEEP

24576:zuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:99cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-5-0x0000000002E00000-0x0000000002E01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

BitLockerWizard.exeSystemPropertiesAdvanced.exeslui.exe

pid	Process
2568	BitLockerWizard.exe
2596	SystemPropertiesAdvanced.exe
1036	slui.exe

Loads dropped DLL 7 IoCs

Processes:

BitLockerWizard.exeSystemPropertiesAdvanced.exeslui.exe

pid	Process
1204
2568	BitLockerWizard.exe
1204
2596	SystemPropertiesAdvanced.exe
1204
1036	slui.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tlngny = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\Nl\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

slui.exerundll32.exeBitLockerWizard.exeSystemPropertiesAdvanced.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1204 wrote to memory of 2648	1204	31
PID 1204 wrote to memory of 2648	1204	31
PID 1204 wrote to memory of 2648	1204	31
PID 1204 wrote to memory of 2568	1204	32
PID 1204 wrote to memory of 2568	1204	32
PID 1204 wrote to memory of 2568	1204	32
PID 1204 wrote to memory of 2548	1204	33
PID 1204 wrote to memory of 2548	1204	33
PID 1204 wrote to memory of 2548	1204	33
PID 1204 wrote to memory of 2596	1204	34
PID 1204 wrote to memory of 2596	1204	34
PID 1204 wrote to memory of 2596	1204	34
PID 1204 wrote to memory of 1052	1204	35
PID 1204 wrote to memory of 1052	1204	35
PID 1204 wrote to memory of 1052	1204	35
PID 1204 wrote to memory of 1036	1204	36
PID 1204 wrote to memory of 1036	1204	36
PID 1204 wrote to memory of 1036	1204	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb3f80224ccb963c44b6fd5c32407490_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:2648

C:\Users\Admin\AppData\Local\8Vu9BA\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\8Vu9BA\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2568

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:2548

C:\Users\Admin\AppData\Local\AYOOv\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\AYOOv\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2596

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:1052

C:\Users\Admin\AppData\Local\Up4w3ITnM\slui.exe
C:\Users\Admin\AppData\Local\Up4w3ITnM\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8Vu9BA\FVEWIZ.dll

Filesize
1.2MB

MD5
3506198a1d3936dade2194ef268e4242

SHA1
82f539eeba5dfee9766edcdc7beeda490f7ddd19

SHA256
95b277cd9a71d5aa0e143219d850131c8c86f0a31189b53aab687a6d907e5e05

SHA512
84f3f48e46aca1fba2e9c9120682c6419974d67e1fad0b1a38666a78fbbbac895314b4dce9193bc1614c03733ff120a43179125af73963898fe6bb0cfa14a4ff

Download Submit
C:\Users\Admin\AppData\Local\AYOOv\SYSDM.CPL

Filesize
1.2MB

MD5
00043bdd2f80cadead77e9f5c6adb1e8

SHA1
23fe995cf5e9b862b200f8a83d0ac599b400347a

SHA256
66dfab907e7b35e811892ad7ec19d54a648c97e662a22ec2154a2fa65ed677ed

SHA512
9005c10afb5a0e2d7e30522af5d05c0f8b7279a8d9fd83af2a6da220b7b1181fd15c052ba1a8b2042c3321e73531abdafc0f7d99bf46eb3f67fe98ed458a76f1

Download Submit
C:\Users\Admin\AppData\Local\Up4w3ITnM\WINBRAND.dll

Filesize
1.2MB

MD5
d2617735de3e6ff3573d77b5267a4d0c

SHA1
8a319d1f99cd60235254bdd56bfceabea178a92a

SHA256
06e62936999c06287333ac56e6e306fd0ea9bf75b326cfba6cf8f49c0ae50fd7

SHA512
245500c975b0f0eeed6b02bb0a2166eaac8f62bc9c5c9f41bcb2a7fe7b4536b8c33f1a06c4b7aaf603c2b4b2c5ae2e2dabe7035a33b1241d75d265a9cebc45fe

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mityoyoyxpr.lnk

Filesize
1KB

MD5
e0610aabf904de81a3dcc395e4b4630b

SHA1
34523b4856046b7015b3171876142f7aaff54678

SHA256
9ed89e4ca569e40801ee0faad5f3f514dedeca7de9f0b1aba28ea74b638f3eb9

SHA512
b594d4e34ec5e2369ca96bba79c193f2a9779fa433c791a61f707c165954012c5f9f7ae29a25689bb6c97103d7d07f4b67b468bf80791317c290257b874f5689

Download Submit
\Users\Admin\AppData\Local\8Vu9BA\BitLockerWizard.exe

Filesize
98KB

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
\Users\Admin\AppData\Local\AYOOv\SystemPropertiesAdvanced.exe

Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\Up4w3ITnM\slui.exe

Filesize
341KB

MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
memory/1036-92-0x000007FEF60C0000-0x000007FEF61F2000-memory.dmp

Filesize
1.2MB

Download
memory/1036-93-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1036-86-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1204-28-0x0000000002610000-0x0000000002617000-memory.dmp

Filesize
28KB

Download
memory/1204-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-33-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-35-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-4-0x0000000076F66000-0x0000000076F67000-memory.dmp

Filesize
4KB

Download
memory/1204-43-0x0000000076F66000-0x0000000076F67000-memory.dmp

Filesize
4KB

Download
memory/1204-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-5-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-29-0x0000000077171000-0x0000000077172000-memory.dmp

Filesize
4KB

Download
memory/1204-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-30-0x0000000077300000-0x0000000077302000-memory.dmp

Filesize
8KB

Download
memory/1624-0-0x000007FEF60C0000-0x000007FEF61F1000-memory.dmp

Filesize
1.2MB

Download
memory/1624-42-0x000007FEF60C0000-0x000007FEF61F1000-memory.dmp

Filesize
1.2MB

Download
memory/1624-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2568-56-0x000007FEF7050000-0x000007FEF7182000-memory.dmp

Filesize
1.2MB

Download
memory/2568-51-0x000007FEF7050000-0x000007FEF7182000-memory.dmp

Filesize
1.2MB

Download
memory/2596-69-0x000007FEF60C0000-0x000007FEF61F2000-memory.dmp

Filesize
1.2MB

Download
memory/2596-74-0x000007FEF60C0000-0x000007FEF61F2000-memory.dmp

Filesize
1.2MB

Download
memory/2596-68-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download