dridex | 5ed7ff55cc5fd11a4ac5a823ff7cebb7e252e0a8d37dc1a1715d4098af9aeedc

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc6a7f50f96beb004bcf9c6174e93bbd_JaffaCakes118.dll
Size

1.2MB
MD5

bc6a7f50f96beb004bcf9c6174e93bbd
SHA1

938e569330ff878fcbd597dc60106be24764991b
SHA256

5ed7ff55cc5fd11a4ac5a823ff7cebb7e252e0a8d37dc1a1715d4098af9aeedc
SHA512

b8c02c3651cb233c51420bf357c41fd243582b75fa8223d92fbeeebeb3117bdbd507a93e9349f94c33502dd5f531a4281c6cbceff3bf5fcdc15894fbe23ca8b1
SSDEEP

24576:ouYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:Y9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1424-5-0x0000000002270000-0x0000000002271000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

slui.exeMagnify.execalc.exe

pid	Process
1300	slui.exe
1032	Magnify.exe
1964	calc.exe

Loads dropped DLL 7 IoCs

Processes:

slui.exeMagnify.execalc.exe

pid	Process
1424
1300	slui.exe
1424
1032	Magnify.exe
1424
1964	calc.exe
1424

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Madzpveq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\do\\Magnify.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeslui.exeMagnify.execalc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
2684	rundll32.exe
2684	rundll32.exe
2684	rundll32.exe
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1424 wrote to memory of 2488	1424	30
PID 1424 wrote to memory of 2488	1424	30
PID 1424 wrote to memory of 2488	1424	30
PID 1424 wrote to memory of 1300	1424	31
PID 1424 wrote to memory of 1300	1424	31
PID 1424 wrote to memory of 1300	1424	31
PID 1424 wrote to memory of 2240	1424	32
PID 1424 wrote to memory of 2240	1424	32
PID 1424 wrote to memory of 2240	1424	32
PID 1424 wrote to memory of 1032	1424	33
PID 1424 wrote to memory of 1032	1424	33
PID 1424 wrote to memory of 1032	1424	33
PID 1424 wrote to memory of 2400	1424	34
PID 1424 wrote to memory of 2400	1424	34
PID 1424 wrote to memory of 2400	1424	34
PID 1424 wrote to memory of 1964	1424	35
PID 1424 wrote to memory of 1964	1424	35
PID 1424 wrote to memory of 1964	1424	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc6a7f50f96beb004bcf9c6174e93bbd_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:2488

C:\Users\Admin\AppData\Local\8RBZT\slui.exe
C:\Users\Admin\AppData\Local\8RBZT\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1300

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:2240

C:\Users\Admin\AppData\Local\bLye9\Magnify.exe
C:\Users\Admin\AppData\Local\bLye9\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1032

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:2400

C:\Users\Admin\AppData\Local\FBC\calc.exe
C:\Users\Admin\AppData\Local\FBC\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8RBZT\WINBRAND.dll

Filesize
1.2MB

MD5
4155f317effb2209d5be1b938bda80a5

SHA1
2bd2d5774c602ff63edd7de0efa926932a806329

SHA256
7686f0b903f8b9a7dfff4ca804724a719271def552e8f63e0bd737ad47f02ba4

SHA512
a5fcd4b5e8924bde67b0047e24e9222dbf88d9c7bc4aa4d6ddc762f5a7333e44b519d6740aeda5aa321f0ab2b9dbbbd8b77e797f1e0b44584171f6ae8f1df2c1

Download Submit
C:\Users\Admin\AppData\Local\FBC\VERSION.dll

Filesize
1.2MB

MD5
77b76e78a451f2242ebba41d551b98f4

SHA1
9db6a958fc384f3fe76d33c32b703fd677019d9f

SHA256
743b241f07db4ad1acaa2458a60c319627d381128d79036aad7a985ddc878ea1

SHA512
8bee0a81ac4416da31fe74a25564f5801b81d9cca0711473531c1251893d0cd6e0b36efe5c8e19681326bed8b6cdf9a347b8009b7b9da33c6ffc76cafb370a49

Download Submit
C:\Users\Admin\AppData\Local\bLye9\DUI70.dll

Filesize
1.4MB

MD5
a82adee16e6e439058f9766e361c9feb

SHA1
5b6c0be6555e83347014924daa2fc7c361cfcf1c

SHA256
1e1b4169f4b033380356b1293f3ed2cae3a3362d2809f26b45837a44708e9274

SHA512
40ac71b62ae1457063e6671d06844869ee7491c3d889bf7218f8f06ef89b5191c4696a029eca79aa439c82fd1b30bc233d6e90d4e5144eec4216eda42d477b00

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rinzzkcfiw.lnk

Filesize
988B

MD5
babcf21f5da7d9f27acd5146f81bd373

SHA1
948a16037977b39004a9b66be8ae01619af57ef8

SHA256
c9925709417ff705b667bcb851e42435f49cbfb4b3f050854651390d86fab598

SHA512
ab7e94c80c7b3ea454dbe3810c180b95e2b187e48fc62825944f36d4442a9a471ca4a5718fe48b0fabe60ca37e5a13924126bc262ad0ad0cdd6ed6f31d5f4d78

Download Submit
\Users\Admin\AppData\Local\8RBZT\slui.exe

Filesize
341KB

MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
\Users\Admin\AppData\Local\FBC\calc.exe

Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
\Users\Admin\AppData\Local\bLye9\Magnify.exe

Filesize
637KB

MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
memory/1032-73-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1032-74-0x000007FEF7180000-0x000007FEF72E5000-memory.dmp

Filesize
1.4MB

Download
memory/1032-78-0x000007FEF7180000-0x000007FEF72E5000-memory.dmp

Filesize
1.4MB

Download
memory/1300-61-0x000007FEFA9A0000-0x000007FEFAAD2000-memory.dmp

Filesize
1.2MB

Download
memory/1300-57-0x000007FEFA9A0000-0x000007FEFAAD2000-memory.dmp

Filesize
1.2MB

Download
memory/1300-55-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1424-17-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-28-0x0000000076F60000-0x0000000076F62000-memory.dmp

Filesize
8KB

Download
memory/1424-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-4-0x0000000076BC6000-0x0000000076BC7000-memory.dmp

Filesize
4KB

Download
memory/1424-47-0x0000000076BC6000-0x0000000076BC7000-memory.dmp

Filesize
4KB

Download
memory/1424-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-5-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1424-26-0x0000000002250000-0x0000000002257000-memory.dmp

Filesize
28KB

Download
memory/1424-27-0x0000000076DD1000-0x0000000076DD2000-memory.dmp

Filesize
4KB

Download
memory/1424-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1424-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1964-88-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1964-89-0x000007FEF71B0000-0x000007FEF72E2000-memory.dmp

Filesize
1.2MB

Download
memory/1964-94-0x000007FEF71B0000-0x000007FEF72E2000-memory.dmp

Filesize
1.2MB

Download
memory/2684-0-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2684-46-0x000007FEF71B0000-0x000007FEF72E1000-memory.dmp

Filesize
1.2MB

Download
memory/2684-1-0x000007FEF71B0000-0x000007FEF72E1000-memory.dmp

Filesize
1.2MB

Download