dridex | ff1da268d8bd85b1009b4525397bac1bfa6b6fe374ffe2e30d527c6e2d1acd3e

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c41468fe40e62c704e9673588d427a42_JaffaCakes118.dll
Size

1.2MB
MD5

c41468fe40e62c704e9673588d427a42
SHA1

e093530b29fe73210618c713883b1e14cbe05bdd
SHA256

ff1da268d8bd85b1009b4525397bac1bfa6b6fe374ffe2e30d527c6e2d1acd3e
SHA512

6b1b319d4b7540ab2c66c4baa6c373f204b28d3dd7e4fc3fd5344620232581d56a2abba694acc2112a70773fe32894bae44ed77c6fdd6403e8eaa41111d388f1
SSDEEP

24576:buYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:F9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3428-4-0x0000000003150000-0x0000000003151000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

BdeUISrv.exeiexpress.exesystemreset.exe

pid	Process
2068	BdeUISrv.exe
2400	iexpress.exe
2912	systemreset.exe

Loads dropped DLL 3 IoCs

Processes:

BdeUISrv.exeiexpress.exesystemreset.exe

pid	Process
2068	BdeUISrv.exe
2400	iexpress.exe
2912	systemreset.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfaxdafbicozcso = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\yjLJxnPi\\iexpress.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeBdeUISrv.exeiexpress.exesystemreset.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
4996	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe
4996	rundll32.exe
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428
3428

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	Process
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428
Token: SeShutdownPrivilege	3428
Token: SeCreatePagefilePrivilege	3428

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3428

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3428 wrote to memory of 4696	3428	86
PID 3428 wrote to memory of 4696	3428	86
PID 3428 wrote to memory of 2068	3428	87
PID 3428 wrote to memory of 2068	3428	87
PID 3428 wrote to memory of 5064	3428	88
PID 3428 wrote to memory of 5064	3428	88
PID 3428 wrote to memory of 2400	3428	89
PID 3428 wrote to memory of 2400	3428	89
PID 3428 wrote to memory of 3016	3428	90
PID 3428 wrote to memory of 3016	3428	90
PID 3428 wrote to memory of 2912	3428	91
PID 3428 wrote to memory of 2912	3428	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c41468fe40e62c704e9673588d427a42_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4996

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:4696

C:\Users\Admin\AppData\Local\vBS0\BdeUISrv.exe
C:\Users\Admin\AppData\Local\vBS0\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2068

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:5064

C:\Users\Admin\AppData\Local\o3Be4rt5\iexpress.exe
C:\Users\Admin\AppData\Local\o3Be4rt5\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2400

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:3016

C:\Users\Admin\AppData\Local\qeUJqU\systemreset.exe
C:\Users\Admin\AppData\Local\qeUJqU\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\o3Be4rt5\VERSION.dll

Filesize
1.2MB

MD5
a7066a36d3518d4ac6f590309439fbb9

SHA1
bc8e40a44a057a083af2bf111bbec49882b81121

SHA256
264ca2cc9e2185ad01eb3a4230adc78274d5d8b530c860464a422f819a1d8770

SHA512
46169f6b2e1070518926ba3337e721e52b18b80566444d0dca318a61ef7016a200b3d6036f96983ad7c748ecb7f66d95cc27dca4c528e20887bc2ecd31dafb82

Download Submit
C:\Users\Admin\AppData\Local\o3Be4rt5\iexpress.exe

Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Local\qeUJqU\DUI70.dll

Filesize
1.4MB

MD5
1555d2789e07d6a3564a2427eea1c2c6

SHA1
4f7af3ff5ab87a3b26dfb28232991135e2f0c30f

SHA256
6603b0f292124260d08fefc0785ff7c3479c3147e4417af8d3fbfa4f16c88e05

SHA512
377dd0acded83a67b634d7fc14c1f33dd792e01a0b94c33f5436a99c35dec17021b1ffa3d2e54cb91dc821419a60ed9f6f16e97655f09a39861aacf74824ffff

Download Submit
C:\Users\Admin\AppData\Local\qeUJqU\systemreset.exe

Filesize
508KB

MD5
325ff647506adb89514defdd1c372194

SHA1
84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

SHA256
ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

SHA512
8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

Download Submit
C:\Users\Admin\AppData\Local\vBS0\BdeUISrv.exe

Filesize
54KB

MD5
8595075667ff2c9a9f9e2eebc62d8f53

SHA1
c48b54e571f05d4e21d015bb3926c2129f19191a

SHA256
20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

SHA512
080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

Download Submit
C:\Users\Admin\AppData\Local\vBS0\WTSAPI32.dll

Filesize
1.2MB

MD5
6ab8e9bd5b7c3f459a95c6d7ee1a70dd

SHA1
b81cf522485096d08060b9581ad137af0d9d5374

SHA256
d4c321e039ad623dcc87ace41838410b93660653eb680fb2cd75b2919e266d94

SHA512
a85452aaa654cb4aaef8bab0e555aab727741348467ebaeb1d57469dfcce144850b87ec11f29c4fe341cc413e542eed82e14e224ffd469947e39ca6178fd0014

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yfsfrqrlkk.lnk

Filesize
1KB

MD5
be326bbb6dc01115f0865e80a8b0f94d

SHA1
3b0ef2198f41400e52e7833c5c5c00f5e0f532b9

SHA256
ef989e449c329c648ff765e746d02ff31751177834b7b3f26a092f9f5f54ea24

SHA512
24f760d9d28a95244ecb6e8074ffa5a573cec078d863145527612452c33d6a9675b137a582ede285d468a264db9268f44f2da4a09cedb1902e52cab5525a2db5

Download Submit
memory/2068-51-0x00007FFC195A0000-0x00007FFC196D1000-memory.dmp

Filesize
1.2MB

Download
memory/2068-46-0x00007FFC195A0000-0x00007FFC196D1000-memory.dmp

Filesize
1.2MB

Download
memory/2068-45-0x0000025410C70000-0x0000025410C77000-memory.dmp

Filesize
28KB

Download
memory/2400-68-0x00007FFC195A0000-0x00007FFC196D1000-memory.dmp

Filesize
1.2MB

Download
memory/2400-62-0x000001A328540000-0x000001A328547000-memory.dmp

Filesize
28KB

Download
memory/2912-79-0x00007FFC19560000-0x00007FFC196D6000-memory.dmp

Filesize
1.5MB

Download
memory/2912-82-0x00000278E9530000-0x00000278E9537000-memory.dmp

Filesize
28KB

Download
memory/2912-85-0x00007FFC19560000-0x00007FFC196D6000-memory.dmp

Filesize
1.5MB

Download
memory/3428-29-0x00007FFC28E30000-0x00007FFC28E40000-memory.dmp

Filesize
64KB

Download
memory/3428-15-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3428-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3428-6-0x00007FFC28DAA000-0x00007FFC28DAB000-memory.dmp

Filesize
4KB

Download
memory/3428-8-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3428-10-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3428-11-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3428-12-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3428-13-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3428-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3428-28-0x0000000000F90000-0x0000000000F97000-memory.dmp

Filesize
28KB

Download
memory/3428-4-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/3428-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3428-14-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3428-7-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3428-9-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4996-0-0x00007FFC195B0000-0x00007FFC196E0000-memory.dmp

Filesize
1.2MB

Download
memory/4996-38-0x00007FFC195B0000-0x00007FFC196E0000-memory.dmp

Filesize
1.2MB

Download
memory/4996-3-0x0000017B799A0000-0x0000017B799A7000-memory.dmp

Filesize
28KB

Download