dridex | 095248ed3b37a6a13dc0e755bc6480e04b9c6c7f21f05b7c7de8669da2378a91

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bbc3a414ecfee5ef1ad3915de9e7275_JaffaCakes118.dll
Size

990KB
MD5

5bbc3a414ecfee5ef1ad3915de9e7275
SHA1

5d7a2f05e453beca108e0aad77c56716d1aec5c2
SHA256

095248ed3b37a6a13dc0e755bc6480e04b9c6c7f21f05b7c7de8669da2378a91
SHA512

2eeb33941202ca5f5f9b592da09d63e9632c460b35eadd1ace0835439e47c5a92388096dd6cb8afd3aca1a584e7a7215f9f5d7589b990246c60c54c9b03418b5
SSDEEP

24576:iVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:iV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3448-4-0x00000000028F0000-0x00000000028F1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

sigverif.exeeudcedit.exeSystemPropertiesComputerName.exe

pid process

4280 sigverif.exe
2672 eudcedit.exe
520 SystemPropertiesComputerName.exe
Loads dropped DLL 3 IoCs

Processes:

sigverif.exeeudcedit.exeSystemPropertiesComputerName.exe

pid process

4280 sigverif.exe
2672 eudcedit.exe
520 SystemPropertiesComputerName.exe

resource	yara_rule
behavioral2/memory/3448-4-0x00000000028F0000-0x00000000028F1000-memory.dmp	dridex_stager_shellcode

pid	process
4280	sigverif.exe
2672	eudcedit.exe
520	SystemPropertiesComputerName.exe

pid	process
4280	sigverif.exe
2672	eudcedit.exe
520	SystemPropertiesComputerName.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bhelxfhv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\Gj9s8rs\\eudcedit.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sigverif.exeeudcedit.exeSystemPropertiesComputerName.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1484	rundll32.exe
1484	rundll32.exe
1484	rundll32.exe
1484	rundll32.exe
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3448 wrote to memory of 3592	3448	sigverif.exe
PID 3448 wrote to memory of 3592	3448	sigverif.exe
PID 3448 wrote to memory of 4280	3448	sigverif.exe
PID 3448 wrote to memory of 4280	3448	sigverif.exe
PID 3448 wrote to memory of 2732	3448	eudcedit.exe
PID 3448 wrote to memory of 2732	3448	eudcedit.exe
PID 3448 wrote to memory of 2672	3448	eudcedit.exe
PID 3448 wrote to memory of 2672	3448	eudcedit.exe
PID 3448 wrote to memory of 2464	3448	SystemPropertiesComputerName.exe
PID 3448 wrote to memory of 2464	3448	SystemPropertiesComputerName.exe
PID 3448 wrote to memory of 520	3448	SystemPropertiesComputerName.exe
PID 3448 wrote to memory of 520	3448	SystemPropertiesComputerName.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bbc3a414ecfee5ef1ad3915de9e7275_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1484

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:3592

C:\Users\Admin\AppData\Local\57KCMFN2h\sigverif.exe
C:\Users\Admin\AppData\Local\57KCMFN2h\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4280

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:2732

C:\Users\Admin\AppData\Local\ARU\eudcedit.exe
C:\Users\Admin\AppData\Local\ARU\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2672

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:2464

C:\Users\Admin\AppData\Local\yO85Kb\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\yO85Kb\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\57KCMFN2h\VERSION.dll
Filesize
991KB

MD5
0cabbf0ab4843f6f32d80dbeaa05a132

SHA1
78c735e93c09dead343779acd228b5f361764018

SHA256
26016b98fefdc552b5f6c93993012309faee0a30eefac362f389561866d45468

SHA512
a3b6e6e4c5642fd8be15225636cba69a1f90ebc6c1493b120d33d57ffc6ea493c7c00bd3aff99bdb023fb626e70c2dcc896bb077972557a9497c2cf25f7b25ef

Download Submit
C:\Users\Admin\AppData\Local\57KCMFN2h\sigverif.exe
Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Local\ARU\MFC42u.dll
Filesize
1018KB

MD5
3ac2dbeef4aa0dd21574edc82d70a823

SHA1
76f8c6c2e750b96fcb8a86e9628befd80b22a3af

SHA256
0db1ac77efaf74dbc3fa43aa0420e92ed86d4ca3b30ded0dd484b2b4cf653d49

SHA512
9b496a8a6c0e9423da1b7d3a258ab2aab098ef3897810937e1fffa48c0592a3e21706a35a6b6c44f21a04676f30729c39ac73d9fcec4ece763ea774b847b0d80

Download Submit
C:\Users\Admin\AppData\Local\ARU\eudcedit.exe
Filesize
365KB

MD5
a9de6557179d371938fbe52511b551ce

SHA1
def460b4028788ded82dc55c36cb0df28599fd5f

SHA256
83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

SHA512
5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

Download Submit
C:\Users\Admin\AppData\Local\yO85Kb\SYSDM.CPL
Filesize
991KB

MD5
c97348d61e88998c10344730a593b11c

SHA1
3ba08275cede19de8fdc9847fe4bacba5c543cb8

SHA256
05c791abedcf601262fc5c865e7d03179d893b6dec528177c50ff293eb86625e

SHA512
9d84bbe4aed90235d2c4b0ae096d695c7c494f7bc258c5282c8cf4d1fc703030279e37f696b7559eb55176d6402ef1d9412322b06f443749af9d6ef05479f9bb

Download Submit
C:\Users\Admin\AppData\Local\yO85Kb\SystemPropertiesComputerName.exe
Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk
Filesize
1KB

MD5
98b9541c641afbcc974fdd549dcd1bdb

SHA1
22718393a3c130023538bbca5ed95c1b3627dffa

SHA256
249dc04875dad875f0f85a4f13bc68862fc3caec916dffbf9496d1b79918d44a

SHA512
b4f90c804733c3def35476b55824a7f0d1e481a6d9a07cf2a9ff5c92b6bdb54507d9f99a7d25fe3d68b03207e22fbcea0b1628c5a5a003e7383511fc4ac1f7ae

Download Submit
memory/520-87-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/520-84-0x0000025452370000-0x0000025452377000-memory.dmp

Filesize
28KB

Download
memory/1484-0-0x000001F0F7F30000-0x000001F0F7F37000-memory.dmp

Filesize
28KB

Download
memory/1484-38-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1484-1-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2672-65-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2672-64-0x0000019E84BE0000-0x0000019E84BE7000-memory.dmp

Filesize
28KB

Download
memory/2672-70-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/3448-23-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3448-26-0x00007FF8F6250000-0x00007FF8F6260000-memory.dmp

Filesize
64KB

Download
memory/3448-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3448-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3448-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3448-4-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/3448-6-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3448-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3448-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3448-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3448-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3448-14-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3448-24-0x00007FF8F5A1A000-0x00007FF8F5A1B000-memory.dmp

Filesize
4KB

Download
memory/3448-35-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3448-25-0x00000000008D0000-0x00000000008D7000-memory.dmp

Filesize
28KB

Download
memory/4280-51-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/4280-45-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/4280-48-0x0000027725B70000-0x0000027725B77000-memory.dmp

Filesize
28KB

Download