dridex | 6ee00d8356339095b8dcc714a2b6c5bc438ca13a0b292963918b2702cdd5e75a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d854e90c9ce59c4a156aa7818aec934_JaffaCakes118.dll
Size

1.4MB
MD5

5d854e90c9ce59c4a156aa7818aec934
SHA1

8ea2082c93e1bd69b654750b324ca6441874231b
SHA256

6ee00d8356339095b8dcc714a2b6c5bc438ca13a0b292963918b2702cdd5e75a
SHA512

7d39f53fa199f5ed6a440d3418b489a268884e355e012b132d25914dbb52d586d048f298a5bde3749661006a050ec1330adb2ecf6819dcb22a640892f7786806
SSDEEP

24576:yuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:a9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3364-4-0x0000000002910000-0x0000000002911000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

EaseOfAccessDialog.exeBitLockerWizardElev.exeDmNotificationBroker.exe

pid process

4944 EaseOfAccessDialog.exe
1716 BitLockerWizardElev.exe
2288 DmNotificationBroker.exe
Loads dropped DLL 3 IoCs

Processes:

EaseOfAccessDialog.exeBitLockerWizardElev.exeDmNotificationBroker.exe

pid process

4944 EaseOfAccessDialog.exe
1716 BitLockerWizardElev.exe
2288 DmNotificationBroker.exe

resource	yara_rule
behavioral2/memory/3364-4-0x0000000002910000-0x0000000002911000-memory.dmp	dridex_stager_shellcode

pid	process
4944	EaseOfAccessDialog.exe
1716	BitLockerWizardElev.exe
2288	DmNotificationBroker.exe

pid	process
4944	EaseOfAccessDialog.exe
1716	BitLockerWizardElev.exe
2288	DmNotificationBroker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\Axn8J\\BitLockerWizardElev.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeEaseOfAccessDialog.exeBitLockerWizardElev.exeDmNotificationBroker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DmNotificationBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2928	rundll32.exe
2928	rundll32.exe
2928	rundll32.exe
2928	rundll32.exe
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3364 wrote to memory of 3420	3364	EaseOfAccessDialog.exe
PID 3364 wrote to memory of 3420	3364	EaseOfAccessDialog.exe
PID 3364 wrote to memory of 4944	3364	EaseOfAccessDialog.exe
PID 3364 wrote to memory of 4944	3364	EaseOfAccessDialog.exe
PID 3364 wrote to memory of 3900	3364	BitLockerWizardElev.exe
PID 3364 wrote to memory of 3900	3364	BitLockerWizardElev.exe
PID 3364 wrote to memory of 1716	3364	BitLockerWizardElev.exe
PID 3364 wrote to memory of 1716	3364	BitLockerWizardElev.exe
PID 3364 wrote to memory of 1184	3364	DmNotificationBroker.exe
PID 3364 wrote to memory of 1184	3364	DmNotificationBroker.exe
PID 3364 wrote to memory of 2288	3364	DmNotificationBroker.exe
PID 3364 wrote to memory of 2288	3364	DmNotificationBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d854e90c9ce59c4a156aa7818aec934_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2928

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:3420

C:\Users\Admin\AppData\Local\CeeGDA\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\CeeGDA\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4944

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:3900

C:\Users\Admin\AppData\Local\qbu2EIW\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\qbu2EIW\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1716

C:\Windows\system32\DmNotificationBroker.exe
C:\Windows\system32\DmNotificationBroker.exe
1⤵
PID:1184

C:\Users\Admin\AppData\Local\tslg0Nw\DmNotificationBroker.exe
C:\Users\Admin\AppData\Local\tslg0Nw\DmNotificationBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:2120

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CeeGDA\DUI70.dll
Filesize
1.6MB

MD5
cfc646dee87c0c94843d69dd925b11c2

SHA1
ffdfb7dae2041e92d076f98a46223618c4322815

SHA256
1fbc3dfd4f6a1a574a607a27d54ccf73acfd987e340db834366c578f7e9a4b4b

SHA512
6fb7e4f86f62cbfec29df5a775bc554770baf1ffe42fd7d28fa338d9258d2e8daa3a176bd9c75403af672783e46a151f474022026322874fad1797526d660ecd

Download Submit
C:\Users\Admin\AppData\Local\CeeGDA\EaseOfAccessDialog.exe
Filesize
123KB

MD5
e75ee992c1041341f709a517c8723c87

SHA1
471021260055eac0021f0abffa2d0ba77a2f380e

SHA256
0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

SHA512
48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

Download Submit
C:\Users\Admin\AppData\Local\qbu2EIW\BitLockerWizardElev.exe
Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\qbu2EIW\FVEWIZ.dll
Filesize
1.4MB

MD5
60fc66f0a10c8555ad50d110cc4e9bd8

SHA1
320c5ef0d55f19fda583ff5e6985e4d937bdb7ff

SHA256
be22c70c5169dda8192378703c43a9da8262a5dfcf8cf928d30121ff48c812dd

SHA512
3df5dd8c8317f2a815f4b8a20a9f3e8925daaa32e1551f472dc0e1993c3eb3f4f5b840935bc098113c6e9a251f5e59667b5ee5460a5ee08a77a3e9822b2290c1

Download Submit
C:\Users\Admin\AppData\Local\tslg0Nw\DUI70.dll
Filesize
1.6MB

MD5
05a3600048ec190ed3f57362f32f8afd

SHA1
ed19c2d43b86e4f656d07e097a9e061dac38eaca

SHA256
9299310bbf18cbbef9cf522c4e117f8bf2c7ff9f7bdfdbfc02453fbbfd29e215

SHA512
944f5f62de9c6692fbbfa9935d3b7eefa342b2a6a2b4ddb03621f8cdbf11d39aeba9ef97638a9db29a935db916273c66ac6ebf9489cbc056ee08036d90863c11

Download Submit
C:\Users\Admin\AppData\Local\tslg0Nw\DmNotificationBroker.exe
Filesize
32KB

MD5
f0bdc20540d314a2aad951c7e2c88420

SHA1
4ab344595a4a81ab5f31ed96d72f217b4cee790b

SHA256
f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5

SHA512
cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnk
Filesize
1KB

MD5
f74dcbb5fba93cecec38cca034978333

SHA1
1e30ea83c36e67ccc05705dd6d97e308b3374732

SHA256
6b80c174510813c0d22ccd79e392f2b191dad31e7363f75d2fe064cf08d33382

SHA512
8944ca843912b89450f0458c73c530c8025bb8bd4ababcf0c3889c5e4673409c8385d88826ae56f5a5c71f5a7354ca649afb8b629160c23215b52f77be216b48

Download Submit
memory/1716-71-0x00007FFE5FAB0000-0x00007FFE5FC18000-memory.dmp

Filesize
1.4MB

Download
memory/1716-66-0x00007FFE5FAB0000-0x00007FFE5FC18000-memory.dmp

Filesize
1.4MB

Download
memory/1716-65-0x00000265363E0000-0x00000265363E7000-memory.dmp

Filesize
28KB

Download
memory/2288-82-0x0000027135880000-0x0000027135887000-memory.dmp

Filesize
28KB

Download
memory/2288-83-0x00007FFE5FA10000-0x00007FFE5FBBD000-memory.dmp

Filesize
1.7MB

Download
memory/2288-88-0x00007FFE5FA10000-0x00007FFE5FBBD000-memory.dmp

Filesize
1.7MB

Download
memory/2928-41-0x00007FFE707D0000-0x00007FFE70937000-memory.dmp

Filesize
1.4MB

Download
memory/2928-0-0x000002B2AE550000-0x000002B2AE557000-memory.dmp

Filesize
28KB

Download
memory/2928-1-0x00007FFE707D0000-0x00007FFE70937000-memory.dmp

Filesize
1.4MB

Download
memory/3364-19-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-13-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-8-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-7-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-38-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-11-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-12-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-14-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-5-0x00007FFE7F2AA000-0x00007FFE7F2AB000-memory.dmp

Filesize
4KB

Download
memory/3364-4-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/3364-10-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-9-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-15-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-17-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-18-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-27-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-28-0x00000000009D0000-0x00000000009D7000-memory.dmp

Filesize
28KB

Download
memory/3364-29-0x00007FFE7F3F0000-0x00007FFE7F400000-memory.dmp

Filesize
64KB

Download
memory/3364-16-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4944-54-0x00007FFE5F9D0000-0x00007FFE5FB7D000-memory.dmp

Filesize
1.7MB

Download
memory/4944-49-0x00007FFE5F9D0000-0x00007FFE5FB7D000-memory.dmp

Filesize
1.7MB

Download
memory/4944-48-0x0000023C17AB0000-0x0000023C17AB7000-memory.dmp

Filesize
28KB

Download