dridex | a4028b0f6604c7aeecc2330ee67997f99ffe70e21215f9aeedf017967be7d9e2

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bea9c1a003870ad52df8b2eb97fe986_JaffaCakes118.dll
Size

1.4MB
MD5

6bea9c1a003870ad52df8b2eb97fe986
SHA1

06ba82c8b99a00e35eee2bdda767680958e14cb8
SHA256

a4028b0f6604c7aeecc2330ee67997f99ffe70e21215f9aeedf017967be7d9e2
SHA512

2756a44868022d3706703628aba56cc8b2ce687e0adace62248b33576fed7b7d9d289a33aa3cae5e16120d3504f8d57d770cd503ce3d35674d76fe004c296689
SSDEEP

24576:RVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:RV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1136-5-0x00000000024F0000-0x00000000024F1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

VaultSysUi.exeSystemPropertiesDataExecutionPrevention.exeStikyNot.exe

pid process

2444 VaultSysUi.exe
1488 SystemPropertiesDataExecutionPrevention.exe
2112 StikyNot.exe
Loads dropped DLL 8 IoCs

Processes:

VaultSysUi.exeSystemPropertiesDataExecutionPrevention.exeStikyNot.exe

pid process

1136
1136
2444 VaultSysUi.exe
1136
1488 SystemPropertiesDataExecutionPrevention.exe
1136
2112 StikyNot.exe
1136

resource	yara_rule
behavioral1/memory/1136-5-0x00000000024F0000-0x00000000024F1000-memory.dmp	dridex_stager_shellcode

pid	process
2444	VaultSysUi.exe
1488	SystemPropertiesDataExecutionPrevention.exe
2112	StikyNot.exe

pid	process
1136
1136
2444	VaultSysUi.exe
1136
1488	SystemPropertiesDataExecutionPrevention.exe
1136
2112	StikyNot.exe
1136

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gdussggr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\kn\\SystemPropertiesDataExecutionPrevention.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeVaultSysUi.exeSystemPropertiesDataExecutionPrevention.exeStikyNot.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VaultSysUi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StikyNot.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1136 wrote to memory of 2712	1136	VaultSysUi.exe
PID 1136 wrote to memory of 2712	1136	VaultSysUi.exe
PID 1136 wrote to memory of 2712	1136	VaultSysUi.exe
PID 1136 wrote to memory of 2444	1136	VaultSysUi.exe
PID 1136 wrote to memory of 2444	1136	VaultSysUi.exe
PID 1136 wrote to memory of 2444	1136	VaultSysUi.exe
PID 1136 wrote to memory of 1584	1136	SystemPropertiesDataExecutionPrevention.exe
PID 1136 wrote to memory of 1584	1136	SystemPropertiesDataExecutionPrevention.exe
PID 1136 wrote to memory of 1584	1136	SystemPropertiesDataExecutionPrevention.exe
PID 1136 wrote to memory of 1488	1136	SystemPropertiesDataExecutionPrevention.exe
PID 1136 wrote to memory of 1488	1136	SystemPropertiesDataExecutionPrevention.exe
PID 1136 wrote to memory of 1488	1136	SystemPropertiesDataExecutionPrevention.exe
PID 1136 wrote to memory of 2540	1136	StikyNot.exe
PID 1136 wrote to memory of 2540	1136	StikyNot.exe
PID 1136 wrote to memory of 2540	1136	StikyNot.exe
PID 1136 wrote to memory of 2112	1136	StikyNot.exe
PID 1136 wrote to memory of 2112	1136	StikyNot.exe
PID 1136 wrote to memory of 2112	1136	StikyNot.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bea9c1a003870ad52df8b2eb97fe986_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
1⤵
PID:2712

C:\Users\Admin\AppData\Local\nFRD4N1\VaultSysUi.exe
C:\Users\Admin\AppData\Local\nFRD4N1\VaultSysUi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2444

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:1584

C:\Users\Admin\AppData\Local\3Db9GhJ7k\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\3Db9GhJ7k\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1488

C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
1⤵
PID:2540

C:\Users\Admin\AppData\Local\HDSH\StikyNot.exe
C:\Users\Admin\AppData\Local\HDSH\StikyNot.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2112

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3Db9GhJ7k\SYSDM.CPL
Filesize
1.4MB

MD5
b0d50630eb998f83054a56b2b5e51e35

SHA1
c1d2233964041cc552ba3f904d3f12fc925fae3a

SHA256
9d6e62b32291d4a5ac3fc66902c3fa3df665bb4d315cdf1349abd561457b3f18

SHA512
17a237c51fde5d49e6c1299497c4f7d70e15ca63e954130e1cc3f040407e6add42b4d622344fd67cd0dc6ad8acf70b6f877f85d6cfe1a11a268e372231fd792b

Download Submit
C:\Users\Admin\AppData\Local\HDSH\DUI70.dll
Filesize
1.6MB

MD5
077c0714a1eba8306734ca0f771f58e2

SHA1
590b07bd6db20d31567236d637c52364bea71580

SHA256
aad700a7d3484253f5b37bd4d2ef33708e25c42e40702b9780273474c4a43ecc

SHA512
4f8dfaf8f1a68022af62b256e0ec2e9f6071eba1a6c617aa9ed0fac5685bc40fbc5ccb86b8730f49899323faebbf771d872b6ebbd0a47ed9e72861a6d7c042b8

Download Submit
C:\Users\Admin\AppData\Local\nFRD4N1\credui.dll
Filesize
1.4MB

MD5
a549ba68efd613cf2dfe6efb32ec8e91

SHA1
fa12657d92a8db89fda71361c6d0475d921bb0cc

SHA256
88c68adeebafd26421d575071470b961b936d9406db60d9ee5fc020f63a49d42

SHA512
44dac0ec822bc8538b886d63c3854a453c78037216df2ccd2923d35e317e437cbb59e1208f4f01dd6bce60ab147496d00b417871647743e283fc8adc3e9d3cb7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Smfbypnq.lnk
Filesize
1KB

MD5
3dbf3b8b6098b4d1f1b44690ea9e8631

SHA1
87045fc80581b807ff16a96b1c6d87be66763424

SHA256
19b9c0218a2d7064807ad00a64b73e307e1d03095305a15ac9309bc6e5db55c7

SHA512
79fe91b42114aa36659e82ced011ed8a65933dde377ccd94192fbe5e4450bfc67bdb39e60d1c35ec140d0cfdc2e5e4adf022fb53b5f2e2af7702c432a9612b1f

Download Submit
\Users\Admin\AppData\Local\3Db9GhJ7k\SystemPropertiesDataExecutionPrevention.exe
Filesize
80KB

MD5
e43ff7785fac643093b3b16a9300e133

SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba

SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Download Submit
\Users\Admin\AppData\Local\HDSH\StikyNot.exe
Filesize
417KB

MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
\Users\Admin\AppData\Local\nFRD4N1\VaultSysUi.exe
Filesize
39KB

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
memory/1136-24-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1136-27-0x0000000077930000-0x0000000077932000-memory.dmp

Filesize
8KB

Download
memory/1136-4-0x0000000077596000-0x0000000077597000-memory.dmp

Filesize
4KB

Download
memory/1136-15-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1136-26-0x00000000777A1000-0x00000000777A2000-memory.dmp

Filesize
4KB

Download
memory/1136-14-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1136-13-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1136-11-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1136-9-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1136-67-0x0000000077596000-0x0000000077597000-memory.dmp

Filesize
4KB

Download
memory/1136-36-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1136-38-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1136-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1136-10-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1136-12-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1136-25-0x00000000024D0000-0x00000000024D7000-memory.dmp

Filesize
28KB

Download
memory/1136-8-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1136-7-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1488-80-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1488-75-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1632-45-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1632-0-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1632-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2112-95-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2112-92-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/2112-98-0x0000000140000000-0x00000001401A9000-memory.dmp

Filesize
1.7MB

Download
memory/2444-62-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2444-58-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2444-56-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads