dridex | 4100a58079b73e51c495845a7487c862572cb7b5a18c12c7585913916248a613

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

723f0ca6ef1d9014e4e4a906929ff499_JaffaCakes118.dll
Size

1.4MB
MD5

723f0ca6ef1d9014e4e4a906929ff499
SHA1

fa0cf042250a80f3933e8243b8e99634baccb9f7
SHA256

4100a58079b73e51c495845a7487c862572cb7b5a18c12c7585913916248a613
SHA512

3e5ac2fde79fa319b807067b5014049b610d8a3d555092e04acf6ed082fd0599089f6ecfad8652868a5ed4c61fb91ae179addb60fefad96fc3372dd7d1b0c425
SSDEEP

24576:VuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NP:v9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3364-4-0x0000000002DC0000-0x0000000002DC1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

BdeUISrv.exerstrui.exeperfmon.exe

pid process

4068 BdeUISrv.exe
2156 rstrui.exe
1900 perfmon.exe
Loads dropped DLL 3 IoCs

Processes:

BdeUISrv.exerstrui.exeperfmon.exe

pid process

4068 BdeUISrv.exe
2156 rstrui.exe
1900 perfmon.exe

resource	yara_rule
behavioral2/memory/3364-4-0x0000000002DC0000-0x0000000002DC1000-memory.dmp	dridex_stager_shellcode

pid	process
4068	BdeUISrv.exe
2156	rstrui.exe
1900	perfmon.exe

pid	process
4068	BdeUISrv.exe
2156	rstrui.exe
1900	perfmon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zyaxxifxvt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\uukB4s\\rstrui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BdeUISrv.exerstrui.exeperfmon.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4536	rundll32.exe
4536	rundll32.exe
4536	rundll32.exe
4536	rundll32.exe
4536	rundll32.exe
4536	rundll32.exe
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3364

pid	process
3364

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3364 wrote to memory of 1736	3364	BdeUISrv.exe
PID 3364 wrote to memory of 1736	3364	BdeUISrv.exe
PID 3364 wrote to memory of 4068	3364	BdeUISrv.exe
PID 3364 wrote to memory of 4068	3364	BdeUISrv.exe
PID 3364 wrote to memory of 4676	3364	rstrui.exe
PID 3364 wrote to memory of 4676	3364	rstrui.exe
PID 3364 wrote to memory of 2156	3364	rstrui.exe
PID 3364 wrote to memory of 2156	3364	rstrui.exe
PID 3364 wrote to memory of 2936	3364	perfmon.exe
PID 3364 wrote to memory of 2936	3364	perfmon.exe
PID 3364 wrote to memory of 1900	3364	perfmon.exe
PID 3364 wrote to memory of 1900	3364	perfmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\723f0ca6ef1d9014e4e4a906929ff499_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:1736

C:\Users\Admin\AppData\Local\5UWMfFbU\BdeUISrv.exe
C:\Users\Admin\AppData\Local\5UWMfFbU\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4068

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:4676

C:\Users\Admin\AppData\Local\QCAaCOHj\rstrui.exe
C:\Users\Admin\AppData\Local\QCAaCOHj\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2156

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:2936

C:\Users\Admin\AppData\Local\2WYy\perfmon.exe
C:\Users\Admin\AppData\Local\2WYy\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2WYy\credui.dll
Filesize
1.4MB

MD5
c19ac0201e5248635177f671b98c7c6b

SHA1
2aeafa97a1187536d748d61f0ec239ed7d719bdf

SHA256
4a81bc56993f6daff3214cc1b5b735821f4c5a803fd47cbc4a9f45beb9e9046d

SHA512
c1913626ca1556dfba1ddd00935e16d92bc8f5b6fef9384bc57e167f0db0788f8b3a92868f5c74af67d50945a072e8424b746f31a16209cd6014dd46e86ee8c6

Download Submit
C:\Users\Admin\AppData\Local\2WYy\perfmon.exe
Filesize
177KB

MD5
d38aa59c3bea5456bd6f95c73ad3c964

SHA1
40170eab389a6ba35e949f9c92962646a302d9ef

SHA256
5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

SHA512
59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

Download Submit
C:\Users\Admin\AppData\Local\5UWMfFbU\BdeUISrv.exe
Filesize
54KB

MD5
8595075667ff2c9a9f9e2eebc62d8f53

SHA1
c48b54e571f05d4e21d015bb3926c2129f19191a

SHA256
20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

SHA512
080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

Download Submit
C:\Users\Admin\AppData\Local\5UWMfFbU\WTSAPI32.dll
Filesize
1.4MB

MD5
9d5f40ce8fd72060398a12450653f58b

SHA1
9d0050200b5d51dab6e64ccdbde39cc88ad50d47

SHA256
5c9a10d754af4cd9ee2977a1ed0ac9785b440250500d25b87738646dd3ddbf16

SHA512
f25f84326628f1f7885625e76d3f6b24dfcda9e80ac6b2e0112cefa45587661623d7b0989c993c8b6409e32b73b689e114d3180c9787f9bbc2f398b84842b9dc

Download Submit
C:\Users\Admin\AppData\Local\QCAaCOHj\SPP.dll
Filesize
1.4MB

MD5
49076c8fc79dc6e4ab226cce27bfcaba

SHA1
9671bfc682c2790a5274d7034038dabdf68b5fe1

SHA256
21ba2c4e94759d140164da221b8f2910d00d403c3ab110046ce1c999a4e3af5e

SHA512
f889417f687c579a48ce40579ea072443100e16afeb153a6506f0fce2a12eafdac43501972dc336964b2bec287f5c9170246ec788e42108877586f0255049ee2

Download Submit
C:\Users\Admin\AppData\Local\QCAaCOHj\rstrui.exe
Filesize
268KB

MD5
4cad10846e93e85790865d5c0ab6ffd9

SHA1
8a223f4bab28afa4c7ed630f29325563c5dcda1a

SHA256
9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

SHA512
c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kscubvdexgimjec.lnk
Filesize
1KB

MD5
5bad107a1e64adc5a36b3437b9c6d02b

SHA1
e0f4dda64c13f8f83dce7c1e4553f290731feae7

SHA256
ce67c388d481bfa9b9b94f33244ad90157a14e8460c4de005629c96887624d57

SHA512
156e3cf7d24158733f89114aed9e438de37f8915106e51aa577a72b835a5e6b5fec2dc9bcb4407fd51f078005e00b51538d7a7b605b0d5881bb80e0d0267dfd1

Download Submit
memory/1900-88-0x00007FFA18F40000-0x00007FFA190A8000-memory.dmp

Filesize
1.4MB

Download
memory/1900-82-0x00000161EA240000-0x00000161EA247000-memory.dmp

Filesize
28KB

Download
memory/2156-71-0x00007FFA18F40000-0x00007FFA190A8000-memory.dmp

Filesize
1.4MB

Download
memory/2156-68-0x0000023C606B0000-0x0000023C606B7000-memory.dmp

Filesize
28KB

Download
memory/3364-37-0x00007FFA37870000-0x00007FFA37880000-memory.dmp

Filesize
64KB

Download
memory/3364-15-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-17-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-16-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-14-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-12-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-13-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-10-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-9-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-8-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-6-0x00007FFA3611A000-0x00007FFA3611B000-memory.dmp

Filesize
4KB

Download
memory/3364-18-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-36-0x0000000000D70000-0x0000000000D77000-memory.dmp

Filesize
28KB

Download
memory/3364-4-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/3364-11-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-7-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-19-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-38-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3364-27-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4068-54-0x00007FFA18F40000-0x00007FFA190A8000-memory.dmp

Filesize
1.4MB

Download
memory/4068-48-0x00007FFA18F40000-0x00007FFA190A8000-memory.dmp

Filesize
1.4MB

Download
memory/4068-51-0x000002BC16ED0000-0x000002BC16ED7000-memory.dmp

Filesize
28KB

Download
memory/4536-3-0x000001DEFBC10000-0x000001DEFBC17000-memory.dmp

Filesize
28KB

Download
memory/4536-41-0x00007FFA29140000-0x00007FFA292A7000-memory.dmp

Filesize
1.4MB

Download
memory/4536-0-0x00007FFA29140000-0x00007FFA292A7000-memory.dmp

Filesize
1.4MB

Download