dridex | 61d82c261caf4346ce16385a69192ff356f9bb1455d34802d362f6efdfc199e1

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

791ccdb6ee9aec99c283d3aa5abaf42c_JaffaCakes118.dll
Size

990KB
MD5

791ccdb6ee9aec99c283d3aa5abaf42c
SHA1

aa96e92baa5a5fc4cfb9963bebd1c32ed0b1969b
SHA256

61d82c261caf4346ce16385a69192ff356f9bb1455d34802d362f6efdfc199e1
SHA512

55b4a90eeec621f460b46f91ce478d22f7d9808f2c8e7f18cc89a9af77ee3173a176f3b6e6538a7618b52e74a0879615db9fd54209ff8b584e0884256d8f64db
SSDEEP

24576:SVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:SV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1196-5-0x0000000002E20000-0x0000000002E21000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

SoundRecorder.exeStikyNot.exeBitLockerWizardElev.exe

pid process

2724 SoundRecorder.exe
2680 StikyNot.exe
1676 BitLockerWizardElev.exe
Loads dropped DLL 7 IoCs

Processes:

SoundRecorder.exeStikyNot.exeBitLockerWizardElev.exe

pid process

1196
2724 SoundRecorder.exe
1196
2680 StikyNot.exe
1196
1676 BitLockerWizardElev.exe
1196

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002E20000-0x0000000002E21000-memory.dmp	dridex_stager_shellcode

pid	process
2724	SoundRecorder.exe
2680	StikyNot.exe
1676	BitLockerWizardElev.exe

pid	process
1196
2724	SoundRecorder.exe
1196
2680	StikyNot.exe
1196
1676	BitLockerWizardElev.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1298544033-3225604241-2703760938-1000\\3BYyyL\\StikyNot.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSoundRecorder.exeStikyNot.exeBitLockerWizardElev.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoundRecorder.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StikyNot.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2756	rundll32.exe
2756	rundll32.exe
2756	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2608	1196	SoundRecorder.exe
PID 1196 wrote to memory of 2608	1196	SoundRecorder.exe
PID 1196 wrote to memory of 2608	1196	SoundRecorder.exe
PID 1196 wrote to memory of 2724	1196	SoundRecorder.exe
PID 1196 wrote to memory of 2724	1196	SoundRecorder.exe
PID 1196 wrote to memory of 2724	1196	SoundRecorder.exe
PID 1196 wrote to memory of 1856	1196	StikyNot.exe
PID 1196 wrote to memory of 1856	1196	StikyNot.exe
PID 1196 wrote to memory of 1856	1196	StikyNot.exe
PID 1196 wrote to memory of 2680	1196	StikyNot.exe
PID 1196 wrote to memory of 2680	1196	StikyNot.exe
PID 1196 wrote to memory of 2680	1196	StikyNot.exe
PID 1196 wrote to memory of 1976	1196	BitLockerWizardElev.exe
PID 1196 wrote to memory of 1976	1196	BitLockerWizardElev.exe
PID 1196 wrote to memory of 1976	1196	BitLockerWizardElev.exe
PID 1196 wrote to memory of 1676	1196	BitLockerWizardElev.exe
PID 1196 wrote to memory of 1676	1196	BitLockerWizardElev.exe
PID 1196 wrote to memory of 1676	1196	BitLockerWizardElev.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\791ccdb6ee9aec99c283d3aa5abaf42c_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2756

C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
1⤵
PID:2608

C:\Users\Admin\AppData\Local\w8f\SoundRecorder.exe
C:\Users\Admin\AppData\Local\w8f\SoundRecorder.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2724

C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
1⤵
PID:1856

C:\Users\Admin\AppData\Local\pphG\StikyNot.exe
C:\Users\Admin\AppData\Local\pphG\StikyNot.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2680

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:1976

C:\Users\Admin\AppData\Local\DE3\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\DE3\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1676

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DE3\FVEWIZ.dll
Filesize
992KB

MD5
d3a1a091620e8a708cac80b89e3f868a

SHA1
06da90c2236876f92c2accecf41878bfdf923628

SHA256
474b5bbdc67a0ab99a9d04cb417911daa6f164889ccf34532845f71dc6ca34a5

SHA512
c1af35a2710274b178f1ed23c20ac88d6347840555ca74f9582167816f2e682147eb68e14a30c0f491b07430d0855df5b1671b944e3d2b5abedd399b739c4755

Download Submit
C:\Users\Admin\AppData\Local\pphG\slc.dll
Filesize
991KB

MD5
6b79fed2f21e9406a55dbec0b9861785

SHA1
32b6814234f18ca71f16cb3aa34522bfcbc44f75

SHA256
5e76802ec6acad0f576e2fe0409a6e1f5d226ea9128d93b4aa721a9627025a21

SHA512
4d01850e51d777de7795ed693ef0373198ab809d97a86be10c802bdec4bfcbfb16c3fbc77a3439407ebac0147fa2a72aa6814439bd4fb5094325feaa4ce7bfe7

Download Submit
C:\Users\Admin\AppData\Local\w8f\WINMM.dll
Filesize
995KB

MD5
d88056340eb1a98eec3e3fcc0a20959b

SHA1
7de8c303b5a33bacd4626d1cfb69f800ac86ac6a

SHA256
87871aa9f473c0d1c7bd7976785df454d5718a89de403263d1be423ab0786b70

SHA512
be3c16cfd9f21061f978286cbdedd3b7b7be7d9bf91be403ad84f8ff4279d2b5b5f0f125c61b8fe7b10fb6480b27f48b8e6460b43fe49a12a977cff99bc076fe

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnk
Filesize
1KB

MD5
f226388646720cdd05aada005d1577e1

SHA1
c16b30565effa3f6c95ec6e3e9b5a90b0cf36575

SHA256
d12b5f87e4fe9335b4b03d04cd7fe873595cf2b32c6d5a659c210b0fb2f77573

SHA512
6a8ccfd5ef0f9b700887f4f000c7ce42b7a973120801c7585bb19e050eebe8d0877de4a0960112e2e0c7c09b00552c5dc163d7e64dfa701290cf9ded641903a5

Download Submit
\Users\Admin\AppData\Local\DE3\BitLockerWizardElev.exe
Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
\Users\Admin\AppData\Local\pphG\StikyNot.exe
Filesize
417KB

MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
\Users\Admin\AppData\Local\w8f\SoundRecorder.exe
Filesize
139KB

MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
memory/1196-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-26-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/1196-25-0x0000000077671000-0x0000000077672000-memory.dmp

Filesize
4KB

Download
memory/1196-24-0x0000000002E00000-0x0000000002E07000-memory.dmp

Filesize
28KB

Download
memory/1196-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-4-0x0000000077466000-0x0000000077467000-memory.dmp

Filesize
4KB

Download
memory/1196-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-5-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/1196-72-0x0000000077466000-0x0000000077467000-memory.dmp

Filesize
4KB

Download
memory/1196-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1676-89-0x0000000001AC0000-0x0000000001AC7000-memory.dmp

Filesize
28KB

Download
memory/1676-95-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2680-70-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2680-74-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2680-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2724-58-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2724-55-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2724-52-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2756-3-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/2756-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2756-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads