dridex | 69410188e366c90d44d0f848b78601bd6174f0fb9825fb449368fc37aa6fb0ef

Analysis

max time kernel
149s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87c3545cdce9ac4de4d6b4b059dc87ba_JaffaCakes118.dll
Size

1.2MB
MD5

87c3545cdce9ac4de4d6b4b059dc87ba
SHA1

59faa155317c706c9cd0898511a9b55266db63d3
SHA256

69410188e366c90d44d0f848b78601bd6174f0fb9825fb449368fc37aa6fb0ef
SHA512

7f9dff0546abea7fb00682599d467f7c37acc4e6cadb59a814d12023eb33e5586a485d2657c6c47a2777198a63083855d5f10a08bbf19b519c93c826d94299ef
SSDEEP

24576:xVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:xV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3384-4-0x00000000077B0000-0x00000000077B1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

RdpSa.exeBdeUISrv.exetcmsetup.exe

pid process

2148 RdpSa.exe
948 BdeUISrv.exe
1488 tcmsetup.exe
Loads dropped DLL 3 IoCs

Processes:

RdpSa.exeBdeUISrv.exetcmsetup.exe

pid process

2148 RdpSa.exe
948 BdeUISrv.exe
1488 tcmsetup.exe

resource	yara_rule
behavioral2/memory/3384-4-0x00000000077B0000-0x00000000077B1000-memory.dmp	dridex_stager_shellcode

pid	process
2148	RdpSa.exe
948	BdeUISrv.exe
1488	tcmsetup.exe

pid	process
2148	RdpSa.exe
948	BdeUISrv.exe
1488	tcmsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\DQGJ4idNAgH\\BdeUISrv.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BdeUISrv.exetcmsetup.exerundll32.exeRdpSa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSa.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
5780	rundll32.exe
5780	rundll32.exe
5780	rundll32.exe
5780	rundll32.exe
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3384
Token: SeCreatePagefilePrivilege 3384
Token: SeShutdownPrivilege 3384
Token: SeCreatePagefilePrivilege 3384
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3384
3384
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3384

description	pid	process
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384

pid	process
3384
3384

pid	process
3384

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3384 wrote to memory of 1584	3384	RdpSa.exe
PID 3384 wrote to memory of 1584	3384	RdpSa.exe
PID 3384 wrote to memory of 2148	3384	RdpSa.exe
PID 3384 wrote to memory of 2148	3384	RdpSa.exe
PID 3384 wrote to memory of 2080	3384	BdeUISrv.exe
PID 3384 wrote to memory of 2080	3384	BdeUISrv.exe
PID 3384 wrote to memory of 948	3384	BdeUISrv.exe
PID 3384 wrote to memory of 948	3384	BdeUISrv.exe
PID 3384 wrote to memory of 5900	3384	tcmsetup.exe
PID 3384 wrote to memory of 5900	3384	tcmsetup.exe
PID 3384 wrote to memory of 1488	3384	tcmsetup.exe
PID 3384 wrote to memory of 1488	3384	tcmsetup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\87c3545cdce9ac4de4d6b4b059dc87ba_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5780

C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
1⤵
PID:1584

C:\Users\Admin\AppData\Local\Zez\RdpSa.exe
C:\Users\Admin\AppData\Local\Zez\RdpSa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2148

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:2080

C:\Users\Admin\AppData\Local\8xCh\BdeUISrv.exe
C:\Users\Admin\AppData\Local\8xCh\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:948

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:5900

C:\Users\Admin\AppData\Local\IuBp\tcmsetup.exe
C:\Users\Admin\AppData\Local\IuBp\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8xCh\BdeUISrv.exe
Filesize
54KB

MD5
8595075667ff2c9a9f9e2eebc62d8f53

SHA1
c48b54e571f05d4e21d015bb3926c2129f19191a

SHA256
20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

SHA512
080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

Download Submit
C:\Users\Admin\AppData\Local\8xCh\WTSAPI32.dll
Filesize
1.2MB

MD5
115ce9e43b254fa1a1cf2f28861ed775

SHA1
ff2d81d910885c7671d63a04fc2c104e3dcc34da

SHA256
3d2a06d6d43307b25dc6500575fa72737ce18d85eaeac33358c364d0d3fe04d1

SHA512
e7ae7cb4c8c797e3892763c99dda97ba575a252c9ec9f7dbd94d18754de88dc40b0c865394fab8530dcdcfba19dd58aa3f4a6ff1076beb4b2c342f9140f92279

Download Submit
C:\Users\Admin\AppData\Local\IuBp\TAPI32.dll
Filesize
1.2MB

MD5
a8aa52d0d428a459dd0492601e090793

SHA1
151dd865244776839a48c3cf884e3e618b8f9625

SHA256
3b8a82c2c6fb7ec57138a76f1cec2f054335df931b65eb73a4c0d273b181d1dc

SHA512
505da7688165e787cd9d3361dace482785ef90afa82fbdc6ab93c973e5d1172f5f76fed1dd5c14ebc28db14a086894c997008516fa7aaa5904727d28e14f05b7

Download Submit
C:\Users\Admin\AppData\Local\IuBp\tcmsetup.exe
Filesize
16KB

MD5
58f3b915b9ae7d63431772c2616b0945

SHA1
6346e837da3b0f551becb7cac6d160e3063696e9

SHA256
e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

SHA512
7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

Download Submit
C:\Users\Admin\AppData\Local\Zez\RdpSa.exe
Filesize
56KB

MD5
5992f5b5d0b296b83877da15b54dd1b4

SHA1
0d87be8d4b7aeada4b55d1d05c0539df892f8f82

SHA256
32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

SHA512
4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

Download Submit
C:\Users\Admin\AppData\Local\Zez\WINSTA.dll
Filesize
1.2MB

MD5
e8bb099506f40f12e19fb512493e209b

SHA1
3364370ea5f454e3a8258f545b6a99aac30def73

SHA256
d53a3c5a840ed606e8816f54cea93cbe73ca2acad851241fda629ecb597fd150

SHA512
7e94d50571721c4631c91a3895ecc693ca39b8c18d3420c97ecd634c63c6e272cdf9891e79e4085b523663a73b8b679c40b634a98e7818bd5e1a59c7270e29f2

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize
1KB

MD5
a33d50199fc8a49e3a5382bf1cf7cd87

SHA1
d0dfbc5c700eccea6d4215d32187b69d3d673fa9

SHA256
641568dab044ee273fdb6b0ebd7c2ceb700a4e7c1e932abf40b06e24351be145

SHA512
bcc02823eebbabf5c19d73f48a976a8309bc31409688d542faf42ae3d1c2ceb9eade41c5daad6d55cb12fbc73cfbce050e85e91e5c44784f62674bc084ef3a59

Download Submit
memory/948-69-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/948-66-0x000001C76EBB0000-0x000001C76EBB7000-memory.dmp

Filesize
28KB

Download
memory/948-63-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1488-85-0x0000024EAFAC0000-0x0000024EAFAC7000-memory.dmp

Filesize
28KB

Download
memory/1488-88-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2148-52-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2148-49-0x0000029154620000-0x0000029154627000-memory.dmp

Filesize
28KB

Download
memory/2148-47-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3384-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3384-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3384-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3384-4-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/3384-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3384-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3384-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3384-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3384-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3384-6-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3384-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3384-24-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3384-28-0x00007FFA208BA000-0x00007FFA208BB000-memory.dmp

Filesize
4KB

Download
memory/3384-29-0x00000000077D0000-0x00000000077D7000-memory.dmp

Filesize
28KB

Download
memory/3384-30-0x00007FFA21790000-0x00007FFA217A0000-memory.dmp

Filesize
64KB

Download
memory/3384-36-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/5780-3-0x0000018414BB0000-0x0000018414BB7000-memory.dmp

Filesize
28KB

Download
memory/5780-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/5780-0-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download