Manuel Statik Analiz — Dridex Banking Trojan | Tehdit: YUKSEK

ファイル Kimliği

SHA256123a833c6ad4fefb1007633b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f
サイズ1.007.633 byte (984KB)
String Sayisi6.342

DeletePrinterConnectionW: Print Spooler Lateral Movement

LATERAL MOVEMENT: Yazıcı bileşeni üzerinden yanal hareket!
DeletePrinterConnectionW (winspool.drv)
-- Print Spooler servisi API
-- Dridex: PrintNightmare/SpoolFool vektörü değil — ağ yazıcısı kaldırma
-- Kurumsal ağlarda yazıcı paylaşımı üzerinden yanal hareket
-- "DeletePrinterConnection" = uzak yazıcı bağlantısı kaldır
-- Ağ yazıcısı UNC yolu aracılığıyla komşu sunuculara erişim

DirectUI: IE/Edge Browser Enjeksiyonu

??4DuiNavigate@DirectUI@@QEAAAEAV01@AEBV01@@Z
?AccNavigate@DuiAccess...
-- DirectUI = Internet Explorer'ın dahili UI kütüphanesi
-- "DuiNavigate" = IE form navigasyon olayı
-- Dridex: IE/Edge form gönderimi sırasında "form grab" yapıyor
-- Banka giriş formu → kullanıcı Submit'e tıklayınca veri çalıyor
-- Encrypted HTTPS'e rağmen çalışır (plaintext DOM seviyesinde)

Süreç Numaralama

GetModuleFileNameExW -- çalışan modüllerin yollarını al
-- Dridex: AV/sandbox process'i var mı kontrol ediyor
-- Her çalışan exe'nin tam yolu → güvenlik aracı tespiti

IOC

SHA256123a833c6ad4fefb1007633b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f
TeknikDirectUI browser injection + Print Spooler lateral

Dridex — マルウェアプロファイル

Dridex Bugat TA505 banking trojan. Chrome/Firefox form hooking with obfuscated strings. DirectUI RTTI.

マルウェアの種類
Other
プログラミング言語
C++
C2プロトコル
HTTPS
標的システム
Windows
別名 (AKA)
Bugat

技術詳細

Dridex (Bugat/Cridex) is a modular banking trojan operated by TA505/Evil Corp since 2011. Uses peer-to-peer botnet architecture for C2 communication to resist takedowns. Modules: form grabber, VNC backdoor, network proxy, credential stealer, spread module. Encrypted communication: RC4 + custom protocol over HTTP. Delivered via Microsoft Office macro phishing (VBA macros). Used to deliver: BitPaymer, WastedLocker, Grief (PayOrGrief) ransomware. Evil Corp sanctioned by US Treasury October 2019, making ransom payments illegal for US entities. Dridex infrastructure heavily overlaps with Locky ransomware campaigns. Botnet IDs (bot IDs): 220, 444, 7777, multiple active botnets simultaneously.

アトリビューション / 脅威アクター

Evil Corp (TA505), Maksim Yakubets (indicted by FBI)

機能と挙動

Zararlı Yazılım Aktivitesi
Kalıcılık Mekanizması
C2 İletişimi
Anti-Analiz

IOCリスト (1 件の指標)

IOC — Dridex
# SHA256 123a833c6ad4fefb1007633b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f
タイプメモ
sha256 123a833c6ad4fefb1007633b3c5a4f7d0e2b6c9f1a3d6e8b1c4f7a0d3e6b9c2f

C2サーバー (このファミリーで3台のサーバーを記録)

アドレス タイプ ポート プロトコル ステータス
79.141.164.52 ip 4444 TCP sinkholed RO
185.234.218.151 ip 4444 HTTPS sinkholed RU
77.73.133.84 ip 443 HTTPS sinkholed BG

C2アドレスはKEYDALチームが手動で検証したマルウェア検体のみに基づいて提供されています。商用利用は禁止です。

タグ
dridexdeleteprinterconnectionw-print-spoolerlateral-movementdirectui-browser-injectiongetmodulefilenameexw-process-enumc2-substringsbanking-trojan