dridex | 0ca6eeb34b2c72f00949a770e57661c268118f3b6482018be4dd6c6a1fd07719

General

Target

f1a67e05914164352d275e66cccaf7bb_JaffaCakes118.dll
Size

1.8MB
MD5

f1a67e05914164352d275e66cccaf7bb
SHA1

14e733c9a5377403784b6d76e5f47a726792d46c
SHA256

0ca6eeb34b2c72f00949a770e57661c268118f3b6482018be4dd6c6a1fd07719
SHA512

ab13de1f87b73136b73360f7adb5349982f92e5a084005250d62c0555289fde65a34fa34f33e62cbf220864ab737c519208413bebf998057af409e5d62b62fa7
SSDEEP

12288:yVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:vfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1264-5-0x0000000002220000-0x0000000002221000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wisptis.exeslui.execttune.exe

pid process

2496 wisptis.exe
840 slui.exe
2836 cttune.exe
Loads dropped DLL 7 IoCs

Processes:

wisptis.exeslui.execttune.exe

pid process

1264
2496 wisptis.exe
1264
840 slui.exe
1264
2836 cttune.exe
1264

pid	process
2496	wisptis.exe
840	slui.exe
2836	cttune.exe

pid	process
1264
2496	wisptis.exe
1264
840	slui.exe
1264
2836	cttune.exe
1264

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\eLwNK\\slui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewisptis.exeslui.execttune.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wisptis.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1264 wrote to memory of 2456	1264	wisptis.exe
PID 1264 wrote to memory of 2456	1264	wisptis.exe
PID 1264 wrote to memory of 2456	1264	wisptis.exe
PID 1264 wrote to memory of 2496	1264	wisptis.exe
PID 1264 wrote to memory of 2496	1264	wisptis.exe
PID 1264 wrote to memory of 2496	1264	wisptis.exe
PID 1264 wrote to memory of 1148	1264	slui.exe
PID 1264 wrote to memory of 1148	1264	slui.exe
PID 1264 wrote to memory of 1148	1264	slui.exe
PID 1264 wrote to memory of 840	1264	slui.exe
PID 1264 wrote to memory of 840	1264	slui.exe
PID 1264 wrote to memory of 840	1264	slui.exe
PID 1264 wrote to memory of 2764	1264	cttune.exe
PID 1264 wrote to memory of 2764	1264	cttune.exe
PID 1264 wrote to memory of 2764	1264	cttune.exe
PID 1264 wrote to memory of 2836	1264	cttune.exe
PID 1264 wrote to memory of 2836	1264	cttune.exe
PID 1264 wrote to memory of 2836	1264	cttune.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1a67e05914164352d275e66cccaf7bb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
1⤵
PID:2456

C:\Users\Admin\AppData\Local\dx3mInmww\wisptis.exe
C:\Users\Admin\AppData\Local\dx3mInmww\wisptis.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2496

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:1148

C:\Users\Admin\AppData\Local\SYL3B\slui.exe
C:\Users\Admin\AppData\Local\SYL3B\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:840

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2764

C:\Users\Admin\AppData\Local\b2K\cttune.exe
C:\Users\Admin\AppData\Local\b2K\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2836

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\b2K\OLEACC.dll
Filesize
1.8MB

MD5
3a5377ef226d414132e4bee68ce26039

SHA1
0a635bbf8741f9a751d36b17cafc9dfe647f765e

SHA256
467f28ea9826d4d3b56a646a3e01b972014e472795ff199718fa0cb627a12b01

SHA512
b6417def2b72c8d31456b7b724162cb4ee200ec7c4a05ff2b14c5905939f1910a095c5e7815f87b3153900bb140e90b62222043dbf1761ffefef4dff0681d431

Download Submit
C:\Users\Admin\AppData\Local\dx3mInmww\WTSAPI32.dll
Filesize
1.8MB

MD5
6c63fde341afd03590ffe734613f6f6d

SHA1
ae836935d16de0cbca4b508f423f19ef45b5f712

SHA256
fde9c0c8e221929411841a15f348d0be8a3a7e5e6886af5a90f0140fd6db3509

SHA512
ae9165580443f2487a5a2252ba1aab6426341bc65729212e1cfe2b468a7c5bb53c0b46c5d00654651e440895c4b3edc9d3da64581564176a81417d1bbd917624

Download Submit
C:\Users\Admin\AppData\Local\dx3mInmww\wisptis.exe
Filesize
396KB

MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
66b3edf23d4ce9b76b427b41ce612585

SHA1
9c1be7840e82592666748ba61df91ebabb955a2d

SHA256
d9e7c5af97c95a28ffd8d3efbb7e137bbfc39750fb431c911cbdceae6ab1533a

SHA512
9d879ee65b9db92d3df107cdfcbb6c5b48347cc921a51b26d136210dbd5fddbc0577f14437383536c4d4d483fc68dcd404015026e84e878bc315310a5040ef9e

Download Submit
\Users\Admin\AppData\Local\SYL3B\WINBRAND.dll
Filesize
1.8MB

MD5
85f5b48293a9c57e03464dd02bc8a119

SHA1
1c96749f4899e3f65628dca4173cd4cadd2a84ac

SHA256
c7bf5a05d7b8a775e0f702e600282816a867b49330422682849b70a755bcba14

SHA512
a02c7f445dab2c758d3df23d3361145bcb7d9f2423ef576815776c773164bd1cd31086ec79cce9d2028167132ddb2fda9328b80e1d0a9acb7030c1bacd7c5d4c

Download Submit
\Users\Admin\AppData\Local\SYL3B\slui.exe
Filesize
341KB

MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
\Users\Admin\AppData\Local\b2K\cttune.exe
Filesize
314KB

MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
memory/840-100-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/1264-36-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-42-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-17-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-16-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-18-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-22-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-21-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-20-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-19-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-23-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-33-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-32-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-31-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-30-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-29-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-28-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-27-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-26-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-25-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-24-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-35-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-34-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-4-0x0000000076B46000-0x0000000076B47000-memory.dmp

Filesize
4KB

Download
memory/1264-40-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-39-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-38-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-37-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-11-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-43-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-41-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-44-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-46-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-45-0x00000000021F0000-0x00000000021F7000-memory.dmp

Filesize
28KB

Download
memory/1264-53-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-55-0x0000000076EB0000-0x0000000076EB2000-memory.dmp

Filesize
8KB

Download
memory/1264-54-0x0000000076D51000-0x0000000076D52000-memory.dmp

Filesize
4KB

Download
memory/1264-64-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-70-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-69-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-74-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-12-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-13-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-5-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1264-142-0x0000000076B46000-0x0000000076B47000-memory.dmp

Filesize
4KB

Download
memory/1264-10-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-9-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-7-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-14-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1264-15-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1728-8-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1728-1-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1728-0-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/2496-82-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-83-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2836-120-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads