dridex | 85276985d1a45e22149784e2fcf0064ca7c158e5f4dd629389f759fb82727bb1

General

Target

f1ef2c7b7bd2a2324eb6f6a7000904d2_JaffaCakes118.dll
Size

848KB
MD5

f1ef2c7b7bd2a2324eb6f6a7000904d2
SHA1

80e394b16376c0c80be9fcdb45e1fced3a0a3a71
SHA256

85276985d1a45e22149784e2fcf0064ca7c158e5f4dd629389f759fb82727bb1
SHA512

260146941bb9076c38a433d281921b22b4196001b57c7ad9c6b64fc9c3ad59b87b1d51f70a6e6917e9f270078aa48b29063c20630b02f2565fa02a04d2042b65
SSDEEP

12288:zkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:zkbHkWfzZ5adwLNGeStHntqN7v

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3628-3-0x0000000002FF0000-0x0000000002FF1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/4796-0-0x00007FF9CEDC0000-0x00007FF9CEE94000-memory.dmp	dridex_payload
behavioral2/memory/3628-20-0x0000000140000000-0x00000001400D4000-memory.dmp	dridex_payload
behavioral2/memory/3628-27-0x0000000140000000-0x00000001400D4000-memory.dmp	dridex_payload
behavioral2/memory/3628-38-0x0000000140000000-0x00000001400D4000-memory.dmp	dridex_payload
behavioral2/memory/4796-41-0x00007FF9CEDC0000-0x00007FF9CEE94000-memory.dmp	dridex_payload
behavioral2/memory/4148-49-0x00007FF9BFC70000-0x00007FF9BFD8A000-memory.dmp	dridex_payload
behavioral2/memory/4148-53-0x00007FF9BFC70000-0x00007FF9BFD8A000-memory.dmp	dridex_payload
behavioral2/memory/4840-65-0x00007FF9CEDC0000-0x00007FF9CEE95000-memory.dmp	dridex_payload
behavioral2/memory/4840-70-0x00007FF9CEDC0000-0x00007FF9CEE95000-memory.dmp	dridex_payload
behavioral2/memory/2464-82-0x00007FF9BFCB0000-0x00007FF9BFD85000-memory.dmp	dridex_payload
behavioral2/memory/2464-86-0x00007FF9BFCB0000-0x00007FF9BFD85000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

sessionmsg.exedxgiadaptercache.exeMusNotifyIcon.exe

pid process

4148 sessionmsg.exe
4840 dxgiadaptercache.exe
2464 MusNotifyIcon.exe
Loads dropped DLL 4 IoCs

Processes:

sessionmsg.exedxgiadaptercache.exeMusNotifyIcon.exe

pid process

4148 sessionmsg.exe
4840 dxgiadaptercache.exe
4840 dxgiadaptercache.exe
2464 MusNotifyIcon.exe

pid	process
4148	sessionmsg.exe
4840	dxgiadaptercache.exe
2464	MusNotifyIcon.exe

pid	process
4148	sessionmsg.exe
4840	dxgiadaptercache.exe
4840	dxgiadaptercache.exe
2464	MusNotifyIcon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xmqiszjymzcq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\eovsbtl6Uq\\dxgiadaptercache.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

MusNotifyIcon.exerundll32.exesessionmsg.exedxgiadaptercache.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4796	rundll32.exe
4796	rundll32.exe
4796	rundll32.exe
4796	rundll32.exe
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628
3628

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3628

pid	process
3628

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3628 wrote to memory of 4648	3628	sessionmsg.exe
PID 3628 wrote to memory of 4648	3628	sessionmsg.exe
PID 3628 wrote to memory of 4148	3628	sessionmsg.exe
PID 3628 wrote to memory of 4148	3628	sessionmsg.exe
PID 3628 wrote to memory of 4984	3628	dxgiadaptercache.exe
PID 3628 wrote to memory of 4984	3628	dxgiadaptercache.exe
PID 3628 wrote to memory of 4840	3628	dxgiadaptercache.exe
PID 3628 wrote to memory of 4840	3628	dxgiadaptercache.exe
PID 3628 wrote to memory of 4596	3628	MusNotifyIcon.exe
PID 3628 wrote to memory of 4596	3628	MusNotifyIcon.exe
PID 3628 wrote to memory of 2464	3628	MusNotifyIcon.exe
PID 3628 wrote to memory of 2464	3628	MusNotifyIcon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1ef2c7b7bd2a2324eb6f6a7000904d2_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:4648

C:\Users\Admin\AppData\Local\Zhn8\sessionmsg.exe
C:\Users\Admin\AppData\Local\Zhn8\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4148

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:4984

C:\Users\Admin\AppData\Local\lgf4mZO9\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\lgf4mZO9\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4840

C:\Windows\system32\MusNotifyIcon.exe
C:\Windows\system32\MusNotifyIcon.exe
1⤵
PID:4596

C:\Users\Admin\AppData\Local\aFRhPJ\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\aFRhPJ\MusNotifyIcon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Zhn8\DUI70.dll

Filesize
1.1MB

MD5
2f428e34dd2d6268c3ae1aa2a9f2512b

SHA1
f0d6c42943eff9a96643cd400273448a52e5571f

SHA256
e75beec98ba0b94b40f249620ef86ec7337de45ebe3e8214cab260d512d3910c

SHA512
bd8da45e8bc47ca5d89d22c3089e1ede7fda9533144c955450ac35e9728c0ee25f6c7142819b327b4e58770bbe658fe3b53bcf0d1b607361ac4b0b43714b0baf

Download Submit
C:\Users\Admin\AppData\Local\Zhn8\sessionmsg.exe

Filesize
85KB

MD5
480f710806b68dfe478ca1ec7d7e79cc

SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd

SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Download Submit
C:\Users\Admin\AppData\Local\aFRhPJ\MusNotifyIcon.exe

Filesize
629KB

MD5
c54b1a69a21e03b83ebb0aeb3758b6f7

SHA1
b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

SHA256
ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

SHA512
2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

Download Submit
C:\Users\Admin\AppData\Local\aFRhPJ\XmlLite.dll

Filesize
852KB

MD5
58dd9d30edd14ec2a7e497187f0e175e

SHA1
afd5d789854193dd487d62a0c072b1c4f8697a35

SHA256
d3f30db4c5f252b968fcb6f3398cd240507f1c1f30f9d27de83677196b040b7c

SHA512
36de0a29eaf2339d12b71549e5c16689dfa82ecb36bb0e33de1e8dda44b1c1633d4657231fcd2fba5a111fc908a091cca5cb4fd8b7f86ed5d96e81d58f314d91

Download Submit
C:\Users\Admin\AppData\Local\lgf4mZO9\dxgi.dll

Filesize
852KB

MD5
ec1743007fe6f4aadf5b44b87bc1072d

SHA1
2009be1571bbe2a93f71d915908d5ac7f0957ed9

SHA256
d26218e4d7c341a3bdbadff41760e126b48fdda614c66133c84188600b8fc1a0

SHA512
beec265d13576cc25c644342e66eb9b2c18e0ded9b92abdff13611001d9a0f57cee16521c063025e6ffdec1fd059b3b89342dafe7d3614593bab8b44984dda0a

Download Submit
C:\Users\Admin\AppData\Local\lgf4mZO9\dxgiadaptercache.exe

Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Uajflgomesic.lnk

Filesize
1KB

MD5
759762b811a52db62e574789e72b96d5

SHA1
565e5c51b13ffbe0e59b8fca1e2537150d73ff18

SHA256
91bb626d9f47a0cd70fd97206e625d987a9ab4021db722e0fe1e803b9d439f99

SHA512
10c2bb4f0f87e7837b55af72de4faf5721417b19aad824f70b8640e0e0c540207ec9a702cebc8a42b3ebddf074127a334389accfdd27e2f1e7139d10b726e48c

Download Submit
memory/2464-86-0x00007FF9BFCB0000-0x00007FF9BFD85000-memory.dmp

Filesize
852KB

Download
memory/2464-81-0x000002A4E3130000-0x000002A4E3137000-memory.dmp

Filesize
28KB

Download
memory/2464-82-0x00007FF9BFCB0000-0x00007FF9BFD85000-memory.dmp

Filesize
852KB

Download
memory/3628-12-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-11-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-14-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-15-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-16-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-17-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-19-0x0000000002FB0000-0x0000000002FB7000-memory.dmp

Filesize
28KB

Download
memory/3628-18-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-20-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-27-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-28-0x00007FF9DD4C0000-0x00007FF9DD4D0000-memory.dmp

Filesize
64KB

Download
memory/3628-29-0x00007FF9DD4B0000-0x00007FF9DD4C0000-memory.dmp

Filesize
64KB

Download
memory/3628-38-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-3-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/3628-5-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-13-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-6-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-8-0x00007FF9DC1AA000-0x00007FF9DC1AB000-memory.dmp

Filesize
4KB

Download
memory/3628-9-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-10-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3628-7-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/4148-53-0x00007FF9BFC70000-0x00007FF9BFD8A000-memory.dmp

Filesize
1.1MB

Download
memory/4148-49-0x00007FF9BFC70000-0x00007FF9BFD8A000-memory.dmp

Filesize
1.1MB

Download
memory/4148-48-0x00000201D1BE0000-0x00000201D1BE7000-memory.dmp

Filesize
28KB

Download
memory/4796-1-0x000001B756F80000-0x000001B756F87000-memory.dmp

Filesize
28KB

Download
memory/4796-41-0x00007FF9CEDC0000-0x00007FF9CEE94000-memory.dmp

Filesize
848KB

Download
memory/4796-0-0x00007FF9CEDC0000-0x00007FF9CEE94000-memory.dmp

Filesize
848KB

Download
memory/4840-65-0x00007FF9CEDC0000-0x00007FF9CEE95000-memory.dmp

Filesize
852KB

Download
memory/4840-66-0x000002A4A2A90000-0x000002A4A2A97000-memory.dmp

Filesize
28KB

Download
memory/4840-70-0x00007FF9CEDC0000-0x00007FF9CEE95000-memory.dmp

Filesize
852KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads