dridex | 628e978c046d3a32250b53b7e1def33ecc6760d5931c4ecb6ccf065aa653b999

General

Target

f27722c012801df191a6ae5a86d225c3_JaffaCakes118.dll
Size

2.2MB
MD5

f27722c012801df191a6ae5a86d225c3
SHA1

fac0410dd94867b2b78fe895cd98f969123476f6
SHA256

628e978c046d3a32250b53b7e1def33ecc6760d5931c4ecb6ccf065aa653b999
SHA512

bbbc629ab6ab89c75a40c57ebeb0b02c72fa1ca176172f593b34611e2418f5bd64bfa120deda66921331cdb892649c397bf2411a567e87f8f90ef7a27088b2eb
SSDEEP

12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

osk.exesethc.exemsdt.exe

pid process

2960 osk.exe
2812 sethc.exe
1656 msdt.exe
Loads dropped DLL 7 IoCs

Processes:

osk.exesethc.exemsdt.exe

pid process

1200
2960 osk.exe
1200
2812 sethc.exe
1200
1656 msdt.exe
1200

pid	process
2960	osk.exe
2812	sethc.exe
1656	msdt.exe

pid	process
1200
2960	osk.exe
1200
2812	sethc.exe
1200
1656	msdt.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ybhspkdtbke = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\SYSTEM~1\\K01F2G~1\\sethc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeosk.exesethc.exemsdt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2228	rundll32.exe
2228	rundll32.exe
2228	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1200 wrote to memory of 2340	1200	osk.exe
PID 1200 wrote to memory of 2340	1200	osk.exe
PID 1200 wrote to memory of 2340	1200	osk.exe
PID 1200 wrote to memory of 2960	1200	osk.exe
PID 1200 wrote to memory of 2960	1200	osk.exe
PID 1200 wrote to memory of 2960	1200	osk.exe
PID 1200 wrote to memory of 2788	1200	sethc.exe
PID 1200 wrote to memory of 2788	1200	sethc.exe
PID 1200 wrote to memory of 2788	1200	sethc.exe
PID 1200 wrote to memory of 2812	1200	sethc.exe
PID 1200 wrote to memory of 2812	1200	sethc.exe
PID 1200 wrote to memory of 2812	1200	sethc.exe
PID 1200 wrote to memory of 908	1200	msdt.exe
PID 1200 wrote to memory of 908	1200	msdt.exe
PID 1200 wrote to memory of 908	1200	msdt.exe
PID 1200 wrote to memory of 1656	1200	msdt.exe
PID 1200 wrote to memory of 1656	1200	msdt.exe
PID 1200 wrote to memory of 1656	1200	msdt.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f27722c012801df191a6ae5a86d225c3_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2340

C:\Users\Admin\AppData\Local\0GWlR\osk.exe
C:\Users\Admin\AppData\Local\0GWlR\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2960

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:2788

C:\Users\Admin\AppData\Local\Q1YtX\sethc.exe
C:\Users\Admin\AppData\Local\Q1YtX\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2812

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:908

C:\Users\Admin\AppData\Local\cHuDBE\msdt.exe
C:\Users\Admin\AppData\Local\cHuDBE\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1656

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0GWlR\OLEACC.dll
Filesize
2.2MB

MD5
9470002336f030d2c150772787628454

SHA1
ed32b3915a1797449868e4f92c2d01d062bf8f67

SHA256
67dc8383107a3ce8c09e24d679bbaf48563b64b7f567db5b78c73c4ad3fcc2bd

SHA512
6af3b366a388d441a3599e750b0c26383f7425532b7c5862d506106230506a392a1f48031ce2538b2bf63de5f14dcbd66ecda843348a84e9fd49447721d522a8

Download Submit
C:\Users\Admin\AppData\Local\Q1YtX\OLEACC.dll
Filesize
2.2MB

MD5
5e0e2f7ad2718f9ad77c37790f4aeb2a

SHA1
b4fc38925e41c8238afe725ffc805b2927cef19b

SHA256
11b79102de27977ead29c25d702ac543a442f9392b9aa4a948ca4adee24d07c8

SHA512
862148e4d4224f3de07809b2257e266f457de01349bb69ad55dc29241cda590838a17a8cb9316deda0573fb48c946af63b4fe365dd7e37bbd907808c9c520dfc

Download Submit
C:\Users\Admin\AppData\Local\cHuDBE\Secur32.dll
Filesize
2.2MB

MD5
7b08c542ceaf5eba4afca41a7e39399c

SHA1
1a5fa15ce0ad6bed09508543adac2e3416215b86

SHA256
ca8b84b8194f15bfa19e9c6e124e792d91d53b638ff84e88957a734b9110d9e7

SHA512
2ca4ab610905452f13e983bb1a283796fba8238ff581735de18b4e8d4d81e0450f991a82ffd96aa1ab557dd9c30c9c55461f9c06cf8f5e7b521f7ab9e0facc90

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
Filesize
1KB

MD5
dbd59c1538e95cd08b119ac787251d4b

SHA1
28a8be2df416b11ee5790e435d3358b7e6d6f141

SHA256
8597a29a242cefb09f0dbbd235725224dc5cddf613b3ef88778db5be21fd7cbb

SHA512
1860e82be5fea87868da4cc545e30616560dfe64b272d50dcd5c89f0623e93465c4f2e07b7e0c3c81ad74bd55eb1a7ed9fe9ac22530c5acd69028721c984b3ec

Download Submit
\Users\Admin\AppData\Local\0GWlR\osk.exe
Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\Q1YtX\sethc.exe
Filesize
272KB

MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
\Users\Admin\AppData\Local\cHuDBE\msdt.exe
Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
memory/1200-32-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-33-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-26-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-31-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-25-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-35-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-37-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-39-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-41-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-42-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-44-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-46-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-48-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-49-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-53-0x0000000002D80000-0x0000000002D87000-memory.dmp

Filesize
28KB

Download
memory/1200-50-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-59-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-47-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-45-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-43-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-40-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-38-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-36-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-22-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-4-0x0000000077846000-0x0000000077847000-memory.dmp

Filesize
4KB

Download
memory/1200-30-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-28-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-34-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-20-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-19-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-17-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-16-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-60-0x0000000077951000-0x0000000077952000-memory.dmp

Filesize
4KB

Download
memory/1200-14-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-13-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-11-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-10-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-9-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-7-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-61-0x0000000077AB0000-0x0000000077AB2000-memory.dmp

Filesize
8KB

Download
memory/1200-70-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-74-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-24-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-23-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/1200-145-0x0000000077846000-0x0000000077847000-memory.dmp

Filesize
4KB

Download
memory/1200-12-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-15-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-21-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1200-18-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2228-8-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2228-1-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2228-0-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2812-108-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2960-90-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads