dridex | bf69701383654649697c0a1b2ff900751ffd006daad2d58b688913fcf360f5a7

General

Target

f579600a6574f3180a38366e521e062d_JaffaCakes118.dll
Size

1.5MB
MD5

f579600a6574f3180a38366e521e062d
SHA1

cc123d182933a36f5989fc689bc537f9bf7f89c2
SHA256

bf69701383654649697c0a1b2ff900751ffd006daad2d58b688913fcf360f5a7
SHA512

51bf19b830c2a7254f9b75ea1fb81d89924f24bc111fe69eeedfdcca716bcf13599849bc4db933b2a79d79f26a24064f8368e0f79af1448294fd9f93fb40c910
SSDEEP

12288:ZVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:YfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1232-5-0x0000000002A90000-0x0000000002A91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

recdisc.exeMpSigStub.execmstp.exe

pid process

1472 recdisc.exe
2196 MpSigStub.exe
2620 cmstp.exe
Loads dropped DLL 7 IoCs

Processes:

recdisc.exeMpSigStub.execmstp.exe

pid process

1232
1472 recdisc.exe
1232
2196 MpSigStub.exe
1232
2620 cmstp.exe
1232

pid	process
1472	recdisc.exe
2196	MpSigStub.exe
2620	cmstp.exe

pid	process
1232
1472	recdisc.exe
1232
2196	MpSigStub.exe
1232
2620	cmstp.exe
1232

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dbbbckkcyxuv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Low\\Vl4ygQlA\\MPSIGS~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerecdisc.exeMpSigStub.execmstp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1232 wrote to memory of 2912	1232	recdisc.exe
PID 1232 wrote to memory of 2912	1232	recdisc.exe
PID 1232 wrote to memory of 2912	1232	recdisc.exe
PID 1232 wrote to memory of 1472	1232	recdisc.exe
PID 1232 wrote to memory of 1472	1232	recdisc.exe
PID 1232 wrote to memory of 1472	1232	recdisc.exe
PID 1232 wrote to memory of 2052	1232	MpSigStub.exe
PID 1232 wrote to memory of 2052	1232	MpSigStub.exe
PID 1232 wrote to memory of 2052	1232	MpSigStub.exe
PID 1232 wrote to memory of 2196	1232	MpSigStub.exe
PID 1232 wrote to memory of 2196	1232	MpSigStub.exe
PID 1232 wrote to memory of 2196	1232	MpSigStub.exe
PID 1232 wrote to memory of 2472	1232	cmstp.exe
PID 1232 wrote to memory of 2472	1232	cmstp.exe
PID 1232 wrote to memory of 2472	1232	cmstp.exe
PID 1232 wrote to memory of 2620	1232	cmstp.exe
PID 1232 wrote to memory of 2620	1232	cmstp.exe
PID 1232 wrote to memory of 2620	1232	cmstp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f579600a6574f3180a38366e521e062d_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2184

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:2912

C:\Users\Admin\AppData\Local\m8sRKTq\recdisc.exe
C:\Users\Admin\AppData\Local\m8sRKTq\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1472

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:2052

C:\Users\Admin\AppData\Local\7on\MpSigStub.exe
C:\Users\Admin\AppData\Local\7on\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2196

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:2472

C:\Users\Admin\AppData\Local\cSEVtE4U\cmstp.exe
C:\Users\Admin\AppData\Local\cSEVtE4U\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2620

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7on\VERSION.dll
Filesize
1.5MB

MD5
59437a08d7df3c3c4fbc182e96e4f704

SHA1
c966a2d2b4fb621805bbe80d3544a7a8b715cebf

SHA256
fac0f9d40e6dcfdd94addc4aea49e8152e44c56f458c1d9b37ece06a104a1e5e

SHA512
b6633f343751ac88d4595f6457512b8b01da136a797623232df718f9d13de74585140cd225803ac3592594e643b95ef2bdfe9b7071e5cb7e82ca45a1d1fa9881

Download Submit
C:\Users\Admin\AppData\Local\cSEVtE4U\VERSION.dll
Filesize
1.5MB

MD5
d3890b2c0d15c847d9e694f49aa3a95e

SHA1
478ada4247d969bfce6e5c957403090e75921040

SHA256
489853a670c3bfd936680d8e5bd7e1159a822a3d6392674a7e208307bd483fc8

SHA512
d39b672a8a3d698b20de1352394a98a2ca5a546af5b434e9a43b0d604f712881921fee3027deddce531f019b344a12d897eb327fb4409f708ac01c59939a63ed

Download Submit
C:\Users\Admin\AppData\Local\m8sRKTq\SPP.dll
Filesize
1.5MB

MD5
28984220bbd661d540b5c12bb49f57b4

SHA1
81af42ca429679764ebc04e6a3013c22d4c9a450

SHA256
bb571a49c7321be2a4be852b7031c4b3a61e60522b99cf58370d2409bf96aac3

SHA512
9c8f4ec4bd5eb8e782306835a4e7228a173a18c49be557ba9f47f6d866fa35fc54c7636ae3a554e4f4c07fec370601020353564bf2a01f997a54072182ef6347

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hvvcxfz.lnk
Filesize
1KB

MD5
1de1b3f9a7be1c894144de3a7936bb6c

SHA1
1b708bf76d9e4d1ff743e46f29f1dd2c959bb60e

SHA256
09660fc68fe30ff821ddad2d5e92c76615d5fc8830d9270ea199f8ee2b952198

SHA512
d9908065b867d3dd6a933570dc04bc897ba40966c3c3f13c48c01ae9a68ce51d07498aa52da3767fbcd35eb13e2dbf9ba7bcc34379b9b71c7192d62147a9deba

Download Submit
\Users\Admin\AppData\Local\7on\MpSigStub.exe
Filesize
264KB

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
\Users\Admin\AppData\Local\cSEVtE4U\cmstp.exe
Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Local\m8sRKTq\recdisc.exe
Filesize
232KB

MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
memory/1232-34-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-38-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-15-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-16-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-17-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-19-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-18-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-20-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-21-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-22-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-23-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-24-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-25-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-27-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-28-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-29-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-26-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-30-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-31-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-32-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-33-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-4-0x0000000076E66000-0x0000000076E67000-memory.dmp

Filesize
4KB

Download
memory/1232-35-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-36-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-37-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-14-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-39-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-40-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-41-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-42-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-44-0x0000000002A60000-0x0000000002A67000-memory.dmp

Filesize
28KB

Download
memory/1232-43-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-51-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-52-0x0000000077071000-0x0000000077072000-memory.dmp

Filesize
4KB

Download
memory/1232-53-0x00000000771D0000-0x00000000771D2000-memory.dmp

Filesize
8KB

Download
memory/1232-62-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-66-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-74-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-13-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-12-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-5-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1232-134-0x0000000076E66000-0x0000000076E67000-memory.dmp

Filesize
4KB

Download
memory/1232-11-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-10-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-7-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1232-9-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1472-85-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/1472-80-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/2184-8-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/2184-1-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/2184-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2196-97-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads