dridex | c1e2fd72330519fbc4f7d2780814857073c4974cd69502931893a570d83d00fa

General

Target

fa3db9f8a47e7a349c2f63a26d256792_JaffaCakes118.dll
Size

1.4MB
MD5

fa3db9f8a47e7a349c2f63a26d256792
SHA1

f566a2771def56bd7d8227aa581eacc1252c2ef3
SHA256

c1e2fd72330519fbc4f7d2780814857073c4974cd69502931893a570d83d00fa
SHA512

a24d5ca21aa9a420d7f23f35da54ecef924aa374bc3459a18bb5af9cdcc1e31e2d9e648afdcb2d3dd91e007f4065598a113c55d01756c4fea4426093493b9efe
SSDEEP

12288:TVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:CfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3424-4-0x00000000024A0000-0x00000000024A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ApplySettingsTemplateCatalog.exemsconfig.exePresentationHost.exe

pid process

1000 ApplySettingsTemplateCatalog.exe
2720 msconfig.exe
3520 PresentationHost.exe
Loads dropped DLL 4 IoCs

Processes:

ApplySettingsTemplateCatalog.exemsconfig.exePresentationHost.exe

pid process

1000 ApplySettingsTemplateCatalog.exe
2720 msconfig.exe
3520 PresentationHost.exe
3520 PresentationHost.exe

pid	process
1000	ApplySettingsTemplateCatalog.exe
2720	msconfig.exe
3520	PresentationHost.exe

pid	process
1000	ApplySettingsTemplateCatalog.exe
2720	msconfig.exe
3520	PresentationHost.exe
3520	PresentationHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ofbulpzrz = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\LPC6gGT\\msconfig.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeApplySettingsTemplateCatalog.exemsconfig.exePresentationHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
632	rundll32.exe
632	rundll32.exe
632	rundll32.exe
632	rundll32.exe
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3424 wrote to memory of 2468	3424	ApplySettingsTemplateCatalog.exe
PID 3424 wrote to memory of 2468	3424	ApplySettingsTemplateCatalog.exe
PID 3424 wrote to memory of 1000	3424	ApplySettingsTemplateCatalog.exe
PID 3424 wrote to memory of 1000	3424	ApplySettingsTemplateCatalog.exe
PID 3424 wrote to memory of 2588	3424	msconfig.exe
PID 3424 wrote to memory of 2588	3424	msconfig.exe
PID 3424 wrote to memory of 2720	3424	msconfig.exe
PID 3424 wrote to memory of 2720	3424	msconfig.exe
PID 3424 wrote to memory of 3420	3424	PresentationHost.exe
PID 3424 wrote to memory of 3420	3424	PresentationHost.exe
PID 3424 wrote to memory of 3520	3424	PresentationHost.exe
PID 3424 wrote to memory of 3520	3424	PresentationHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa3db9f8a47e7a349c2f63a26d256792_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:632

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:2468

C:\Users\Admin\AppData\Local\s3hnRP\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\s3hnRP\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1000

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2588

C:\Users\Admin\AppData\Local\2ogV\msconfig.exe
C:\Users\Admin\AppData\Local\2ogV\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2720

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:3420

C:\Users\Admin\AppData\Local\zf4Dt1p\PresentationHost.exe
C:\Users\Admin\AppData\Local\zf4Dt1p\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2ogV\VERSION.dll
Filesize
1.4MB

MD5
c134d6bf76a60e4b0ac0b1e6e2ccc218

SHA1
88f31212ba962d8d6cc5d7781cdf2955e6b810c8

SHA256
07b796e9d8a2520a2978f36662aa18c796ee31b4a24a3fc87c3755662912bd06

SHA512
e503e2056936a8997b6e59fd2d6d1c73f7a55887f1c602d90be1cd4a7e09ffdf2f82bf28d2c727367808d517a76087e74f7b4b06754b252c92b8772455b53fc7

Download Submit
C:\Users\Admin\AppData\Local\2ogV\msconfig.exe
Filesize
193KB

MD5
39009536cafe30c6ef2501fe46c9df5e

SHA1
6ff7b4d30f31186de899665c704a105227704b72

SHA256
93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

SHA512
95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

Download Submit
C:\Users\Admin\AppData\Local\s3hnRP\ACTIVEDS.dll
Filesize
1.4MB

MD5
a956d55dae9a117767a374a263eace1f

SHA1
6b6e9eab5c67e831b45637add4426ce2003f7407

SHA256
386fc8318659cfeeabddd7ffa083702512cbb58c4eddb28f8041a154934c418e

SHA512
e3344f5e312da8023205f422f9e5ac7e32623b5fd5cdba7bd21e3d93389b277ff1b72da92444a4326028ff6a06884778da0661df4865dfd8752d2b3eb2f23c25

Download Submit
C:\Users\Admin\AppData\Local\s3hnRP\ApplySettingsTemplateCatalog.exe
Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Local\zf4Dt1p\PresentationHost.exe
Filesize
276KB

MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\zf4Dt1p\VERSION.dll
Filesize
1.4MB

MD5
5dfa453d34818209004aabc840ec53eb

SHA1
10345f929d3d94809e782049805f8c94e46c7616

SHA256
dca3d9512a264a99329c7ff7d5d132af2bd58210db26edb834549d551214ce6b

SHA512
091035ccc4a83dc256cd3e99cb3f7c73875506d59120ef34f5197de8863b254bebf738b0a335b588b36ea401bbe5dec66bd07423ce63f7d0362a57e4cbf96765

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hsqdjhworldfy.lnk
Filesize
1KB

MD5
7b7956c13bcaa327f124948fa932f873

SHA1
c8e67523a2ac88c11ff3e7086c81c2e4945b0609

SHA256
89cb90ba01223f4cc6540896d68e0959473c3866a3d32230224750c56f9bc567

SHA512
5015e6ba496f3c904c12e4869d3d1d238eefaa4b5dacbc03bc2508c6e47ed4cc21e578ddc2d12062d844b201a031e5eda46184b5ebcc0db84edde9a9b0a9a77b

Download Submit
memory/632-9-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/632-1-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/632-0-0x00000270252B0000-0x00000270252B7000-memory.dmp

Filesize
28KB

Download
memory/1000-61-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1000-58-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1000-57-0x000001D699C30000-0x000001D699C37000-memory.dmp

Filesize
28KB

Download
memory/2720-80-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/2720-74-0x000002286F0F0000-0x000002286F0F7000-memory.dmp

Filesize
28KB

Download
memory/3424-14-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-48-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-21-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-18-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-22-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-24-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-23-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-26-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-25-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-27-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-28-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-29-0x0000000000620000-0x0000000000627000-memory.dmp

Filesize
28KB

Download
memory/3424-36-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-39-0x00007FFBA2C00000-0x00007FFBA2C10000-memory.dmp

Filesize
64KB

Download
memory/3424-46-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-20-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-19-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-17-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-16-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-15-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-13-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-12-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-4-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3424-10-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-11-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-8-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-7-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3424-5-0x00007FFBA205A000-0x00007FFBA205B000-memory.dmp

Filesize
4KB

Download
memory/3520-94-0x00000271F62D0000-0x00000271F6433000-memory.dmp

Filesize
1.4MB

Download
memory/3520-100-0x00000271F62D0000-0x00000271F6433000-memory.dmp

Filesize
1.4MB

Download
memory/3520-95-0x00000271F7CE0000-0x00000271F7CE7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads