dridex | 839c36c310b8efbe6c9519e235331c0f8c92b711dd400cf9724245a9ee70e0d0

General

Target

fedc338550b9e9edb5fb38d72531f369_JaffaCakes118.dll
Size

2.2MB
MD5

fedc338550b9e9edb5fb38d72531f369
SHA1

139da1812572278281cf5c72668af182c6703af0
SHA256

839c36c310b8efbe6c9519e235331c0f8c92b711dd400cf9724245a9ee70e0d0
SHA512

1a1e4c354386772e71cd84055bfce973b0278fc03a3151c502231de0f61a702de4bea80aed84e0eb824ebe07f0d7e70c07133165c4b420266a8581679025cc37
SSDEEP

12288:dVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:EfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3448-4-0x0000000002170000-0x0000000002171000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

CustomShellHost.exemstsc.exebdechangepin.exe

pid process

4652 CustomShellHost.exe
1584 mstsc.exe
2504 bdechangepin.exe
Loads dropped DLL 3 IoCs

Processes:

CustomShellHost.exemstsc.exebdechangepin.exe

pid process

4652 CustomShellHost.exe
1584 mstsc.exe
2504 bdechangepin.exe

pid	process
4652	CustomShellHost.exe
1584	mstsc.exe
2504	bdechangepin.exe

pid	process
4652	CustomShellHost.exe
1584	mstsc.exe
2504	bdechangepin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qepeviktqrkcxrd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\BkCh5R\\mstsc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeCustomShellHost.exemstsc.exebdechangepin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CustomShellHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2500	rundll32.exe
2500	rundll32.exe
2500	rundll32.exe
2500	rundll32.exe
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pid process

3448
3448
3448
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3448
3448
3448
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3448

pid	process
3448
3448
3448

pid	process
3448
3448
3448

pid	process
3448

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3448 wrote to memory of 2824	3448	CustomShellHost.exe
PID 3448 wrote to memory of 2824	3448	CustomShellHost.exe
PID 3448 wrote to memory of 4652	3448	CustomShellHost.exe
PID 3448 wrote to memory of 4652	3448	CustomShellHost.exe
PID 3448 wrote to memory of 1244	3448	mstsc.exe
PID 3448 wrote to memory of 1244	3448	mstsc.exe
PID 3448 wrote to memory of 1584	3448	mstsc.exe
PID 3448 wrote to memory of 1584	3448	mstsc.exe
PID 3448 wrote to memory of 3080	3448	bdechangepin.exe
PID 3448 wrote to memory of 3080	3448	bdechangepin.exe
PID 3448 wrote to memory of 2504	3448	bdechangepin.exe
PID 3448 wrote to memory of 2504	3448	bdechangepin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fedc338550b9e9edb5fb38d72531f369_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Windows\system32\CustomShellHost.exe
C:\Windows\system32\CustomShellHost.exe
1⤵
PID:2824

C:\Users\Admin\AppData\Local\ilSwhNJXR\CustomShellHost.exe
C:\Users\Admin\AppData\Local\ilSwhNJXR\CustomShellHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4652

C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
1⤵
PID:1244

C:\Users\Admin\AppData\Local\1lX\mstsc.exe
C:\Users\Admin\AppData\Local\1lX\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1584

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:3080

C:\Users\Admin\AppData\Local\xfW\bdechangepin.exe
C:\Users\Admin\AppData\Local\xfW\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1lX\WINMM.dll
Filesize
2.2MB

MD5
74c33d437fd9f668d27a4a92c3408b62

SHA1
883f16879014bfd93a7efa70e832c9769b16daa1

SHA256
351535be554cf64985f66eabd2ada8a9213aa35cc40a62241bb4c441a7beb84a

SHA512
c130c0b38e58c63131dbe8cd06946e7e82cece8ac9e5c5b63776cb3b464ca9f7e5f6824dc5dc725ddb032ca4e8b6d29e058c0acc88b913f804df0256be8f4fe1

Download Submit
C:\Users\Admin\AppData\Local\1lX\mstsc.exe
Filesize
1.5MB

MD5
3a26640414cee37ff5b36154b1a0b261

SHA1
e0c28b5fdf53a202a7543b67bbc97214bad490ed

SHA256
1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f

SHA512
76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

Download Submit
C:\Users\Admin\AppData\Local\ilSwhNJXR\CustomShellHost.exe
Filesize
835KB

MD5
70400e78b71bc8efdd063570428ae531

SHA1
cd86ecd008914fdd0389ac2dc00fe92d87746096

SHA256
91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

SHA512
53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

Download Submit
C:\Users\Admin\AppData\Local\ilSwhNJXR\WTSAPI32.dll
Filesize
2.2MB

MD5
eb5795a834af93928a99343c5c962fc6

SHA1
6f31fc587dba8d4258d1f3efe951923934998b8a

SHA256
060ab47130d3146822f83b078abd661b7f7526084b8696854721734256b589ea

SHA512
c8b7f2aaa5c958ac054c8a0ff6beaf765fbf283428c13d4c07fcdb7351e8a580b4214af3b8a8790131005f33313334bbd8c641f8136db55fe98f641e598e5060

Download Submit
C:\Users\Admin\AppData\Local\xfW\DUI70.dll
Filesize
2.5MB

MD5
0363c44e066b23891edbe3621f5a854c

SHA1
32711550fdddd71e33bb9df9cc10411010df7f7e

SHA256
bb280fa23cc1ad0e228cb8eba83b5e83a29778a7a9a8dc2ea0819841c706dd00

SHA512
1b8e7d8de2b1f13d102e902e5960552904831e2e46004b50aacdf75cfb94af2dae635e9fd33289242c9080fbf4d227ae952e224431a54426cb9ed0d9199840a3

Download Submit
C:\Users\Admin\AppData\Local\xfW\bdechangepin.exe
Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Vqslomum.lnk
Filesize
777B

MD5
57d7fac35597f5d62681fd83859e8b2c

SHA1
2d4c5b0c0a1a2a7251079b7e463e737f2d379446

SHA256
e8f0012338f22eb07c572a9f03b1c114f1067ee5a4d056b6d6b88a93f790ebc9

SHA512
f57c9ef284e7787b92b7e1f354f4c93e2570e253622c8849bed4c864df823fb547ccf5b7ac9c9d857a269508f1ecbc978d258053a3a87c833f226513fe4ba18e

Download Submit
memory/1584-95-0x000001D7436B0000-0x000001D7436B7000-memory.dmp

Filesize
28KB

Download
memory/1584-94-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/2500-2-0x0000024E59F90000-0x0000024E59F97000-memory.dmp

Filesize
28KB

Download
memory/2500-8-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/2500-0-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/2504-113-0x0000023AB94E0000-0x0000023AB94E7000-memory.dmp

Filesize
28KB

Download
memory/3448-32-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-38-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-15-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-16-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-13-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-17-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-18-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-19-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-20-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-21-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-22-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-23-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-25-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-24-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-26-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-27-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-28-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-29-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-30-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-7-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-31-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-33-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-34-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-35-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-36-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-14-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-37-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-39-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-40-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-41-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-42-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-44-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-43-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-45-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-46-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-48-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-47-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-49-0x0000000002570000-0x0000000002577000-memory.dmp

Filesize
28KB

Download
memory/3448-56-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-57-0x00007FFE268C0000-0x00007FFE268D0000-memory.dmp

Filesize
64KB

Download
memory/3448-66-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-68-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-5-0x00007FFE2592A000-0x00007FFE2592B000-memory.dmp

Filesize
4KB

Download
memory/3448-12-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-11-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-10-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-9-0x0000000140000000-0x000000014023A000-memory.dmp

Filesize
2.2MB

Download
memory/3448-4-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/4652-77-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download
memory/4652-79-0x0000014CC84E0000-0x0000014CC84E7000-memory.dmp

Filesize
28KB

Download
memory/4652-83-0x0000000140000000-0x000000014023B000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads