dridex | 51676b3254a014834afdaba33bdff2911b7d87613f0f23201ba14f9d78e2cf99

General

Target

ff6cd31f07d94bb47ea90f53731a97ca_JaffaCakes118.dll
Size

1.9MB
MD5

ff6cd31f07d94bb47ea90f53731a97ca
SHA1

254860df90ab5c6c2e7d8faba7ef4df7e085f3bd
SHA256

51676b3254a014834afdaba33bdff2911b7d87613f0f23201ba14f9d78e2cf99
SHA512

f8eb53555945d2b56030ad281dd04e861ff3183008dd18870ac7fe9623ef76b0679b129e2c925e4bb325675e3467194e888e8079e199df193d9e3974ded25f05
SSDEEP

12288:EVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:hfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3500-4-0x00000000025E0000-0x00000000025E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesDataExecutionPrevention.exemsconfig.exeBdeUISrv.exe

pid process

3956 SystemPropertiesDataExecutionPrevention.exe
1336 msconfig.exe
3192 BdeUISrv.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesDataExecutionPrevention.exemsconfig.exeBdeUISrv.exe

pid process

3956 SystemPropertiesDataExecutionPrevention.exe
1336 msconfig.exe
3192 BdeUISrv.exe

pid	process
3956	SystemPropertiesDataExecutionPrevention.exe
1336	msconfig.exe
3192	BdeUISrv.exe

pid	process
3956	SystemPropertiesDataExecutionPrevention.exe
1336	msconfig.exe
3192	BdeUISrv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yqyvrmzmpvckvj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\UProof\\KY824RK9Wp5\\msconfig.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesDataExecutionPrevention.exemsconfig.exeBdeUISrv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
2516	rundll32.exe
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3500 wrote to memory of 5060	3500	SystemPropertiesDataExecutionPrevention.exe
PID 3500 wrote to memory of 5060	3500	SystemPropertiesDataExecutionPrevention.exe
PID 3500 wrote to memory of 3956	3500	SystemPropertiesDataExecutionPrevention.exe
PID 3500 wrote to memory of 3956	3500	SystemPropertiesDataExecutionPrevention.exe
PID 3500 wrote to memory of 5032	3500	msconfig.exe
PID 3500 wrote to memory of 5032	3500	msconfig.exe
PID 3500 wrote to memory of 1336	3500	msconfig.exe
PID 3500 wrote to memory of 1336	3500	msconfig.exe
PID 3500 wrote to memory of 2008	3500	BdeUISrv.exe
PID 3500 wrote to memory of 2008	3500	BdeUISrv.exe
PID 3500 wrote to memory of 3192	3500	BdeUISrv.exe
PID 3500 wrote to memory of 3192	3500	BdeUISrv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff6cd31f07d94bb47ea90f53731a97ca_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2516

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:5060

C:\Users\Admin\AppData\Local\NvuFqRBip\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\NvuFqRBip\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3956

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:5032

C:\Users\Admin\AppData\Local\Dy1g1OLi6\msconfig.exe
C:\Users\Admin\AppData\Local\Dy1g1OLi6\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1336

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:2008

C:\Users\Admin\AppData\Local\2y6PRowQ\BdeUISrv.exe
C:\Users\Admin\AppData\Local\2y6PRowQ\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2y6PRowQ\BdeUISrv.exe
Filesize
54KB

MD5
8595075667ff2c9a9f9e2eebc62d8f53

SHA1
c48b54e571f05d4e21d015bb3926c2129f19191a

SHA256
20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

SHA512
080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

Download Submit
C:\Users\Admin\AppData\Local\2y6PRowQ\WTSAPI32.dll
Filesize
1.9MB

MD5
732e495dda5676f15b15067ef59f4abd

SHA1
7e4cb39fff5579978a6154e170d8126e5af289c5

SHA256
456d5e7fba75f8d88de9afab25bf43d7bf4c09d6481a932e7d219e908133ace4

SHA512
81a18858f6a2f1fb781e9c4239b369dc95741d2e57689477e6a80f7c81a7bf45b5d580acc72f5d06d99ed31f3476123a6a880e9daef852f1cd97dbdf0043d55b

Download Submit
C:\Users\Admin\AppData\Local\Dy1g1OLi6\VERSION.dll
Filesize
1.9MB

MD5
7423031fa3489372a5218fb8fc4dcbe1

SHA1
e1b7bc0620e401d16d0c92c8675e01affd7ca8a3

SHA256
6856ea53ea2d226a6d8351ce15707b6516f3425922fd395d430665c271cd1a82

SHA512
70d61e1f381219086d275a32e95cb2c5527f3e8765f69e92b491d140d1227c27ceffceb3dc47a62843faf88be3b9d2e940a6c72b619021aadc686c95d2f7f84b

Download Submit
C:\Users\Admin\AppData\Local\Dy1g1OLi6\msconfig.exe
Filesize
193KB

MD5
39009536cafe30c6ef2501fe46c9df5e

SHA1
6ff7b4d30f31186de899665c704a105227704b72

SHA256
93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

SHA512
95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

Download Submit
C:\Users\Admin\AppData\Local\NvuFqRBip\SYSDM.CPL
Filesize
1.9MB

MD5
8e529d0507f933d85d6e1f3c22300894

SHA1
78c8350891c2fd4af0af06fc4d42af81b22cb835

SHA256
877f0feebcba12ce3283fb3acae87c1d95d420588fed12742a8882e824c912ec

SHA512
74297de3c8383c6a6c650bd5969ada674138cf3bb0fd1974d9f3c34441a3d1b309280304f123dca9840f048dcf8291587fd2039a529f0571071d68569971c952

Download Submit
C:\Users\Admin\AppData\Local\NvuFqRBip\SystemPropertiesDataExecutionPrevention.exe
Filesize
82KB

MD5
de58532954c2704f2b2309ffc320651d

SHA1
0a9fc98f4d47dccb0b231edf9a63309314f68e3b

SHA256
1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

SHA512
d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qbfswxgeo.lnk
Filesize
1KB

MD5
e3d5136818e643039ee231bf1f5a1a3d

SHA1
390b8ad58ce3aad741ea43426f480840511d8d65

SHA256
2089cb4af41e4f9e2f2acedac445364430bb11c33559495ba9b88e647f687da4

SHA512
2a00f254d07cf02267d92b40e45cfee98c50dd2242c2e03b9defd2020995636f59616820ea992556f6521cb090e7e4bf3929a15d20138eaa5ee7c3ff293fbbbf

Download Submit
memory/1336-82-0x0000026D4EFE0000-0x0000026D4EFE7000-memory.dmp

Filesize
28KB

Download
memory/1336-86-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2516-7-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/2516-1-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/2516-0-0x0000023FF95A0000-0x0000023FF95A7000-memory.dmp

Filesize
28KB

Download
memory/3192-97-0x000001F35B8B0000-0x000001F35B8B7000-memory.dmp

Filesize
28KB

Download
memory/3192-103-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3500-28-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-42-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-20-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-21-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-19-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-22-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-23-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-24-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-26-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-27-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-17-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-30-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-31-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-29-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-25-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-32-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-33-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-35-0x00000000006B0000-0x00000000006B7000-memory.dmp

Filesize
28KB

Download
memory/3500-34-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-18-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-43-0x00007FFFBF720000-0x00007FFFBF730000-memory.dmp

Filesize
64KB

Download
memory/3500-52-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-54-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-16-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-15-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-4-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/3500-8-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-10-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-14-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-13-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-6-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-9-0x00007FFFBE8EA000-0x00007FFFBE8EB000-memory.dmp

Filesize
4KB

Download
memory/3500-12-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3500-11-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3956-69-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3956-64-0x0000020664C30000-0x0000020664C37000-memory.dmp

Filesize
28KB

Download
memory/3956-63-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads