dridex | 52e2ae912b63b153967d52ed2143a65a0a9c1e68a4b7cf41a3415357e2c09268

General

Target

ff98700ae6d01f626f5f2de18cd15d0f_JaffaCakes118.dll
Size

2.0MB
MD5

ff98700ae6d01f626f5f2de18cd15d0f
SHA1

bc88164f8e819791e76f092d26c1541276f8077a
SHA256

52e2ae912b63b153967d52ed2143a65a0a9c1e68a4b7cf41a3415357e2c09268
SHA512

02161626e5154443b13a12bd3e49c9e8cb11fbd9237da68a8821829cab4481841d7d4b4bd48c6af2d08a70b6116cff0565e7466db3d69419dbf553e860ceb2b6
SSDEEP

12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1136-5-0x0000000002D20000-0x0000000002D21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DisplaySwitch.exemsinfo32.exedialer.exe

pid process

2968 DisplaySwitch.exe
2828 msinfo32.exe
1528 dialer.exe
Loads dropped DLL 7 IoCs

Processes:

DisplaySwitch.exemsinfo32.exedialer.exe

pid process

1136
2968 DisplaySwitch.exe
1136
2828 msinfo32.exe
1136
1528 dialer.exe
1136

pid	process
2968	DisplaySwitch.exe
2828	msinfo32.exe
1528	dialer.exe

pid	process
1136
2968	DisplaySwitch.exe
1136
2828	msinfo32.exe
1136
1528	dialer.exe
1136

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\xLk1xHe\\msinfo32.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeDisplaySwitch.exemsinfo32.exedialer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136
1136

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1136 wrote to memory of 1968	1136	DisplaySwitch.exe
PID 1136 wrote to memory of 1968	1136	DisplaySwitch.exe
PID 1136 wrote to memory of 1968	1136	DisplaySwitch.exe
PID 1136 wrote to memory of 2968	1136	DisplaySwitch.exe
PID 1136 wrote to memory of 2968	1136	DisplaySwitch.exe
PID 1136 wrote to memory of 2968	1136	DisplaySwitch.exe
PID 1136 wrote to memory of 2792	1136	msinfo32.exe
PID 1136 wrote to memory of 2792	1136	msinfo32.exe
PID 1136 wrote to memory of 2792	1136	msinfo32.exe
PID 1136 wrote to memory of 2828	1136	msinfo32.exe
PID 1136 wrote to memory of 2828	1136	msinfo32.exe
PID 1136 wrote to memory of 2828	1136	msinfo32.exe
PID 1136 wrote to memory of 776	1136	dialer.exe
PID 1136 wrote to memory of 776	1136	dialer.exe
PID 1136 wrote to memory of 776	1136	dialer.exe
PID 1136 wrote to memory of 1528	1136	dialer.exe
PID 1136 wrote to memory of 1528	1136	dialer.exe
PID 1136 wrote to memory of 1528	1136	dialer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff98700ae6d01f626f5f2de18cd15d0f_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:1968

C:\Users\Admin\AppData\Local\mm5u\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\mm5u\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2968

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:2792

C:\Users\Admin\AppData\Local\ipLJN7OEN\msinfo32.exe
C:\Users\Admin\AppData\Local\ipLJN7OEN\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2828

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:776

C:\Users\Admin\AppData\Local\2N2ftiD\dialer.exe
C:\Users\Admin\AppData\Local\2N2ftiD\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1528

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2N2ftiD\TAPI32.dll
Filesize
2.0MB

MD5
be96b7169eddd006ed658863965ac243

SHA1
a8514fd7d87366df08e83d1ff64c57c154f0cf50

SHA256
8203ec958cd43268dd655c187664838b59689d12ab475c2435df1a4573fb160e

SHA512
a00b01f8e11515377537701ffd7e89e12f946d4686aec7dc2925270d710e1d5b31bfe2d58a1eef2a89738fd9def26b6f2314ce4acdfa63398571cf9445f81238

Download Submit
C:\Users\Admin\AppData\Local\2N2ftiD\dialer.exe
Filesize
34KB

MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
C:\Users\Admin\AppData\Local\ipLJN7OEN\MFC42u.dll
Filesize
2.0MB

MD5
4c8a9d507e28ff38ff531be551eb66a3

SHA1
9de8c4442b7fcbfa1db0a4a7b224d6f17a959b0c

SHA256
f2e7ee87d51163e9dc26be666b987dc83c9c78bb6eecff52cd77ba96da642437

SHA512
ca085ef12dceee9f6f09c75678d51db16023263ae127ec665159f59f049295f90d3cacb4e4d49c2739c695e7325944d21bc85e82c5a2c2e2ea4e5c7404af9b84

Download Submit
C:\Users\Admin\AppData\Local\mm5u\DisplaySwitch.exe
Filesize
517KB

MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
C:\Users\Admin\AppData\Local\mm5u\slc.dll
Filesize
2.0MB

MD5
5ebfabbb45a393e1d075da9bf67fadc6

SHA1
2dd90ce4810fb0e5a81995293ec403753b5aee89

SHA256
2bc7202667f44a49ac5896f4764be8e033122c99f23b90073fdce35b5aee1c67

SHA512
37c49dd11c19026ceea50b54dbcc3e3aba29bfab386c299de6a2a60bab83b555fb3f98ba61f66eb756bdfa9fe276a11802220e845f05f7ed50a0b0fe4d0fbe06

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnk
Filesize
1KB

MD5
19c2e9aacd398bea71238b4ce623447e

SHA1
ede166107ffc14c9c76cdc91d309067354e985d1

SHA256
765627c5a913f150ade6cf4f389cd9ca95c85cf2cbf835022297521ef89b4948

SHA512
34152da1f6b9f6e0b936f0fe2cc2e2d6195728681bbd00469e617ae79019acba4cc86e0019c10531629337b6a235c39020e97d7437e56fb7c845abf7684ebdd3

Download Submit
\Users\Admin\AppData\Local\ipLJN7OEN\msinfo32.exe
Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
memory/1136-39-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-42-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-7-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-18-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-17-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-16-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-19-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-20-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-21-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-25-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-24-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-23-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-22-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-27-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-26-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-28-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-29-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-32-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-33-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-31-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-30-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-34-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-40-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-4-0x0000000077376000-0x0000000077377000-memory.dmp

Filesize
4KB

Download
memory/1136-38-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-37-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-43-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-9-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-41-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-36-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-35-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-44-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-45-0x0000000002D00000-0x0000000002D07000-memory.dmp

Filesize
28KB

Download
memory/1136-52-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-53-0x0000000077581000-0x0000000077582000-memory.dmp

Filesize
4KB

Download
memory/1136-54-0x00000000776E0000-0x00000000776E2000-memory.dmp

Filesize
8KB

Download
memory/1136-63-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-69-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-70-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-10-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-11-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-142-0x0000000077376000-0x0000000077377000-memory.dmp

Filesize
4KB

Download
memory/1136-5-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/1136-15-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-14-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-13-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1136-12-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1528-118-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/1584-8-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/1584-1-0x0000000000340000-0x0000000000347000-memory.dmp

Filesize
28KB

Download
memory/1584-0-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/2828-100-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/2968-81-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2968-82-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads