dridex | 52e2ae912b63b153967d52ed2143a65a0a9c1e68a4b7cf41a3415357e2c09268

General

Target

ff98700ae6d01f626f5f2de18cd15d0f_JaffaCakes118.dll
Size

2.0MB
MD5

ff98700ae6d01f626f5f2de18cd15d0f
SHA1

bc88164f8e819791e76f092d26c1541276f8077a
SHA256

52e2ae912b63b153967d52ed2143a65a0a9c1e68a4b7cf41a3415357e2c09268
SHA512

02161626e5154443b13a12bd3e49c9e8cb11fbd9237da68a8821829cab4481841d7d4b4bd48c6af2d08a70b6116cff0565e7466db3d69419dbf553e860ceb2b6
SSDEEP

12288:oVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:9fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3188-4-0x0000000002DC0000-0x0000000002DC1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesProtection.exeSystemSettingsAdminFlows.exewlrmdr.exe

pid process

2084 SystemPropertiesProtection.exe
900 SystemSettingsAdminFlows.exe
788 wlrmdr.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesProtection.exeSystemSettingsAdminFlows.exewlrmdr.exe

pid process

2084 SystemPropertiesProtection.exe
900 SystemSettingsAdminFlows.exe
788 wlrmdr.exe

pid	process
2084	SystemPropertiesProtection.exe
900	SystemSettingsAdminFlows.exe
788	wlrmdr.exe

pid	process
2084	SystemPropertiesProtection.exe
900	SystemSettingsAdminFlows.exe
788	wlrmdr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\8fw70TvmqXq\\SystemSettingsAdminFlows.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesProtection.exeSystemSettingsAdminFlows.exewlrmdr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsAdminFlows.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlrmdr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3188 wrote to memory of 4220	3188	SystemPropertiesProtection.exe
PID 3188 wrote to memory of 4220	3188	SystemPropertiesProtection.exe
PID 3188 wrote to memory of 2084	3188	SystemPropertiesProtection.exe
PID 3188 wrote to memory of 2084	3188	SystemPropertiesProtection.exe
PID 3188 wrote to memory of 692	3188	SystemSettingsAdminFlows.exe
PID 3188 wrote to memory of 692	3188	SystemSettingsAdminFlows.exe
PID 3188 wrote to memory of 900	3188	SystemSettingsAdminFlows.exe
PID 3188 wrote to memory of 900	3188	SystemSettingsAdminFlows.exe
PID 3188 wrote to memory of 5116	3188	wlrmdr.exe
PID 3188 wrote to memory of 5116	3188	wlrmdr.exe
PID 3188 wrote to memory of 788	3188	wlrmdr.exe
PID 3188 wrote to memory of 788	3188	wlrmdr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff98700ae6d01f626f5f2de18cd15d0f_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4848

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:4220

C:\Users\Admin\AppData\Local\C1x70Hk5\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\C1x70Hk5\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2084

C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
1⤵
PID:692

C:\Users\Admin\AppData\Local\oMJ\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\oMJ\SystemSettingsAdminFlows.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:900

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:5116

C:\Users\Admin\AppData\Local\4XvdaAVhS\wlrmdr.exe
C:\Users\Admin\AppData\Local\4XvdaAVhS\wlrmdr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4XvdaAVhS\DUI70.dll
Filesize
2.3MB

MD5
86ee697f8ee465184c85c7718c76cd5d

SHA1
110af582dd398d7bd274cef813317af47b35e3ab

SHA256
acc246723eb844915a3ae552c3aebb23e070db700a47f5d6155c2a1fe347530f

SHA512
c0c3ad75a945c34703cea84897ed5f668ececcce98a591d01ade8bb9838117c3c1d625a0fa94161b6678d6cee737d63256ef298ce8a217122d3ec66d8aec8faa

Download Submit
C:\Users\Admin\AppData\Local\4XvdaAVhS\wlrmdr.exe
Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Admin\AppData\Local\C1x70Hk5\SYSDM.CPL
Filesize
2.0MB

MD5
b6a6162471c70d0b49db94fa57d646e7

SHA1
18c2022423f0ec044fa02423b727459696a13274

SHA256
5b6796bfc57545be8e27775cb675dcab7e248bac20d29537ffdf3a95b4dfeab4

SHA512
729d30ea7302a45ba5921203c5f912d716a1ecab3754ff7b7727353857e069720bd758e32fa969699258d0a6a10aec69241045408a9d0d129aac86fb55ff4cad

Download Submit
C:\Users\Admin\AppData\Local\C1x70Hk5\SystemPropertiesProtection.exe
Filesize
82KB

MD5
26640d2d4fa912fc9a354ef6cfe500ff

SHA1
a343fd82659ce2d8de3beb587088867cf2ab8857

SHA256
a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

SHA512
26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

Download Submit
C:\Users\Admin\AppData\Local\oMJ\DUI70.dll
Filesize
2.3MB

MD5
072f1a3689d3140a523bd11f6efb04c6

SHA1
a9c0afd74a0c6d83eb09c06541aedaf0cc15aa77

SHA256
18bf9ec8961808ab11e339b5c6adac9e6cb6f222d03f0a00eb813094dcadeb1b

SHA512
1949faaa54fa4a5192503b60f7646b4f6196e8c07faac478da318e82cc4b2e45cdfc71507f5571f25eabcb5f6d8fcdb04138356f61852a37456e8aff5bf0acb7

Download Submit
C:\Users\Admin\AppData\Local\oMJ\SystemSettingsAdminFlows.exe
Filesize
506KB

MD5
50adb2c7c145c729b9de8b7cf967dd24

SHA1
a31757f08da6f95156777c1132b6d5f1db3d8f30

SHA256
a7a2e7122d27308df37b7ab718ef3ac239e4216669f51331e34e205f59fb0aec

SHA512
715b4c93e79e896da1cf86cf4455a84cba1aeac34b6fd72d2afdf203a2034f6f8fac1d6501f0dd277a17bd1d7ab73ddd1887e01a99f2d26f39efeb94d0aac9b0

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnk
Filesize
1KB

MD5
dcab6dae666c468c495b3b71a1cfa7fd

SHA1
2c201800aa47d074cf493779b7ac0a0021f7bca9

SHA256
2cf5b69128581ffac460566aae71abeef049630867bf2d0bee3be87b86a2e0ab

SHA512
b5469d62ac182b0a1ff1921d9503b65cd76ac3d2f83043eaec593ffca0cdf2dbe9e0bae88ed0b17d0a1f0da5f9338bd47afcbeb6c3f947626fe4a5ed6b9f26bc

Download Submit
memory/788-107-0x00000265FEF70000-0x00000265FEF77000-memory.dmp

Filesize
28KB

Download
memory/900-91-0x000001EB4D9F0000-0x000001EB4D9F7000-memory.dmp

Filesize
28KB

Download
memory/900-90-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/900-96-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2084-78-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2084-74-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2084-73-0x0000025C2F290000-0x0000025C2F297000-memory.dmp

Filesize
28KB

Download
memory/3188-37-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-45-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-22-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-23-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-25-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-26-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-27-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-28-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-29-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-24-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-30-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-31-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-32-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-33-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-35-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-36-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-4-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/3188-34-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-39-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-38-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-40-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-41-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-43-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-21-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-44-0x0000000001270000-0x0000000001277000-memory.dmp

Filesize
28KB

Download
memory/3188-42-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-52-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-53-0x00007FFE8D4C0000-0x00007FFE8D4D0000-memory.dmp

Filesize
64KB

Download
memory/3188-62-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-64-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-20-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-18-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-19-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-17-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-16-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-15-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-7-0x00007FFE8BBEA000-0x00007FFE8BBEB000-memory.dmp

Filesize
4KB

Download
memory/3188-13-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-12-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-11-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-10-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-9-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-8-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/3188-6-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/4848-0-0x0000021E5F280000-0x0000021E5F287000-memory.dmp

Filesize
28KB

Download
memory/4848-1-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download
memory/4848-14-0x0000000140000000-0x00000001401FF000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads