dridex | a9771c7fbc17f426c7e915dbfe99ea9b9fa76982383548f943ceb083add04a33

General

Target

fffac8fa967903a2ed108b4e37658e41_JaffaCakes118.dll
Size

1.7MB
MD5

fffac8fa967903a2ed108b4e37658e41
SHA1

229b27b08a907ff2be86d828d53bee5d501f257d
SHA256

a9771c7fbc17f426c7e915dbfe99ea9b9fa76982383548f943ceb083add04a33
SHA512

dce57aa74e34ed7d17b54e8e303158bc5f6dafa003e477e94990a5de64e26b0e7ef44b35e355629db85451196e2cb91b8c8dc149ea40d1a7364c836d107b4665
SSDEEP

12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002950000-0x0000000002951000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

calc.exevmicsvc.exewextract.exe

pid process

2884 calc.exe
2640 vmicsvc.exe
340 wextract.exe
Loads dropped DLL 7 IoCs

Processes:

calc.exevmicsvc.exewextract.exe

pid process

1196
2884 calc.exe
1196
2640 vmicsvc.exe
1196
340 wextract.exe
1196

pid	process
2884	calc.exe
2640	vmicsvc.exe
340	wextract.exe

pid	process
1196
2884	calc.exe
1196
2640	vmicsvc.exe
1196
340	wextract.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ydmmtcuy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\kX584u75K\\vmicsvc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execalc.exevmicsvc.exewextract.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2924	rundll32.exe
2924	rundll32.exe
2924	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2136	1196	calc.exe
PID 1196 wrote to memory of 2136	1196	calc.exe
PID 1196 wrote to memory of 2136	1196	calc.exe
PID 1196 wrote to memory of 2884	1196	calc.exe
PID 1196 wrote to memory of 2884	1196	calc.exe
PID 1196 wrote to memory of 2884	1196	calc.exe
PID 1196 wrote to memory of 2716	1196	vmicsvc.exe
PID 1196 wrote to memory of 2716	1196	vmicsvc.exe
PID 1196 wrote to memory of 2716	1196	vmicsvc.exe
PID 1196 wrote to memory of 2640	1196	vmicsvc.exe
PID 1196 wrote to memory of 2640	1196	vmicsvc.exe
PID 1196 wrote to memory of 2640	1196	vmicsvc.exe
PID 1196 wrote to memory of 2904	1196	wextract.exe
PID 1196 wrote to memory of 2904	1196	wextract.exe
PID 1196 wrote to memory of 2904	1196	wextract.exe
PID 1196 wrote to memory of 340	1196	wextract.exe
PID 1196 wrote to memory of 340	1196	wextract.exe
PID 1196 wrote to memory of 340	1196	wextract.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fffac8fa967903a2ed108b4e37658e41_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:2136

C:\Users\Admin\AppData\Local\9j6\calc.exe
C:\Users\Admin\AppData\Local\9j6\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2884

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:2716

C:\Users\Admin\AppData\Local\2TVdt92\vmicsvc.exe
C:\Users\Admin\AppData\Local\2TVdt92\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2640

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:2904

C:\Users\Admin\AppData\Local\UEedWB3\wextract.exe
C:\Users\Admin\AppData\Local\UEedWB3\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:340

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2TVdt92\ACTIVEDS.dll
Filesize
1.7MB

MD5
fbf8144e07cca1341a9396f7569d5e71

SHA1
9b98476f07710102d86cfa9d495a090a89a07a5f

SHA256
0a93d29c52c0e8e1a6b7e38ad746f4afd4b28e229b0ab19dac310006d96fbca2

SHA512
251300e7c987447fee0bd1fac372699a35165b4f92fe9b8c5bf04a9a15dce48a5b9505243f8e1bacace2ce8c5ee60ad1de6e1d4b21f7d1c65a34fa08af2f7ad6

Download Submit
C:\Users\Admin\AppData\Local\9j6\UxTheme.dll
Filesize
1.7MB

MD5
618eb8906ab83bc7922d15bc37a898a1

SHA1
4ec3bf981c870bb272679eb521e24340a9f65f98

SHA256
32fbc7bf201d95c16f724df04e2d4aba1e3328589ebeab60105c9ebdbf36b855

SHA512
87d628269907d497a62ecb8987aeb541a9b92e21116326ae7e391447935717517788d9a13115a3a1ab82dbbd8a6b37c49ee31bd3e76bc307a6ac7416e1e5259f

Download Submit
C:\Users\Admin\AppData\Local\UEedWB3\VERSION.dll
Filesize
1.7MB

MD5
d73b519e73713f788d2bd3ccc8fdf47a

SHA1
e8d48c423a708fc02800645468c8924d6a5c74c2

SHA256
376728bc59791c5246af8aa72ec57b67ca558182f5df18ccbc25be8999972ed0

SHA512
3d4fc2917a8a60d9697e0bfbd111d8d3107fa5f2f5d5fa4959cf2ac4d86a8b07d33d4e08d9cca6c3b21369023d269f606c94cb63bcdd3e4d22d1a50bb09971cb

Download Submit
C:\Users\Admin\AppData\Local\UEedWB3\wextract.exe
Filesize
140KB

MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piadwmdtymfdd.lnk
Filesize
1KB

MD5
08fa16e75d6f41ae24a0875d88097f26

SHA1
be15caccd46481b52626065914812a97ef49119d

SHA256
555a4149797815680a5bda5160ad895c9257519678676bc524242444c69fca75

SHA512
c449bd2339e25621ca4877f763180188997fd514754225650df62b053be288300ddc10391e69587566bfd79dc74d0068d42238226b2055937ace02eeb4dfeec3

Download Submit
\Users\Admin\AppData\Local\2TVdt92\vmicsvc.exe
Filesize
238KB

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
\Users\Admin\AppData\Local\9j6\calc.exe
Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
memory/340-109-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/1196-20-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-13-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-27-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-28-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-30-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-32-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-33-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-36-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-38-0x0000000002930000-0x0000000002937000-memory.dmp

Filesize
28KB

Download
memory/1196-35-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-34-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-31-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-29-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-26-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-25-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-23-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-44-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-21-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-134-0x00000000777E6000-0x00000000777E7000-memory.dmp

Filesize
4KB

Download
memory/1196-19-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-17-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-16-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-14-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-24-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-11-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-10-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-4-0x00000000777E6000-0x00000000777E7000-memory.dmp

Filesize
4KB

Download
memory/1196-7-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-45-0x00000000778F1000-0x00000000778F2000-memory.dmp

Filesize
4KB

Download
memory/1196-46-0x0000000077A50000-0x0000000077A52000-memory.dmp

Filesize
8KB

Download
memory/1196-55-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-61-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-22-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-18-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-5-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/1196-9-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-12-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1196-15-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/2640-92-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2640-97-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/2884-76-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/2884-79-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/2884-73-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/2924-8-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/2924-1-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2924-0-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads