dridex | a9771c7fbc17f426c7e915dbfe99ea9b9fa76982383548f943ceb083add04a33

General

Target

fffac8fa967903a2ed108b4e37658e41_JaffaCakes118.dll
Size

1.7MB
MD5

fffac8fa967903a2ed108b4e37658e41
SHA1

229b27b08a907ff2be86d828d53bee5d501f257d
SHA256

a9771c7fbc17f426c7e915dbfe99ea9b9fa76982383548f943ceb083add04a33
SHA512

dce57aa74e34ed7d17b54e8e303158bc5f6dafa003e477e94990a5de64e26b0e7ef44b35e355629db85451196e2cb91b8c8dc149ea40d1a7364c836d107b4665
SSDEEP

12288:NVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:UfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3452-4-0x0000000002160000-0x0000000002161000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

Taskmgr.exeEaseOfAccessDialog.exemsra.exe

pid process

4672 Taskmgr.exe
1700 EaseOfAccessDialog.exe
4816 msra.exe
Loads dropped DLL 4 IoCs

Processes:

Taskmgr.exeEaseOfAccessDialog.exemsra.exe

pid process

4672 Taskmgr.exe
4672 Taskmgr.exe
1700 EaseOfAccessDialog.exe
4816 msra.exe

pid	process
4672	Taskmgr.exe
1700	EaseOfAccessDialog.exe
4816	msra.exe

pid	process
4672	Taskmgr.exe
4672	Taskmgr.exe
1700	EaseOfAccessDialog.exe
4816	msra.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yqyvrmzmpvckvj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\XsMtRKQ\\EaseOfAccessDialog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Taskmgr.exeEaseOfAccessDialog.exemsra.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1812	rundll32.exe
1812	rundll32.exe
1812	rundll32.exe
1812	rundll32.exe
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pid process

3452
3452
3452
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3452
3452
3452
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3452

pid	process
3452
3452
3452

pid	process
3452
3452
3452

pid	process
3452

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3452 wrote to memory of 180	3452	Taskmgr.exe
PID 3452 wrote to memory of 180	3452	Taskmgr.exe
PID 3452 wrote to memory of 4672	3452	Taskmgr.exe
PID 3452 wrote to memory of 4672	3452	Taskmgr.exe
PID 3452 wrote to memory of 1984	3452	EaseOfAccessDialog.exe
PID 3452 wrote to memory of 1984	3452	EaseOfAccessDialog.exe
PID 3452 wrote to memory of 1700	3452	EaseOfAccessDialog.exe
PID 3452 wrote to memory of 1700	3452	EaseOfAccessDialog.exe
PID 3452 wrote to memory of 3716	3452	msra.exe
PID 3452 wrote to memory of 3716	3452	msra.exe
PID 3452 wrote to memory of 4816	3452	msra.exe
PID 3452 wrote to memory of 4816	3452	msra.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fffac8fa967903a2ed108b4e37658e41_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1812

C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
1⤵
PID:180

C:\Users\Admin\AppData\Local\2NR\Taskmgr.exe
C:\Users\Admin\AppData\Local\2NR\Taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4672

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:1984

C:\Users\Admin\AppData\Local\72PirAD\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\72PirAD\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1700

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:3716

C:\Users\Admin\AppData\Local\iVwyoHJWS\msra.exe
C:\Users\Admin\AppData\Local\iVwyoHJWS\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2NR\Taskmgr.exe
Filesize
1.2MB

MD5
58d5bc7895f7f32ee308e34f06f25dd5

SHA1
7a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4

SHA256
4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478

SHA512
872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9

Download Submit
C:\Users\Admin\AppData\Local\2NR\dxgi.dll
Filesize
1.7MB

MD5
914db80d7a0d745d578e09619eaaea9f

SHA1
3b13e8f43d4bfa2ac933af39e2b129df036f7fbc

SHA256
fde7cb12f2031586069a370cdea7521599eb6e00ba0c90af5273924ed09c8186

SHA512
ab1d58bc0fbfa4d680236bee82d5c409013122b5ae9faec5647a312714598622ec77217762860bb1d54323be65855333887145336345cd863eae1c2d4e2e2b71

Download Submit
C:\Users\Admin\AppData\Local\72PirAD\EaseOfAccessDialog.exe
Filesize
123KB

MD5
e75ee992c1041341f709a517c8723c87

SHA1
471021260055eac0021f0abffa2d0ba77a2f380e

SHA256
0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

SHA512
48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

Download Submit
C:\Users\Admin\AppData\Local\72PirAD\OLEACC.dll
Filesize
1.7MB

MD5
2b20d621a129226cb43f9e5f8d12fe37

SHA1
94272ed0e6318409dfebe46a77700ee16c18eebb

SHA256
3301771c2950297dae7c73710d55c31ad45621897d5e5292ebaa282769c90808

SHA512
8445558245b80ed0fa92744a1247404d3b65cb79e4c6e2f63af43b1300025682c324a8253805f971403393bfbfd9f7947fed93bc18a916470f46f80a5a4f730d

Download Submit
C:\Users\Admin\AppData\Local\iVwyoHJWS\UxTheme.dll
Filesize
1.7MB

MD5
a37f31b1b4ae1a1823269c8078c5346f

SHA1
d6a65ea14535ab656d2241ca87b1359e826cd67a

SHA256
94cb634d33c01829010c933bc6a0c36b1e1cc127d325e176248d89ec8570426e

SHA512
7602bb81948a3f896baf2d2ec8af459d0060af5bea832ca08d3680bd266cf20b24ce015874f4e07067893ff3035ae418efb42fc22f8399ffb3974b60e74e9297

Download Submit
C:\Users\Admin\AppData\Local\iVwyoHJWS\msra.exe
Filesize
579KB

MD5
dcda3b7b8eb0bfbccb54b4d6a6844ad6

SHA1
316a2925e451f739f45e31bc233a95f91bf775fa

SHA256
011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

SHA512
18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qbfswxgeo.lnk
Filesize
1KB

MD5
ca976ac4cd06f79febef97c7c18ecc03

SHA1
b5c0c61cde3e6a4f8754110b7481eadd262a2c21

SHA256
0c04b2d69ba7b94a57079ead38c743edac4e799a2af1eb4e9a95ced9420a8792

SHA512
e1adda9b11a44c2afa1c81f84e8965b84c66e629d88cb495bd407cdb10c16aef6ef3914a298d5e10db730a093d31676125eb3bdc4188ffa65de4d8969d9f3ee9

Download Submit
memory/1700-92-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/1700-86-0x000001E240720000-0x000001E240727000-memory.dmp

Filesize
28KB

Download
memory/1812-0-0x0000012B175C0000-0x0000012B175C7000-memory.dmp

Filesize
28KB

Download
memory/1812-1-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1812-7-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-16-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-37-0x00000000021A0000-0x00000000021A7000-memory.dmp

Filesize
28KB

Download
memory/3452-18-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-17-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-19-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-21-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-23-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-22-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-20-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-24-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-25-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-27-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-28-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-29-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-30-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-31-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-26-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-32-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-33-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-34-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-35-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-15-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-36-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-44-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-48-0x00007FFDA16C0000-0x00007FFDA16D0000-memory.dmp

Filesize
64KB

Download
memory/3452-54-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-56-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-14-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-13-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-4-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/3452-9-0x00007FFDA0C3A000-0x00007FFDA0C3B000-memory.dmp

Filesize
4KB

Download
memory/3452-10-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-11-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-6-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-8-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3452-12-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/4672-73-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/4672-68-0x0000022FEE4C0000-0x0000022FEE4C7000-memory.dmp

Filesize
28KB

Download
memory/4672-66-0x0000022FEE470000-0x0000022FEE628000-memory.dmp

Filesize
1.7MB

Download
memory/4672-67-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/4816-105-0x0000024AEA7F0000-0x0000024AEA7F7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads