dridex | 008b899a2dc53b0bdaa123e4fc83e7df7594098cc179624bfdafedafcdcd135e

General

Target

004b51e805c513d678b7627d4ebc63ce_JaffaCakes118.dll
Size

1.2MB
MD5

004b51e805c513d678b7627d4ebc63ce
SHA1

3ef5481b3e3090f633de2915a04e45dcd129d560
SHA256

008b899a2dc53b0bdaa123e4fc83e7df7594098cc179624bfdafedafcdcd135e
SHA512

8657cfd745d7b1a7694747a43affb27e12a025576986eceac6bae5e23526c5f5446b6ec58ef059e97a50ae5ed497fe46779915adc68b0d8a92d27f2e84351577
SSDEEP

24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-5-0x0000000002AD0000-0x0000000002AD1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

WindowsAnytimeUpgradeResults.exeBitLockerWizard.exeMpSigStub.exe

pid process

584 WindowsAnytimeUpgradeResults.exe
1860 BitLockerWizard.exe
1240 MpSigStub.exe
Loads dropped DLL 7 IoCs

Processes:

WindowsAnytimeUpgradeResults.exeBitLockerWizard.exeMpSigStub.exe

pid process

1192
584 WindowsAnytimeUpgradeResults.exe
1192
1860 BitLockerWizard.exe
1192
1240 MpSigStub.exe
1192

pid	process
584	WindowsAnytimeUpgradeResults.exe
1860	BitLockerWizard.exe
1240	MpSigStub.exe

pid	process
1192
584	WindowsAnytimeUpgradeResults.exe
1192
1860	BitLockerWizard.exe
1192
1240	MpSigStub.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\Y9lJzbaO\\BitLockerWizard.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeWindowsAnytimeUpgradeResults.exeBitLockerWizard.exeMpSigStub.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1908	rundll32.exe
1908	rundll32.exe
1908	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1192 wrote to memory of 1036	1192	WindowsAnytimeUpgradeResults.exe
PID 1192 wrote to memory of 1036	1192	WindowsAnytimeUpgradeResults.exe
PID 1192 wrote to memory of 1036	1192	WindowsAnytimeUpgradeResults.exe
PID 1192 wrote to memory of 584	1192	WindowsAnytimeUpgradeResults.exe
PID 1192 wrote to memory of 584	1192	WindowsAnytimeUpgradeResults.exe
PID 1192 wrote to memory of 584	1192	WindowsAnytimeUpgradeResults.exe
PID 1192 wrote to memory of 1788	1192	BitLockerWizard.exe
PID 1192 wrote to memory of 1788	1192	BitLockerWizard.exe
PID 1192 wrote to memory of 1788	1192	BitLockerWizard.exe
PID 1192 wrote to memory of 1860	1192	BitLockerWizard.exe
PID 1192 wrote to memory of 1860	1192	BitLockerWizard.exe
PID 1192 wrote to memory of 1860	1192	BitLockerWizard.exe
PID 1192 wrote to memory of 2308	1192	MpSigStub.exe
PID 1192 wrote to memory of 2308	1192	MpSigStub.exe
PID 1192 wrote to memory of 2308	1192	MpSigStub.exe
PID 1192 wrote to memory of 1240	1192	MpSigStub.exe
PID 1192 wrote to memory of 1240	1192	MpSigStub.exe
PID 1192 wrote to memory of 1240	1192	MpSigStub.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\004b51e805c513d678b7627d4ebc63ce_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:1036

C:\Users\Admin\AppData\Local\hdzlRrDM\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\hdzlRrDM\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:584

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:1788

C:\Users\Admin\AppData\Local\wRkbGPT2p\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\wRkbGPT2p\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1860

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:2308

C:\Users\Admin\AppData\Local\ul0wqnHO\MpSigStub.exe
C:\Users\Admin\AppData\Local\ul0wqnHO\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1240

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\hdzlRrDM\DUI70.dll
Filesize
1.4MB

MD5
e045805fa0de649721204f43064238cd

SHA1
cd623ef40511abc521e53b3beed1e19a750a48eb

SHA256
d70ddfe3cf0bda9753469c9382a8d550832295c9703a13ee83971991d9d6a5c3

SHA512
9db35185dfe60abdd106b4ead8ff53f93d120aaaf55ca9d533f9800a61f489f58c823b061da0abb672d166863cde96c3557ca434d17dc901b56e82af0f4a5e6b

Download Submit
C:\Users\Admin\AppData\Local\hdzlRrDM\WindowsAnytimeUpgradeResults.exe
Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
C:\Users\Admin\AppData\Local\ul0wqnHO\VERSION.dll
Filesize
1.2MB

MD5
e715cd172f91ad213528dd45696e11f9

SHA1
25618520d94556e19aee60564cfcb0ddc2cb2482

SHA256
0b105f58ea494a2f03e759fd2adf22306744b7c0bfe1997808a8975c3a440d51

SHA512
22867094d665b81d4e38ab06f38a0b47df11d3f91d5fa3c4aa24fd7974db6c557ebf7f03e237ec5cfa6296a1dad950eecdcaba837eefc94a21bfdc52ddda807b

Download Submit
C:\Users\Admin\AppData\Local\wRkbGPT2p\BitLockerWizard.exe
Filesize
98KB

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
C:\Users\Admin\AppData\Local\wRkbGPT2p\FVEWIZ.dll
Filesize
1.2MB

MD5
2a2555b1e8d0ea4c057b1fe49dacd443

SHA1
689f03b45b772fdef921e2739f62ff1ec1b4555b

SHA256
158a412c7177a2ab3c1adce5b6a050c928ae3d430cea59d8b66b5427f5f57d45

SHA512
ad00ad6f6d415a653f6962695bab300021b46a965645fc56b82e61239d410b01124fb58f1abd63563b6c65abb497ef35d477e0d1c3a158687b491e122343d321

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
fd3322912f92f7f904cdf1c85b5fb7de

SHA1
657d6571cdbf462aa6de59dba6afb81c7d5e938f

SHA256
9ab8963f0a071fcffbb66525b2baa9d12eefc3a013330b7424614b22b6683c23

SHA512
07be214dbf8eaeffc3a0276013842f363744b1ad675a96136353117d0f05b477d38f58473b8817a6d42fdda0c7c68edb919cf6e3a630c93909d6781d11e54113

Download Submit
\Users\Admin\AppData\Local\ul0wqnHO\MpSigStub.exe
Filesize
264KB

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
memory/584-60-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/584-55-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/584-54-0x0000000001AA0000-0x0000000001AA7000-memory.dmp

Filesize
28KB

Download
memory/1192-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-16-0x0000000002260000-0x0000000002267000-memory.dmp

Filesize
28KB

Download
memory/1192-25-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-26-0x0000000077291000-0x0000000077292000-memory.dmp

Filesize
4KB

Download
memory/1192-27-0x0000000077420000-0x0000000077422000-memory.dmp

Filesize
8KB

Download
memory/1192-36-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-38-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-4-0x0000000077086000-0x0000000077087000-memory.dmp

Filesize
4KB

Download
memory/1192-46-0x0000000077086000-0x0000000077087000-memory.dmp

Filesize
4KB

Download
memory/1192-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-5-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/1192-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1240-92-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1240-98-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1860-75-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/1860-74-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1860-80-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1908-0-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1908-39-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1908-1-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads