dridex | 008b899a2dc53b0bdaa123e4fc83e7df7594098cc179624bfdafedafcdcd135e

General

Target

004b51e805c513d678b7627d4ebc63ce_JaffaCakes118.dll
Size

1.2MB
MD5

004b51e805c513d678b7627d4ebc63ce
SHA1

3ef5481b3e3090f633de2915a04e45dcd129d560
SHA256

008b899a2dc53b0bdaa123e4fc83e7df7594098cc179624bfdafedafcdcd135e
SHA512

8657cfd745d7b1a7694747a43affb27e12a025576986eceac6bae5e23526c5f5446b6ec58ef059e97a50ae5ed497fe46779915adc68b0d8a92d27f2e84351577
SSDEEP

24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3360-4-0x0000000002FF0000-0x0000000002FF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

psr.exesigverif.exewlrmdr.exe

pid process

3752 psr.exe
5088 sigverif.exe
2796 wlrmdr.exe
Loads dropped DLL 3 IoCs

Processes:

psr.exesigverif.exewlrmdr.exe

pid process

3752 psr.exe
5088 sigverif.exe
2796 wlrmdr.exe

pid	process
3752	psr.exe
5088	sigverif.exe
2796	wlrmdr.exe

pid	process
3752	psr.exe
5088	sigverif.exe
2796	wlrmdr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\j8f\\sigverif.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wlrmdr.exerundll32.exepsr.exesigverif.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlrmdr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4048	rundll32.exe
4048	rundll32.exe
4048	rundll32.exe
4048	rundll32.exe
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3360 wrote to memory of 2088	3360	psr.exe
PID 3360 wrote to memory of 2088	3360	psr.exe
PID 3360 wrote to memory of 3752	3360	psr.exe
PID 3360 wrote to memory of 3752	3360	psr.exe
PID 3360 wrote to memory of 1552	3360	sigverif.exe
PID 3360 wrote to memory of 1552	3360	sigverif.exe
PID 3360 wrote to memory of 5088	3360	sigverif.exe
PID 3360 wrote to memory of 5088	3360	sigverif.exe
PID 3360 wrote to memory of 3592	3360	wlrmdr.exe
PID 3360 wrote to memory of 3592	3360	wlrmdr.exe
PID 3360 wrote to memory of 2796	3360	wlrmdr.exe
PID 3360 wrote to memory of 2796	3360	wlrmdr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\004b51e805c513d678b7627d4ebc63ce_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:2088

C:\Users\Admin\AppData\Local\Pr54\psr.exe
C:\Users\Admin\AppData\Local\Pr54\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3752

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:1552

C:\Users\Admin\AppData\Local\08xSkKC\sigverif.exe
C:\Users\Admin\AppData\Local\08xSkKC\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5088

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:3592

C:\Users\Admin\AppData\Local\be2z\wlrmdr.exe
C:\Users\Admin\AppData\Local\be2z\wlrmdr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\08xSkKC\VERSION.dll
Filesize
1.2MB

MD5
ac2aba1890e9ee5dcb4433730dee4fa1

SHA1
fcbc23709de16e50a00a9b0de34cb2d26605f50b

SHA256
bc218a77cc2512c817428b1a5f6dbb3a6f918a497078d54bb688c54504cd9b33

SHA512
106e18c48b23c122a7d374b0cb695796a736907e814036a1a7179e6d911800262788fe4d7053b4a02bf7cf58a73089730908e00209789e17c6bac0f83dad418d

Download Submit
C:\Users\Admin\AppData\Local\08xSkKC\sigverif.exe
Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Local\Pr54\XmlLite.dll
Filesize
1.2MB

MD5
3a724276fa6fe2a022bbe1523120e38f

SHA1
5562cdfd4d0accbe17f497a4c609bf40b96295f7

SHA256
831f21a09317fe68c26e5ff66e4d8ce5fe68c41715c453eefb6636aa9a58ce5e

SHA512
7ab1649c20d5b1a1193249f05be123acd1005733f94276881d1b8decaff4e23bc053379848cfbb95b3a1db8954dba5d58dd71a8986e2b69279811bc730624e19

Download Submit
C:\Users\Admin\AppData\Local\Pr54\psr.exe
Filesize
232KB

MD5
ad53ead5379985081b7c3f1f357e545a

SHA1
6f5aa32c1d15fbf073558fadafd046d97b60184e

SHA256
4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

SHA512
433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

Download Submit
C:\Users\Admin\AppData\Local\be2z\DUI70.dll
Filesize
1.5MB

MD5
e6be1fdc92f721321e56a0e30579a109

SHA1
2b77ef5c769980074c4bb6d093be8b37f87f3c57

SHA256
d09427e0ed447314d1916134b8dc3c8aa2306ad34a07b18662c9560c06f6c0cd

SHA512
84c1ddfe1636dba22a138aa8ec19abec7f92a18a513d591094a361caf027c120c6cb101f127616c4633c365f88f1c36cd7102bb02aeaa683e7f649757428fb9d

Download Submit
C:\Users\Admin\AppData\Local\be2z\wlrmdr.exe
Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnk
Filesize
1KB

MD5
e05b3eca936af8aef7fe8a13c8e00576

SHA1
14a1c5bb8be89abcf2660d1cc85b2d7c630ad63d

SHA256
68e0673de2340ff4730b1d688dc8504eb57df8b87192abd392590052b92c9df6

SHA512
2755f50904f6150c6b88b935c7ecbb63668cfe8fcd04a727d9d0bf43119e6c612f132d46119c049f49e510a85b6bbfb52f66419b03d5bcb558381e1d732bf092

Download Submit
memory/2796-85-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2796-79-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2796-80-0x000002A97AC50000-0x000002A97AC57000-memory.dmp

Filesize
28KB

Download
memory/3360-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-4-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/3360-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-17-0x0000000000D40000-0x0000000000D47000-memory.dmp

Filesize
28KB

Download
memory/3360-25-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-26-0x00007FF9A4250000-0x00007FF9A4260000-memory.dmp

Filesize
64KB

Download
memory/3360-35-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-6-0x00007FF9A24AA000-0x00007FF9A24AB000-memory.dmp

Filesize
4KB

Download
memory/3360-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3360-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3752-45-0x0000018477370000-0x0000018477377000-memory.dmp

Filesize
28KB

Download
memory/3752-51-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3752-46-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4048-0-0x000001C0B94D0000-0x000001C0B94D7000-memory.dmp

Filesize
28KB

Download
memory/4048-38-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4048-1-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5088-68-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/5088-62-0x000001EAC0D70000-0x000001EAC0D77000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads