dridex | 729d4b47c771bb857a969a80d6fb82302896584a8c0a69fdcd6171489365008f

General

Target

036e3859b663301f666bc11f9655bc86_JaffaCakes118.dll
Size

989KB
MD5

036e3859b663301f666bc11f9655bc86
SHA1

e1442aa7e7415fda529f1ed0d4845558d00354f7
SHA256

729d4b47c771bb857a969a80d6fb82302896584a8c0a69fdcd6171489365008f
SHA512

b1d001e641959a11195726aa12f2f4b810867ad003dd0eeb9c55a3479b1ae7e15b9e3142a2713abf758d3e5f7f20326af77d31cf5b573d28a62373513d945b50
SSDEEP

24576:JVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:JV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3456-4-0x00000000031F0000-0x00000000031F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ApplicationFrameHost.exemspaint.exeshrpubw.exe

pid process

3548 ApplicationFrameHost.exe
3096 mspaint.exe
100 shrpubw.exe
Loads dropped DLL 3 IoCs

Processes:

ApplicationFrameHost.exemspaint.exeshrpubw.exe

pid process

3548 ApplicationFrameHost.exe
3096 mspaint.exe
100 shrpubw.exe

pid	process
3548	ApplicationFrameHost.exe
3096	mspaint.exe
100	shrpubw.exe

pid	process
3548	ApplicationFrameHost.exe
3096	mspaint.exe
100	shrpubw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kjdyleps = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\BMhH\\mspaint.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeApplicationFrameHost.exemspaint.exeshrpubw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplicationFrameHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4464	rundll32.exe
4464	rundll32.exe
4464	rundll32.exe
4464	rundll32.exe
4464	rundll32.exe
4464	rundll32.exe
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3456

pid	process
3456

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3456 wrote to memory of 1512	3456	ApplicationFrameHost.exe
PID 3456 wrote to memory of 1512	3456	ApplicationFrameHost.exe
PID 3456 wrote to memory of 3548	3456	ApplicationFrameHost.exe
PID 3456 wrote to memory of 3548	3456	ApplicationFrameHost.exe
PID 3456 wrote to memory of 1732	3456	mspaint.exe
PID 3456 wrote to memory of 1732	3456	mspaint.exe
PID 3456 wrote to memory of 3096	3456	mspaint.exe
PID 3456 wrote to memory of 3096	3456	mspaint.exe
PID 3456 wrote to memory of 3552	3456	shrpubw.exe
PID 3456 wrote to memory of 3552	3456	shrpubw.exe
PID 3456 wrote to memory of 100	3456	shrpubw.exe
PID 3456 wrote to memory of 100	3456	shrpubw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\036e3859b663301f666bc11f9655bc86_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:1512

C:\Users\Admin\AppData\Local\3XaAfO\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\3XaAfO\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3548

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:1732

C:\Users\Admin\AppData\Local\vxUEPmkjL\mspaint.exe
C:\Users\Admin\AppData\Local\vxUEPmkjL\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3096

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:3552

C:\Users\Admin\AppData\Local\3clWRWEn\shrpubw.exe
C:\Users\Admin\AppData\Local\3clWRWEn\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3XaAfO\ApplicationFrameHost.exe
Filesize
76KB

MD5
d58a8a987a8dafad9dc32a548cc061e7

SHA1
f79fc9e0ab066cad530b949c2153c532a5223156

SHA256
cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

SHA512
93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Download Submit
C:\Users\Admin\AppData\Local\3XaAfO\dxgi.dll
Filesize
990KB

MD5
d1880474f425b739864d68de27652722

SHA1
78069ed3c5d499619fdb7ee9d4ae5c382e6c1490

SHA256
b2c1296c864378bbcd847ef9bbf52603f733928a703a1b946a9d766a013ff192

SHA512
0e8c082155064b1db2e67dd022d40c15a0ada24fdeed0c881ed5b675ccab2c4a90160949d5137bc1bacf34b25d9d42b9a1a6a4c54587ccf668a77e5d79339375

Download Submit
C:\Users\Admin\AppData\Local\3clWRWEn\MFC42u.dll
Filesize
1017KB

MD5
013d1dcf9599991b45016aec105b38ca

SHA1
f93ba8c6004ac8234768f577341d1f31cea89e93

SHA256
ba88d4bd6d8dd4c1d1ec5d7d6b6f4ee8a9b2aba3cb1615f9adfb6b64bd076875

SHA512
58e667bd1110cc9232562b207fc1367f272a4cd2a809f5398404c284e847cf3a88ee2ee1a1c561971aac45bb14f2d4d2eeafd3be2c2a16b7437282645c8982ce

Download Submit
C:\Users\Admin\AppData\Local\3clWRWEn\shrpubw.exe
Filesize
59KB

MD5
9910d5c62428ec5f92b04abf9428eec9

SHA1
05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

SHA256
6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

SHA512
01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

Download Submit
C:\Users\Admin\AppData\Local\vxUEPmkjL\WINMM.dll
Filesize
994KB

MD5
cd62d684e9c84431a3d77480691db9d6

SHA1
0404bb06d507b44fd357fda9b5d308429359b89d

SHA256
cf9080180507fa7142fdf2525a40775cddfdaf00f1145c4968e2f9e2fe26d63a

SHA512
5dd033adf7d6e248621bf333d36dd6fe04ac40da89bdb9b1cc19ad4ecdf07b2d4539a10561ff8df48baf2f6e0c0e5cb07c8e56b0f6edbd9b93079ae677abd5af

Download Submit
C:\Users\Admin\AppData\Local\vxUEPmkjL\mspaint.exe
Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lkikclgcaixpoht.lnk
Filesize
967B

MD5
293590d630105decd03147faa56cf8e9

SHA1
6ad528faec9aa1517568e3c7c5b9c634ab75f8e1

SHA256
ed7a3bda442d5fcdaded8746e82b5b351226855eb6a9fe1f0fce20445133c62b

SHA512
00a820a2b5c666bd447e1e28e3223c55103484e49abdc8d9dfa26d0b676f8b654a1070a3ff53131d19d7910c12eaeeae66affae46e98f451eb8867cfaaa0cd3a

Download Submit
memory/100-76-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/100-75-0x00000206F9490000-0x00000206F9497000-memory.dmp

Filesize
28KB

Download
memory/100-81-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3096-62-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3096-65-0x00000235BA2E0000-0x00000235BA2E7000-memory.dmp

Filesize
28KB

Download
memory/3096-66-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3456-31-0x00000000010C0000-0x00000000010C7000-memory.dmp

Filesize
28KB

Download
memory/3456-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-4-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/3456-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3456-30-0x00007FF84FC5A000-0x00007FF84FC5B000-memory.dmp

Filesize
4KB

Download
memory/3456-32-0x00007FF850A30000-0x00007FF850A40000-memory.dmp

Filesize
64KB

Download
memory/3456-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3548-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3548-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3548-47-0x0000022F77D00000-0x0000022F77D07000-memory.dmp

Filesize
28KB

Download
memory/4464-0-0x0000011CE46B0000-0x0000011CE46B7000-memory.dmp

Filesize
28KB

Download
memory/4464-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4464-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads