dridex | 7debe439df429d32f9038ce6bc1cf0d873d64273fbf1ca44df840bdb4bf60302

General

Target

047d2f4724128d47aefb732f8c7edf86_JaffaCakes118.dll
Size

989KB
MD5

047d2f4724128d47aefb732f8c7edf86
SHA1

46b3eb21a3661cc09940cfbba4541ff1442c7bd6
SHA256

7debe439df429d32f9038ce6bc1cf0d873d64273fbf1ca44df840bdb4bf60302
SHA512

2bc764f2dd39966507de9487c4cb8de0008920a26f5f3a98a6a1c2d16a9d34bef41a15978cf892b045d063f62be1742bbafa58607a3c233a1e14b56ed9fdbbff
SSDEEP

24576:3VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:3V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1396-5-0x0000000002A60000-0x0000000002A61000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DevicePairingWizard.exep2phost.exeSystemPropertiesAdvanced.exe

pid process

2372 DevicePairingWizard.exe
2856 p2phost.exe
812 SystemPropertiesAdvanced.exe
Loads dropped DLL 7 IoCs

Processes:

DevicePairingWizard.exep2phost.exeSystemPropertiesAdvanced.exe

pid process

1396
2372 DevicePairingWizard.exe
1396
2856 p2phost.exe
1396
812 SystemPropertiesAdvanced.exe
1396

pid	process
2372	DevicePairingWizard.exe
2856	p2phost.exe
812	SystemPropertiesAdvanced.exe

pid	process
1396
2372	DevicePairingWizard.exe
1396
2856	p2phost.exe
1396
812	SystemPropertiesAdvanced.exe
1396

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\OHJOM9~1\\p2phost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeDevicePairingWizard.exep2phost.exeSystemPropertiesAdvanced.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2804	rundll32.exe
2804	rundll32.exe
2804	rundll32.exe
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396
1396

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1396 wrote to memory of 1540	1396	DevicePairingWizard.exe
PID 1396 wrote to memory of 1540	1396	DevicePairingWizard.exe
PID 1396 wrote to memory of 1540	1396	DevicePairingWizard.exe
PID 1396 wrote to memory of 2372	1396	DevicePairingWizard.exe
PID 1396 wrote to memory of 2372	1396	DevicePairingWizard.exe
PID 1396 wrote to memory of 2372	1396	DevicePairingWizard.exe
PID 1396 wrote to memory of 2800	1396	p2phost.exe
PID 1396 wrote to memory of 2800	1396	p2phost.exe
PID 1396 wrote to memory of 2800	1396	p2phost.exe
PID 1396 wrote to memory of 2856	1396	p2phost.exe
PID 1396 wrote to memory of 2856	1396	p2phost.exe
PID 1396 wrote to memory of 2856	1396	p2phost.exe
PID 1396 wrote to memory of 760	1396	SystemPropertiesAdvanced.exe
PID 1396 wrote to memory of 760	1396	SystemPropertiesAdvanced.exe
PID 1396 wrote to memory of 760	1396	SystemPropertiesAdvanced.exe
PID 1396 wrote to memory of 812	1396	SystemPropertiesAdvanced.exe
PID 1396 wrote to memory of 812	1396	SystemPropertiesAdvanced.exe
PID 1396 wrote to memory of 812	1396	SystemPropertiesAdvanced.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\047d2f4724128d47aefb732f8c7edf86_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2804

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:1540

C:\Users\Admin\AppData\Local\WluvIkE\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\WluvIkE\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2372

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:2800

C:\Users\Admin\AppData\Local\ne6mh\p2phost.exe
C:\Users\Admin\AppData\Local\ne6mh\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2856

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:760

C:\Users\Admin\AppData\Local\URfkRpB0\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\URfkRpB0\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\URfkRpB0\SYSDM.CPL

Filesize
989KB

MD5
288e47962b7c7308737ca7054c862313

SHA1
c840d71820fb09cad4bb73302572db2c406d8a9d

SHA256
65ba4253ac42e3e5afcf56d11df942bb1a321cb3999a65b30b8dc0ef1f9a4a1a

SHA512
f5fc37316fdf367e96ab4ce309e80b8d466b1df4485ba41cf0cee70455a26e4d7b85c41454dd1b624ccc3cc9b9e2947016d34172379be50b1f77fd5e12c64847

Download Submit
C:\Users\Admin\AppData\Local\URfkRpB0\SystemPropertiesAdvanced.exe

Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
C:\Users\Admin\AppData\Local\ne6mh\P2P.dll

Filesize
993KB

MD5
dbca1609af043a7f85032c733fe9d769

SHA1
a11decdd788f17385f2cffd0dd1b0e6c02d549cf

SHA256
6b1c7dddfe67194141acb06f9f39be1a299551e9190387ba8eb287d65eb3798c

SHA512
23dd83c8fa523fd7210958d9a96dbb5f0a52e684808f05a84da172a50c032631ce490ad09667d0849b6591af2a676ba7b968e294f7ac72bbc38250dcdeddab67

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk

Filesize
1KB

MD5
92d60db1d09c894368315be341492f5f

SHA1
3b975e73659908a940766b47ee0ef03d0b3ca90a

SHA256
1a1f7a7840b55add78d124bdd63c7763698ac40018f226ccc095a7908499bbab

SHA512
9e57ea3d85ba54150c928f34ebcdcac83ef7266c183210a3cafa3fe4e70ad537d5fb9bc195f6a8ca2655e6924d0d6cf4a03397676dca54bd790558419eee4e9a

Download Submit
\Users\Admin\AppData\Local\WluvIkE\DevicePairingWizard.exe

Filesize
73KB

MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
\Users\Admin\AppData\Local\WluvIkE\MFC42u.dll

Filesize
1016KB

MD5
9128689fd5798b20d7c3518589fed61e

SHA1
a9d152469839f5312ab10d16cab34fcf2b6d89d0

SHA256
e43faa2823a7b39ce3f93cbbcf14db979e7a7cf085fd859e34481a29c03319bb

SHA512
d87cd4de4af1289d4f5b39ab6f8ad299a090d83b849b1e83bdc9942a50c82d32870387a177192475a03fb5bc0aba6f3ef558ee14be1740aa78c7d77b38cd5ec3

Download Submit
\Users\Admin\AppData\Local\ne6mh\p2phost.exe

Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
memory/812-94-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/812-91-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1396-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1396-4-0x0000000076FC6000-0x0000000076FC7000-memory.dmp

Filesize
4KB

Download
memory/1396-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1396-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1396-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1396-26-0x0000000077260000-0x0000000077262000-memory.dmp

Filesize
8KB

Download
memory/1396-25-0x00000000770D1000-0x00000000770D2000-memory.dmp

Filesize
4KB

Download
memory/1396-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1396-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1396-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1396-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1396-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1396-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1396-5-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1396-24-0x0000000002A40000-0x0000000002A47000-memory.dmp

Filesize
28KB

Download
memory/1396-63-0x0000000076FC6000-0x0000000076FC7000-memory.dmp

Filesize
4KB

Download
memory/1396-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2372-58-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/2372-52-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/2372-55-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2804-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2804-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2804-3-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2856-76-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2856-71-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads