dridex | 7debe439df429d32f9038ce6bc1cf0d873d64273fbf1ca44df840bdb4bf60302

General

Target

047d2f4724128d47aefb732f8c7edf86_JaffaCakes118.dll
Size

989KB
MD5

047d2f4724128d47aefb732f8c7edf86
SHA1

46b3eb21a3661cc09940cfbba4541ff1442c7bd6
SHA256

7debe439df429d32f9038ce6bc1cf0d873d64273fbf1ca44df840bdb4bf60302
SHA512

2bc764f2dd39966507de9487c4cb8de0008920a26f5f3a98a6a1c2d16a9d34bef41a15978cf892b045d063f62be1742bbafa58607a3c233a1e14b56ed9fdbbff
SSDEEP

24576:3VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:3V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3396-4-0x0000000002FB0000-0x0000000002FB1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesHardware.exeMoUsoCoreWorker.exeApplicationFrameHost.exe

pid process

1140 SystemPropertiesHardware.exe
3372 MoUsoCoreWorker.exe
1432 ApplicationFrameHost.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesHardware.exeMoUsoCoreWorker.exeApplicationFrameHost.exe

pid process

1140 SystemPropertiesHardware.exe
3372 MoUsoCoreWorker.exe
1432 ApplicationFrameHost.exe

pid	process
1140	SystemPropertiesHardware.exe
3372	MoUsoCoreWorker.exe
1432	ApplicationFrameHost.exe

pid	process
1140	SystemPropertiesHardware.exe
3372	MoUsoCoreWorker.exe
1432	ApplicationFrameHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wuaobpzp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\bj2\\MOUSOC~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesHardware.exeMoUsoCoreWorker.exeApplicationFrameHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplicationFrameHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
628	rundll32.exe
628	rundll32.exe
628	rundll32.exe
628	rundll32.exe
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pid process

3396
3396
3396
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3396
3396
3396
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3396

pid	process
3396
3396
3396

pid	process
3396
3396
3396

pid	process
3396

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3396 wrote to memory of 4528	3396	SystemPropertiesHardware.exe
PID 3396 wrote to memory of 4528	3396	SystemPropertiesHardware.exe
PID 3396 wrote to memory of 1140	3396	SystemPropertiesHardware.exe
PID 3396 wrote to memory of 1140	3396	SystemPropertiesHardware.exe
PID 3396 wrote to memory of 1856	3396	MoUsoCoreWorker.exe
PID 3396 wrote to memory of 1856	3396	MoUsoCoreWorker.exe
PID 3396 wrote to memory of 3372	3396	MoUsoCoreWorker.exe
PID 3396 wrote to memory of 3372	3396	MoUsoCoreWorker.exe
PID 3396 wrote to memory of 1948	3396	ApplicationFrameHost.exe
PID 3396 wrote to memory of 1948	3396	ApplicationFrameHost.exe
PID 3396 wrote to memory of 1432	3396	ApplicationFrameHost.exe
PID 3396 wrote to memory of 1432	3396	ApplicationFrameHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\047d2f4724128d47aefb732f8c7edf86_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:628

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:4528

C:\Users\Admin\AppData\Local\OU591K\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\OU591K\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1140

C:\Windows\system32\MoUsoCoreWorker.exe
C:\Windows\system32\MoUsoCoreWorker.exe
1⤵
PID:1856

C:\Users\Admin\AppData\Local\2f4f\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\2f4f\MoUsoCoreWorker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3372

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:1948

C:\Users\Admin\AppData\Local\b35n\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\b35n\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2f4f\MoUsoCoreWorker.exe
Filesize
1.6MB

MD5
47c6b45ff22b73caf40bb29392386ce3

SHA1
7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

SHA256
cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

SHA512
c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

Download Submit
C:\Users\Admin\AppData\Local\2f4f\XmlLite.dll
Filesize
989KB

MD5
6a9f4b92fc8408769ce0f5cc2d3225e6

SHA1
84ac227c42eca6b2d4a37f243a9f265f8355f76f

SHA256
72540b980f3cdc4591f3c209e42caebfed6af2b053b46806e70497a07feeb99e

SHA512
f25f86e700b5ad36e09d4dc3b1294d602196912cf2f2b5008b39810d7baea382d194da51a2c9f41515456146784ece778665be83de44b0e51bf0d0a33b1d9eef

Download Submit
C:\Users\Admin\AppData\Local\OU591K\SYSDM.CPL
Filesize
989KB

MD5
77f75d0463daad39fccfe475670e0126

SHA1
440d75e324edac9bcd605ce85cd456c1b1b64fd9

SHA256
8db24b869ea94254521d8749880aa998b197a098debb2b5f278718cc1d194a3e

SHA512
6e0654de11548d2389b33ddb0341140ed482fcdee213920b2fb7060236b905a4edff0f7d7c810f4aa22e5118b2eb4eed7d1f6d56adc66c56fd02e11dc3f2dd3e

Download Submit
C:\Users\Admin\AppData\Local\OU591K\SystemPropertiesHardware.exe
Filesize
82KB

MD5
bf5bc0d70a936890d38d2510ee07a2cd

SHA1
69d5971fd264d8128f5633db9003afef5fad8f10

SHA256
c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

SHA512
0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

Download Submit
C:\Users\Admin\AppData\Local\b35n\ApplicationFrameHost.exe
Filesize
76KB

MD5
d58a8a987a8dafad9dc32a548cc061e7

SHA1
f79fc9e0ab066cad530b949c2153c532a5223156

SHA256
cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

SHA512
93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Download Submit
C:\Users\Admin\AppData\Local\b35n\dxgi.dll
Filesize
990KB

MD5
0bbe7efc7b2c1be1bfef806027081180

SHA1
fc0d41feecbe8a5f3c9d54cc03a1c596b30fcab3

SHA256
bb7146fdf16dad8869b5c453e28929e573bed2d500aa876a882982491ff25ead

SHA512
eb75261ebdc85073bb9eaf8349751707b780c992753f55d285396246bc813668b134a2e0a6038ca9d8f2d00d570fced83c88f1e08993fa01c2b4dd4dbddc79db

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aibqacvbwgcfz.lnk
Filesize
1KB

MD5
a20e9636c7011372aeb5fa106566a7d4

SHA1
303c4cf523ccb99561ec471b00c1fec7732977f9

SHA256
ec09404f25b495b3b26b006fba87397cef2ce70a53680f71e73f151fe52c7942

SHA512
193403c0b4a5f004d1a8cc86e0b36b338aedef5e1b9e942303f1cf307b1cb06a1fd8daafab0714e0effbfd0b6f702c86e967a5fa1e63e2a8d9d7cc06a584830a

Download Submit
memory/628-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/628-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/628-3-0x0000018BDDF00000-0x0000018BDDF07000-memory.dmp

Filesize
28KB

Download
memory/1140-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1140-45-0x0000016C74070000-0x0000016C74077000-memory.dmp

Filesize
28KB

Download
memory/1140-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1432-81-0x000002BBCD540000-0x000002BBCD547000-memory.dmp

Filesize
28KB

Download
memory/1432-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3372-64-0x00000285E9C50000-0x00000285E9C57000-memory.dmp

Filesize
28KB

Download
memory/3372-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3396-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3396-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3396-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3396-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3396-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3396-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3396-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3396-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3396-30-0x00007FFBEBF8A000-0x00007FFBEBF8B000-memory.dmp

Filesize
4KB

Download
memory/3396-31-0x0000000002BD0000-0x0000000002BD7000-memory.dmp

Filesize
28KB

Download
memory/3396-32-0x00007FFBEC850000-0x00007FFBEC860000-memory.dmp

Filesize
64KB

Download
memory/3396-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3396-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3396-4-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads