dridex | cae8b0197e1f3643f83907680a94d215094f17f6b4b226f2239eb4ac202c2a38

General

Target

068e7ec20a1a2347dc4c128d1e114a37_JaffaCakes118.dll
Size

991KB
MD5

068e7ec20a1a2347dc4c128d1e114a37
SHA1

5b79433282f513a55818595f0f3e5679da23e862
SHA256

cae8b0197e1f3643f83907680a94d215094f17f6b4b226f2239eb4ac202c2a38
SHA512

ca6587a2fb9b8b9812ef694347625052db8e42f61cc8681300911e5eb460ee2190923dfec57fdfe0102ad8a5909a5f97cfcd28f2406c8d6450eb989ec1e3cc03
SSDEEP

24576:hVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:hV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3564-4-0x0000000002190000-0x0000000002191000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DisplaySwitch.exebdeunlock.exesystemreset.exe

pid process

2280 DisplaySwitch.exe
3464 bdeunlock.exe
4528 systemreset.exe
Loads dropped DLL 4 IoCs

Processes:

DisplaySwitch.exebdeunlock.exesystemreset.exe

pid process

2280 DisplaySwitch.exe
3464 bdeunlock.exe
4528 systemreset.exe
4528 systemreset.exe

pid	process
2280	DisplaySwitch.exe
3464	bdeunlock.exe
4528	systemreset.exe

pid	process
2280	DisplaySwitch.exe
3464	bdeunlock.exe
4528	systemreset.exe
4528	systemreset.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jhyzxpkzi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\MVBcZ\\bdeunlock.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeDisplaySwitch.exebdeunlock.exesystemreset.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4140	rundll32.exe
4140	rundll32.exe
4140	rundll32.exe
4140	rundll32.exe
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pid process

3564
3564
3564
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3564
3564
3564

pid	process
3564
3564
3564

pid	process
3564
3564
3564

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3564 wrote to memory of 1968	3564	DisplaySwitch.exe
PID 3564 wrote to memory of 1968	3564	DisplaySwitch.exe
PID 3564 wrote to memory of 2280	3564	DisplaySwitch.exe
PID 3564 wrote to memory of 2280	3564	DisplaySwitch.exe
PID 3564 wrote to memory of 3120	3564	bdeunlock.exe
PID 3564 wrote to memory of 3120	3564	bdeunlock.exe
PID 3564 wrote to memory of 3464	3564	bdeunlock.exe
PID 3564 wrote to memory of 3464	3564	bdeunlock.exe
PID 3564 wrote to memory of 5060	3564	systemreset.exe
PID 3564 wrote to memory of 5060	3564	systemreset.exe
PID 3564 wrote to memory of 4528	3564	systemreset.exe
PID 3564 wrote to memory of 4528	3564	systemreset.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\068e7ec20a1a2347dc4c128d1e114a37_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4140

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:1968

C:\Users\Admin\AppData\Local\QOolmSIi\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\QOolmSIi\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2280

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:3120

C:\Users\Admin\AppData\Local\KNlhzfAU\bdeunlock.exe
C:\Users\Admin\AppData\Local\KNlhzfAU\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3464

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:5060

C:\Users\Admin\AppData\Local\jZy\systemreset.exe
C:\Users\Admin\AppData\Local\jZy\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KNlhzfAU\DUser.dll
Filesize
995KB

MD5
cff865c720a5c86812e51293ef2d0bc8

SHA1
511116dc08ad48f6ac75b1c91b7cf0879fd4def5

SHA256
af58c5c7ce7de130dec2fac8ea4307cf73f6f037b0a258818b65f88433102898

SHA512
da9cdb386bb4e240fc6e8f292de33e7dfdd4ae484fcb0f77167d6247242724ebc992c401a088271f3828956273be84d0e12d72cd6f9980886be54de2fcdfa877

Download Submit
C:\Users\Admin\AppData\Local\KNlhzfAU\bdeunlock.exe
Filesize
279KB

MD5
fef5d67150c249db3c1f4b30a2a5a22e

SHA1
41ca037b0229be9338da4d78244b4f0ea5a3d5f3

SHA256
dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

SHA512
4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Download Submit
C:\Users\Admin\AppData\Local\QOolmSIi\DisplaySwitch.exe
Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Local\QOolmSIi\WINSTA.dll
Filesize
998KB

MD5
b7669256d20210f82f7d2914bdb87878

SHA1
75c3c990f9a495ba47958c26fb45162f7a210c85

SHA256
466834257f505f05a7090a1edc5693e03b17625dd8d238558ea4b43890581ed0

SHA512
a6985d8f3ec5577493365f832a575c014c9220145ed6040e799b0c77d34c52e859799e987b1af0266d73909a576ba11bd58347f465bd4d3f987cdd8cb1edf079

Download Submit
C:\Users\Admin\AppData\Local\jZy\ReAgent.dll
Filesize
993KB

MD5
512c0770d4697f7e62210aab7fcd0512

SHA1
d5ea600a47083023abcffa21b9f72ba7f0bade19

SHA256
17d01f617ff430100dd36990a71afbd0194a99b657956c3a69af3e7171608b1b

SHA512
427048085a3960cf46bfea3093589348107e0aa430f77b8377e4192ea7b4e8e2508cf61fe6151a5b3655c3077ae332dd34043db83edc126ae4c3028042d65039

Download Submit
C:\Users\Admin\AppData\Local\jZy\systemreset.exe
Filesize
508KB

MD5
325ff647506adb89514defdd1c372194

SHA1
84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

SHA256
ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

SHA512
8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Usvyddaywmbx.lnk
Filesize
1KB

MD5
0e00b3ffb4232b6c8f74aefb979c1e3b

SHA1
4536a9b48458b1906e8fa34aa250b83fde5543ef

SHA256
6441d880d588f0cd5ce3d684b90db09cc82471aab36a1f896bfd9bc6d1e9cddb

SHA512
a0196fdc235b259d3f46ac0c47cb43e5f4b6715aa63fbcfd2d7d1eee102c5213cea303938c98164486cceb6ce98da508e5a7355e0bee82a7fdac59a148a1cd90

Download Submit
memory/2280-44-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2280-50-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2280-47-0x000001CE83150000-0x000001CE83157000-memory.dmp

Filesize
28KB

Download
memory/3464-69-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3464-66-0x0000026FD6DD0000-0x0000026FD6DD7000-memory.dmp

Filesize
28KB

Download
memory/3564-31-0x0000000000840000-0x0000000000847000-memory.dmp

Filesize
28KB

Download
memory/3564-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3564-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3564-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3564-4-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/3564-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3564-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3564-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3564-30-0x00007FFB03D0A000-0x00007FFB03D0B000-memory.dmp

Filesize
4KB

Download
memory/3564-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3564-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3564-32-0x00007FFB04EB0000-0x00007FFB04EC0000-memory.dmp

Filesize
64KB

Download
memory/3564-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3564-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4140-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4140-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4140-3-0x000001FBD2210000-0x000001FBD2217000-memory.dmp

Filesize
28KB

Download
memory/4528-81-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4528-86-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads