dridex | 59d9e70834bb6d70b2174b5d11706ecb7cea61f4ab905c986aa98448edc76367

General

Target

07a15ed8751def5bbf538964fbf993b0_JaffaCakes118.dll
Size

990KB
MD5

07a15ed8751def5bbf538964fbf993b0
SHA1

a04388f19678f0a1991115224a6a2e7c669d3a90
SHA256

59d9e70834bb6d70b2174b5d11706ecb7cea61f4ab905c986aa98448edc76367
SHA512

00d92eb16d19ba3994fa0b72a98e636d3cc929386d98657e7b73bf532412f9e12ece449379190bb0251cf4b62d5a1b6147294776c206c434942fd16c52c7a20c
SSDEEP

24576:pVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:pV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1152-5-0x0000000002E90000-0x0000000002E91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wextract.exeperfmon.exedialer.exe

pid process

2576 wextract.exe
884 perfmon.exe
2716 dialer.exe
Loads dropped DLL 7 IoCs

Processes:

wextract.exeperfmon.exedialer.exe

pid process

1152
2576 wextract.exe
1152
884 perfmon.exe
1152
2716 dialer.exe
1152

pid	process
2576	wextract.exe
884	perfmon.exe
2716	dialer.exe

pid	process
1152
2576	wextract.exe
1152
884	perfmon.exe
1152
2716	dialer.exe
1152

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\9ftKAfrV5QY\\perfmon.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewextract.exeperfmon.exedialer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3020	rundll32.exe
3020	rundll32.exe
3020	rundll32.exe
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152
1152

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1152 wrote to memory of 2764	1152	wextract.exe
PID 1152 wrote to memory of 2764	1152	wextract.exe
PID 1152 wrote to memory of 2764	1152	wextract.exe
PID 1152 wrote to memory of 2576	1152	wextract.exe
PID 1152 wrote to memory of 2576	1152	wextract.exe
PID 1152 wrote to memory of 2576	1152	wextract.exe
PID 1152 wrote to memory of 2920	1152	perfmon.exe
PID 1152 wrote to memory of 2920	1152	perfmon.exe
PID 1152 wrote to memory of 2920	1152	perfmon.exe
PID 1152 wrote to memory of 884	1152	perfmon.exe
PID 1152 wrote to memory of 884	1152	perfmon.exe
PID 1152 wrote to memory of 884	1152	perfmon.exe
PID 1152 wrote to memory of 2532	1152	dialer.exe
PID 1152 wrote to memory of 2532	1152	dialer.exe
PID 1152 wrote to memory of 2532	1152	dialer.exe
PID 1152 wrote to memory of 2716	1152	dialer.exe
PID 1152 wrote to memory of 2716	1152	dialer.exe
PID 1152 wrote to memory of 2716	1152	dialer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\07a15ed8751def5bbf538964fbf993b0_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:2764

C:\Users\Admin\AppData\Local\wgUk\wextract.exe
C:\Users\Admin\AppData\Local\wgUk\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2576

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:2920

C:\Users\Admin\AppData\Local\uJhPf10E\perfmon.exe
C:\Users\Admin\AppData\Local\uJhPf10E\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:884

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:2532

C:\Users\Admin\AppData\Local\GaBJ\dialer.exe
C:\Users\Admin\AppData\Local\GaBJ\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2716

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GaBJ\TAPI32.dll
Filesize
998KB

MD5
84f736b403a405412756a08fbdd449ab

SHA1
3647ff5a1eea874105e84606aa5f428b635b23b5

SHA256
585755afe3d8bd95dc4bbe5cf8a7e74977a02d27f89979ab4b5a37394b00686c

SHA512
a518aee0be31d21c4a717bbde77f2f334886ef959fe1b408f8ca432104ca5dbdce81e0e367374278e84a4d290fe2898768ce072a696e478fb2ba614673d1bdb1

Download Submit
C:\Users\Admin\AppData\Local\uJhPf10E\Secur32.dll
Filesize
993KB

MD5
a9f4c42b1e6d4b31a05fa44110007645

SHA1
2ad6a8d119bb7e81ca8cc582918fe7b092753650

SHA256
f4c3f95ea62325e27943e9086ceb605c02f5fc82c159f3a358912a7f3c3f7bb6

SHA512
28e5a8a9a826cf4083121653be33341c803f90633eef3a2fe360d90905e86d0f9a412ac96c52e9f70e2eeab8d38b81f68a544104b8bf2bf7040bcfc6048aa83d

Download Submit
C:\Users\Admin\AppData\Local\wgUk\VERSION.dll
Filesize
990KB

MD5
28b1decda01f309b5f149cc663483637

SHA1
a26695c6f18a645289d53091a17ac9fdd4b4db1c

SHA256
3f024f22e92f477de43e4505cf9e2fbda8dbda388d76cc392f374457332b622d

SHA512
ed0bcf465221fbb20664f4671624dae60ac6af28f3449fb6b07e2e4b0dc1891b32a6d6781f3247932cd0cf7a51c23edb67a3c22f8448b01d007c7c5e40f79ffb

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
Filesize
947B

MD5
44087bc317363c9e8194cbf0bcbe0de0

SHA1
0bbc51ae9f0f6cd07ba088c7ee65976cfdccecc0

SHA256
dae5a3c48add2b4e5b8f2b333a774a930d4ba4fd393c2446c1e87f262895b282

SHA512
a8e5c0b02674b95508f04420cb36b4fcfa42079b353a4942da02176aa7c3b09f7927b3aea7e5882e0584f02e2aab595763d9483eb45fdcd09ed8729ce488dfaa

Download Submit
\Users\Admin\AppData\Local\GaBJ\dialer.exe
Filesize
34KB

MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
\Users\Admin\AppData\Local\uJhPf10E\perfmon.exe
Filesize
168KB

MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
\Users\Admin\AppData\Local\wgUk\wextract.exe
Filesize
140KB

MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
memory/884-74-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/884-71-0x00000000002B0000-0x00000000002B7000-memory.dmp

Filesize
28KB

Download
memory/1152-14-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1152-70-0x0000000076CD6000-0x0000000076CD7000-memory.dmp

Filesize
4KB

Download
memory/1152-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1152-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1152-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1152-27-0x0000000076F70000-0x0000000076F72000-memory.dmp

Filesize
8KB

Download
memory/1152-26-0x0000000076DE1000-0x0000000076DE2000-memory.dmp

Filesize
4KB

Download
memory/1152-25-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1152-32-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1152-33-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1152-4-0x0000000076CD6000-0x0000000076CD7000-memory.dmp

Filesize
4KB

Download
memory/1152-5-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/1152-16-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1152-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1152-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1152-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1152-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1152-15-0x0000000002DF0000-0x0000000002DF7000-memory.dmp

Filesize
28KB

Download
memory/2576-53-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2576-52-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2576-49-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2716-86-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/2716-89-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2716-92-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/3020-0-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-41-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3020-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads