dridex | 998ad9f4b08ca563f76ec2e50176bfcfd2d3eee637baa90216664644618204ab

General

Target

0c2f2c5053a1aeca9442fe7a94a12d90_JaffaCakes118.dll
Size

1.2MB
MD5

0c2f2c5053a1aeca9442fe7a94a12d90
SHA1

4472a3f7d0837f108a94c1e85f66a4ee59862e80
SHA256

998ad9f4b08ca563f76ec2e50176bfcfd2d3eee637baa90216664644618204ab
SHA512

dda17f58b7be7fb21602fc3073713a5fbf29dcf086e428f610f11afc856789691ffb84c0e393a01f12b918164658c4aa4ba92baa3e680af39ca2bc183551b76c
SSDEEP

24576:NuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:H9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1360-5-0x00000000025B0000-0x00000000025B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dvdupgrd.exemblctr.exedccw.exe

pid process

2480 dvdupgrd.exe
2936 mblctr.exe
2916 dccw.exe
Loads dropped DLL 7 IoCs

Processes:

dvdupgrd.exemblctr.exedccw.exe

pid process

1360
2480 dvdupgrd.exe
1360
2936 mblctr.exe
1360
2916 dccw.exe
1360

pid	process
2480	dvdupgrd.exe
2936	mblctr.exe
2916	dccw.exe

pid	process
1360
2480	dvdupgrd.exe
1360
2936	mblctr.exe
1360
2916	dccw.exe
1360

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\mgdjLkip\\mblctr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedvdupgrd.exemblctr.exedccw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dvdupgrd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1420	rundll32.exe
1420	rundll32.exe
1420	rundll32.exe
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1360 wrote to memory of 2488	1360	dvdupgrd.exe
PID 1360 wrote to memory of 2488	1360	dvdupgrd.exe
PID 1360 wrote to memory of 2488	1360	dvdupgrd.exe
PID 1360 wrote to memory of 2480	1360	dvdupgrd.exe
PID 1360 wrote to memory of 2480	1360	dvdupgrd.exe
PID 1360 wrote to memory of 2480	1360	dvdupgrd.exe
PID 1360 wrote to memory of 1984	1360	mblctr.exe
PID 1360 wrote to memory of 1984	1360	mblctr.exe
PID 1360 wrote to memory of 1984	1360	mblctr.exe
PID 1360 wrote to memory of 2936	1360	mblctr.exe
PID 1360 wrote to memory of 2936	1360	mblctr.exe
PID 1360 wrote to memory of 2936	1360	mblctr.exe
PID 1360 wrote to memory of 2748	1360	dccw.exe
PID 1360 wrote to memory of 2748	1360	dccw.exe
PID 1360 wrote to memory of 2748	1360	dccw.exe
PID 1360 wrote to memory of 2916	1360	dccw.exe
PID 1360 wrote to memory of 2916	1360	dccw.exe
PID 1360 wrote to memory of 2916	1360	dccw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2f2c5053a1aeca9442fe7a94a12d90_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
1⤵
PID:2488

C:\Users\Admin\AppData\Local\9IBL2N8c\dvdupgrd.exe
C:\Users\Admin\AppData\Local\9IBL2N8c\dvdupgrd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2480

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:1984

C:\Users\Admin\AppData\Local\eUZFU6k5\mblctr.exe
C:\Users\Admin\AppData\Local\eUZFU6k5\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2936

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:2748

C:\Users\Admin\AppData\Local\UVrE\dccw.exe
C:\Users\Admin\AppData\Local\UVrE\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2916

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9IBL2N8c\VERSION.dll
Filesize
1.2MB

MD5
d15e96cdd34c02e680989869cd73da24

SHA1
1b6c39c4c04838f8eb2f43c7f5bc67729ef15245

SHA256
ffd28014a7b0c01c6a06e0aed5776a26267cb98eb6a4f4ec1e9494da2106475a

SHA512
2528d12c325c48ec4a4335b851690542e954289495e855bd922c6e12795f6e03c1800697d612cd68c48a17ddb760d83ed3ad46ec69d064d0b840f5f8b61abeb4

Download Submit
C:\Users\Admin\AppData\Local\9IBL2N8c\dvdupgrd.exe
Filesize
25KB

MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
C:\Users\Admin\AppData\Local\UVrE\mscms.dll
Filesize
1.2MB

MD5
cd4e6dd5685a9116fbaba437ac2e694c

SHA1
0d9fb51bb2f5f72ac88092826d96747ebe2fe5be

SHA256
818cb04a98208f08f296ccc52f70f0ef3f597241e46da4b4edfc34ff2f17a606

SHA512
86d134eb9ad55479ad5930abe2e19030f0011f0a0458194d4d85d66d365d8aac1d06338cc35e1520eb3c0809fc7064bddb66a3ccddcd3b5914590f79b154ce85

Download Submit
C:\Users\Admin\AppData\Local\eUZFU6k5\WTSAPI32.dll
Filesize
1.2MB

MD5
d54034eebe7011687c9aaf1b8155a98e

SHA1
4937a2bcfc4af95f660f3ce9167514760b406d7a

SHA256
c18c9422a0a8d61b54bb929b5eb3742973909ec07cea69be8c68d4079f8ef91b

SHA512
331ebdfda60ab6873e881bd8c7056c27a58597bb6d85d2267650bbd33c1b1bf6a97ba39ea616067ac94ddc33bdbd10bfac9ee8f03da0d9d2be677d25b1cca2a3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
Filesize
1KB

MD5
a2e6c581202cbf094b0de7844b43d9c1

SHA1
cbdd0996b335b9edcaa5aa67be101279d1fcdf7d

SHA256
93d39a12445c512b20429f85ce533aa2827ab3d79d002b8bf33d7a9e45c06af0

SHA512
808d296620a2b44d46e0a070f81565e4ddbaace96d41a5857e336ba3c7ec42891d3773e873abab1b203f9cc9f904d9654f823f0d5707a16e656eee0e793f93dd

Download Submit
\Users\Admin\AppData\Local\UVrE\dccw.exe
Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
\Users\Admin\AppData\Local\eUZFU6k5\mblctr.exe
Filesize
935KB

MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
memory/1360-27-0x0000000002590000-0x0000000002597000-memory.dmp

Filesize
28KB

Download
memory/1360-8-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-9-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-29-0x0000000077450000-0x0000000077452000-memory.dmp

Filesize
8KB

Download
memory/1360-28-0x00000000772C1000-0x00000000772C2000-memory.dmp

Filesize
4KB

Download
memory/1360-18-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-17-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-15-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-14-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-13-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-10-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-4-0x00000000770B6000-0x00000000770B7000-memory.dmp

Filesize
4KB

Download
memory/1360-26-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-35-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-34-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1360-11-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-72-0x00000000770B6000-0x00000000770B7000-memory.dmp

Filesize
4KB

Download
memory/1360-16-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1360-7-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1420-43-0x000007FEF5ED0000-0x000007FEF6011000-memory.dmp

Filesize
1.3MB

Download
memory/1420-1-0x000007FEF5ED0000-0x000007FEF6011000-memory.dmp

Filesize
1.3MB

Download
memory/1420-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2480-57-0x000007FEF6950000-0x000007FEF6A92000-memory.dmp

Filesize
1.3MB

Download
memory/2480-54-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2480-51-0x000007FEF6950000-0x000007FEF6A92000-memory.dmp

Filesize
1.3MB

Download
memory/2916-87-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2916-93-0x000007FEF5ED0000-0x000007FEF6012000-memory.dmp

Filesize
1.3MB

Download
memory/2936-69-0x000007FEF5ED0000-0x000007FEF6012000-memory.dmp

Filesize
1.3MB

Download
memory/2936-75-0x000007FEF5ED0000-0x000007FEF6012000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads