dridex | fb7040dce4fffb1394723ad25f6c9d088db9340cd2aed96b972f476693788f9a

General

Target

0e60f420fdf85dd1b7fbaea84e647693_JaffaCakes118.dll
Size

1.2MB
MD5

0e60f420fdf85dd1b7fbaea84e647693
SHA1

e8aabce04be2e42aaf0235e7ab5f2b354ea727bb
SHA256

fb7040dce4fffb1394723ad25f6c9d088db9340cd2aed96b972f476693788f9a
SHA512

505fca3bcc20f0a9c16e566cccb6a8d1ab1949d7f5f4dd10bbf019e99b119d57947245b6a3dfe779c63636b4dfceaaf83a49efa40f832d57515097e6fca3cb4c
SSDEEP

24576:SuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:69cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3496-4-0x0000000002640000-0x0000000002641000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DWWIN.EXEphoneactivate.exeshrpubw.exe

pid process

3532 DWWIN.EXE
4032 phoneactivate.exe
3352 shrpubw.exe
Loads dropped DLL 3 IoCs

Processes:

DWWIN.EXEphoneactivate.exeshrpubw.exe

pid process

3532 DWWIN.EXE
4032 phoneactivate.exe
3352 shrpubw.exe

pid	process
3532	DWWIN.EXE
4032	phoneactivate.exe
3352	shrpubw.exe

pid	process
3532	DWWIN.EXE
4032	phoneactivate.exe
3352	shrpubw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ramyketlbwvbqf = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\OC5THIs\\PHONEA~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeDWWIN.EXEphoneactivate.exeshrpubw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	phoneactivate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1948	rundll32.exe
1948	rundll32.exe
1948	rundll32.exe
1948	rundll32.exe
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496
3496

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3496

pid	process
3496

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3496 wrote to memory of 2908	3496	DWWIN.EXE
PID 3496 wrote to memory of 2908	3496	DWWIN.EXE
PID 3496 wrote to memory of 3532	3496	DWWIN.EXE
PID 3496 wrote to memory of 3532	3496	DWWIN.EXE
PID 3496 wrote to memory of 4296	3496	phoneactivate.exe
PID 3496 wrote to memory of 4296	3496	phoneactivate.exe
PID 3496 wrote to memory of 4032	3496	phoneactivate.exe
PID 3496 wrote to memory of 4032	3496	phoneactivate.exe
PID 3496 wrote to memory of 2804	3496	shrpubw.exe
PID 3496 wrote to memory of 2804	3496	shrpubw.exe
PID 3496 wrote to memory of 3352	3496	shrpubw.exe
PID 3496 wrote to memory of 3352	3496	shrpubw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e60f420fdf85dd1b7fbaea84e647693_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1948

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:2908

C:\Users\Admin\AppData\Local\0tmzV7b\DWWIN.EXE
C:\Users\Admin\AppData\Local\0tmzV7b\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3532

C:\Windows\system32\phoneactivate.exe
C:\Windows\system32\phoneactivate.exe
1⤵
PID:4296

C:\Users\Admin\AppData\Local\p6yOS\phoneactivate.exe
C:\Users\Admin\AppData\Local\p6yOS\phoneactivate.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4032

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:2804

C:\Users\Admin\AppData\Local\XGe\shrpubw.exe
C:\Users\Admin\AppData\Local\XGe\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0tmzV7b\DWWIN.EXE

Filesize
229KB

MD5
444cc4d3422a0fdd45c1b78070026c60

SHA1
97162ff341fff1ec54b827ec02f8b86fd2d41a97

SHA256
4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

SHA512
21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

Download Submit
C:\Users\Admin\AppData\Local\0tmzV7b\wer.dll

Filesize
1.2MB

MD5
6251f7510550721effebf16b39d5e6ff

SHA1
d64166fad07db549b3beb3b1e9ba1f7704b7d372

SHA256
4d6beb42dd30b64a374150348a37cf58a1712d7678df9ba1c3cd1de276b8862f

SHA512
979e2f7535444b1887ae077e892c4db25ce331b5b2cfffb4db09a65ac6fc3378bfb08b1ec243fc5c379046226c4efe6db47c205ddc1ed219bcb83088492292e4

Download Submit
C:\Users\Admin\AppData\Local\XGe\ACLUI.dll

Filesize
1.2MB

MD5
8836a08ea286744b2eaccda25a612485

SHA1
5da9c27b15af83e483578e06eebbd95adc26da07

SHA256
2ac84b824084a577d0e2793184d7508200384db602c8381dc0e1df8a052e7bce

SHA512
1441778e548fef03d68a5485e653af4d664aa6d813325eae389325f197ffb77ad6fa7d23291af023d14c7f3b224b9536ce5f5f12cec8e29c1db0ccf39ca3f12b

Download Submit
C:\Users\Admin\AppData\Local\XGe\shrpubw.exe

Filesize
59KB

MD5
9910d5c62428ec5f92b04abf9428eec9

SHA1
05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

SHA256
6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

SHA512
01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

Download Submit
C:\Users\Admin\AppData\Local\p6yOS\SLC.dll

Filesize
1.2MB

MD5
033b071355693b696fb9baaf3dfc229e

SHA1
1d494c7b43a3ad79095fa9636b81b535ea301916

SHA256
191235550dd3ed197f0086037a022cc30501a6888f3e07c29e4e507e4fe27fb3

SHA512
bffd13c178a1a2e5dea84962a43378743cea25252419d062ff87903fedb6a5b06fc4bd0240e709ee8c9da1f82411f7c248ffd29772cee348aa81486938a1eb36

Download Submit
C:\Users\Admin\AppData\Local\p6yOS\phoneactivate.exe

Filesize
107KB

MD5
32c31f06e0b68f349f68afdd08e45f3d

SHA1
e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

SHA256
cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

SHA512
fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehesgegqlj.lnk

Filesize
1KB

MD5
cb4ecabc78483de182ab8df782b0b9cd

SHA1
d757bcf3fd52e1951f313111acfab1ec96e58b01

SHA256
bc93d5132d0df03abf8e264e9e0c3390daafaf0b3831b6a6d94722920182bc23

SHA512
40056f07fb7bf2852df3c4c1c71a5e5754327bf285a359948e64ca5c29f03718935e285334c63f5a4d093137cc6007e52272200818c5f676d71465f197352c10

Download Submit
memory/1948-0-0x00007FF9E6050000-0x00007FF9E6184000-memory.dmp

Filesize
1.2MB

Download
memory/1948-41-0x00007FF9E6050000-0x00007FF9E6184000-memory.dmp

Filesize
1.2MB

Download
memory/1948-3-0x000001F3A7B40000-0x000001F3A7B47000-memory.dmp

Filesize
28KB

Download
memory/3352-82-0x00007FF9D73F0000-0x00007FF9D7525000-memory.dmp

Filesize
1.2MB

Download
memory/3352-85-0x0000023CD1710000-0x0000023CD1717000-memory.dmp

Filesize
28KB

Download
memory/3352-88-0x00007FF9D73F0000-0x00007FF9D7525000-memory.dmp

Filesize
1.2MB

Download
memory/3496-18-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-32-0x00000000008A0000-0x00000000008A7000-memory.dmp

Filesize
28KB

Download
memory/3496-9-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-8-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-7-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-6-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-4-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/3496-11-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-13-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-14-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-15-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-12-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-17-0x00007FF9F34EA000-0x00007FF9F34EB000-memory.dmp

Filesize
4KB

Download
memory/3496-27-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-16-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-19-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-38-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3496-33-0x00007FF9F4A50000-0x00007FF9F4A60000-memory.dmp

Filesize
64KB

Download
memory/3496-10-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3532-54-0x00007FF9D73F0000-0x00007FF9D7526000-memory.dmp

Filesize
1.2MB

Download
memory/3532-51-0x00000263AB740000-0x00000263AB747000-memory.dmp

Filesize
28KB

Download
memory/3532-48-0x00007FF9D73F0000-0x00007FF9D7526000-memory.dmp

Filesize
1.2MB

Download
memory/4032-71-0x00007FF9D6620000-0x00007FF9D6755000-memory.dmp

Filesize
1.2MB

Download
memory/4032-68-0x0000015C4B3A0000-0x0000015C4B3A7000-memory.dmp

Filesize
28KB

Download
memory/4032-65-0x00007FF9D6620000-0x00007FF9D6755000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads