dridex | 089a19bb3d0bec505d505cb6870fb9b97f14a1bec81d00307e21cfb968d87947

General

Target

106616b4d3c012a99a747f9d0e951596_JaffaCakes118.dll
Size

1.2MB
MD5

106616b4d3c012a99a747f9d0e951596
SHA1

a78f314463068a3d3438aff44a1ac85eed0ab282
SHA256

089a19bb3d0bec505d505cb6870fb9b97f14a1bec81d00307e21cfb968d87947
SHA512

3bea54a84d57d1e53b631d241f09730f0c07db7477885b521ef40120afc226e6766f0347bc52d8d082e2971c7f3edc783df3fe6152affea172617d6712ad1725
SSDEEP

24576:kVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:kV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3508-4-0x0000000008CA0000-0x0000000008CA1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ApplySettingsTemplateCatalog.exemsinfo32.execttune.exe

pid process

980 ApplySettingsTemplateCatalog.exe
4352 msinfo32.exe
2200 cttune.exe
Loads dropped DLL 3 IoCs

Processes:

ApplySettingsTemplateCatalog.exemsinfo32.execttune.exe

pid process

980 ApplySettingsTemplateCatalog.exe
4352 msinfo32.exe
2200 cttune.exe

pid	process
980	ApplySettingsTemplateCatalog.exe
4352	msinfo32.exe
2200	cttune.exe

pid	process
980	ApplySettingsTemplateCatalog.exe
4352	msinfo32.exe
2200	cttune.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Minhbfns = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\h0sowo\\msinfo32.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeApplySettingsTemplateCatalog.exemsinfo32.execttune.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4104	rundll32.exe
4104	rundll32.exe
4104	rundll32.exe
4104	rundll32.exe
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508
3508

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508
Token: SeShutdownPrivilege	3508
Token: SeCreatePagefilePrivilege	3508

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3508
3508
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3508

pid	process
3508
3508

pid	process
3508

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3508 wrote to memory of 2972	3508	ApplySettingsTemplateCatalog.exe
PID 3508 wrote to memory of 2972	3508	ApplySettingsTemplateCatalog.exe
PID 3508 wrote to memory of 980	3508	ApplySettingsTemplateCatalog.exe
PID 3508 wrote to memory of 980	3508	ApplySettingsTemplateCatalog.exe
PID 3508 wrote to memory of 3156	3508	msinfo32.exe
PID 3508 wrote to memory of 3156	3508	msinfo32.exe
PID 3508 wrote to memory of 4352	3508	msinfo32.exe
PID 3508 wrote to memory of 4352	3508	msinfo32.exe
PID 3508 wrote to memory of 2352	3508	cttune.exe
PID 3508 wrote to memory of 2352	3508	cttune.exe
PID 3508 wrote to memory of 2200	3508	cttune.exe
PID 3508 wrote to memory of 2200	3508	cttune.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\106616b4d3c012a99a747f9d0e951596_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:2972

C:\Users\Admin\AppData\Local\GHrqh4\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\GHrqh4\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:980

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:3156

C:\Users\Admin\AppData\Local\4bs\msinfo32.exe
C:\Users\Admin\AppData\Local\4bs\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4352

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2352

C:\Users\Admin\AppData\Local\BaKV00lom\cttune.exe
C:\Users\Admin\AppData\Local\BaKV00lom\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4bs\SLC.dll

Filesize
1.2MB

MD5
d2811778cc0e3bf78a18012862090656

SHA1
b3bdfd9a0c9d19bc04b67966e69dec4e1f182696

SHA256
40d9578e76a33ddc1a1fdf97132f0afad2e2a1cf6fe78b75741aaab7c8c2ba04

SHA512
c5d66d0f9d680fdbc57961a4703d6a96dadf09ca0001af6737a612cf37798025f2bbc6b5061495d96ef872096cc547d9a8a6443295070b048b6b7d64779ad465

Download Submit
C:\Users\Admin\AppData\Local\4bs\msinfo32.exe

Filesize
376KB

MD5
0aed91da63713bf9f881b03a604a1c9d

SHA1
b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

SHA256
5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

SHA512
04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

Download Submit
C:\Users\Admin\AppData\Local\BaKV00lom\UxTheme.dll

Filesize
1.2MB

MD5
4805062b5804473fec13260470f04dd7

SHA1
ace58da7426303bcd7ba30cd2941e8656aff45b2

SHA256
5aa56f35e0912c50f79fc497138b1bcc477f8322d0700d58c04b6e6412c03e33

SHA512
b7926afd3b923747dedd7fa4406a82f987a34c55be4319905ae9035d0f67b26f0d27bd3af392f25ddc6bdc94b9743197c9d7d278b52c6acb498e455150b5656c

Download Submit
C:\Users\Admin\AppData\Local\BaKV00lom\cttune.exe

Filesize
90KB

MD5
fa924465a33833f41c1a39f6221ba460

SHA1
801d505d81e49d2b4ffa316245ca69ff58c523c3

SHA256
de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da

SHA512
eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757

Download Submit
C:\Users\Admin\AppData\Local\GHrqh4\ACTIVEDS.dll

Filesize
1.2MB

MD5
577a01d8d3fdb71668404752aa95c474

SHA1
384f93233aaddee07c5383571251492262028aee

SHA256
9079039df465f6b15406288726d952b58e48df2ef70e39ff1347b18abda74c63

SHA512
d506003143ba097e90c5d347e19559b89680cbc048d4ab447fce439f4759107e3fe9748c7e540beb848fcb7e31b761972784c48c9c17d219acce34e8246610b4

Download Submit
C:\Users\Admin\AppData\Local\GHrqh4\ApplySettingsTemplateCatalog.exe

Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rnysjhcczxaxza.lnk

Filesize
1KB

MD5
3b8e76dd8004bd2cb22fce2cb340b9c2

SHA1
91984523782f49d429557410d0ba692b8e4203a3

SHA256
24c07cdee771d36bccb3d175828f4547b168b25fce3e4f9071b417c8e162f394

SHA512
57109848c361c738ffd1d17174f507d6ae2367c8642753fb098bd558ad64897109ff7814d01266c401342f571d758428e66b2e42e84d0865582178e6c20c390c

Download Submit
memory/980-51-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/980-47-0x0000016265830000-0x0000016265837000-memory.dmp

Filesize
28KB

Download
memory/980-45-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2200-84-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3508-33-0x00007FF8426FA000-0x00007FF8426FB000-memory.dmp

Filesize
4KB

Download
memory/3508-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3508-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3508-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3508-6-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3508-4-0x0000000008CA0000-0x0000000008CA1000-memory.dmp

Filesize
4KB

Download
memory/3508-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3508-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3508-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3508-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3508-32-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3508-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3508-35-0x0000000008AF0000-0x0000000008AF7000-memory.dmp

Filesize
28KB

Download
memory/3508-37-0x00007FF843A10000-0x00007FF843A20000-memory.dmp

Filesize
64KB

Download
memory/3508-23-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4104-1-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4104-38-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4104-3-0x000001ED24CD0000-0x000001ED24CD7000-memory.dmp

Filesize
28KB

Download
memory/4352-68-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4352-65-0x000001B337440000-0x000001B337447000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads