dridex | b23b7277f4aa14f76a34accc9c26a18714be7e1601ca8c19c195d0b8251cf96d

General

Target

14424e927320cb758b2c314ebe1df889_JaffaCakes118.dll
Size

1.2MB
MD5

14424e927320cb758b2c314ebe1df889
SHA1

1f20dd2472d5684b850b991ce30714ecf8a3b9d1
SHA256

b23b7277f4aa14f76a34accc9c26a18714be7e1601ca8c19c195d0b8251cf96d
SHA512

717aa863b1935aec5e50025bc90aeb580f905b74019060ca3960f11c4ffe2a5f8ec1a2086ea8a19297696f68519b714cb4e94b53486b8b6fcd160e1076d04055
SSDEEP

24576:vuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:R9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-5-0x00000000025D0000-0x00000000025D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

vmicsvc.exeWindowsAnytimeUpgradeResults.exeDxpserver.exe

pid process

2740 vmicsvc.exe
1912 WindowsAnytimeUpgradeResults.exe
2912 Dxpserver.exe
Loads dropped DLL 7 IoCs

Processes:

vmicsvc.exeWindowsAnytimeUpgradeResults.exeDxpserver.exe

pid process

1196
2740 vmicsvc.exe
1196
1912 WindowsAnytimeUpgradeResults.exe
1196
2912 Dxpserver.exe
1196

pid	process
2740	vmicsvc.exe
1912	WindowsAnytimeUpgradeResults.exe
2912	Dxpserver.exe

pid	process
1196
2740	vmicsvc.exe
1196
1912	WindowsAnytimeUpgradeResults.exe
1196
2912	Dxpserver.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\SYSTEM~1\\iWMpp\\WINDOW~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Dxpserver.exerundll32.exevmicsvc.exeWindowsAnytimeUpgradeResults.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3008	rundll32.exe
3008	rundll32.exe
3008	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 3020	1196	vmicsvc.exe
PID 1196 wrote to memory of 3020	1196	vmicsvc.exe
PID 1196 wrote to memory of 3020	1196	vmicsvc.exe
PID 1196 wrote to memory of 2740	1196	vmicsvc.exe
PID 1196 wrote to memory of 2740	1196	vmicsvc.exe
PID 1196 wrote to memory of 2740	1196	vmicsvc.exe
PID 1196 wrote to memory of 2992	1196	WindowsAnytimeUpgradeResults.exe
PID 1196 wrote to memory of 2992	1196	WindowsAnytimeUpgradeResults.exe
PID 1196 wrote to memory of 2992	1196	WindowsAnytimeUpgradeResults.exe
PID 1196 wrote to memory of 1912	1196	WindowsAnytimeUpgradeResults.exe
PID 1196 wrote to memory of 1912	1196	WindowsAnytimeUpgradeResults.exe
PID 1196 wrote to memory of 1912	1196	WindowsAnytimeUpgradeResults.exe
PID 1196 wrote to memory of 2956	1196	Dxpserver.exe
PID 1196 wrote to memory of 2956	1196	Dxpserver.exe
PID 1196 wrote to memory of 2956	1196	Dxpserver.exe
PID 1196 wrote to memory of 2912	1196	Dxpserver.exe
PID 1196 wrote to memory of 2912	1196	Dxpserver.exe
PID 1196 wrote to memory of 2912	1196	Dxpserver.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\14424e927320cb758b2c314ebe1df889_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3008

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:3020

C:\Users\Admin\AppData\Local\GO1d3\vmicsvc.exe
C:\Users\Admin\AppData\Local\GO1d3\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2740

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:2992

C:\Users\Admin\AppData\Local\EdcmhpPVn\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\EdcmhpPVn\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1912

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:2956

C:\Users\Admin\AppData\Local\9H1yWC6R\Dxpserver.exe
C:\Users\Admin\AppData\Local\9H1yWC6R\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2912

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9H1yWC6R\XmlLite.dll
Filesize
1.2MB

MD5
0146980d1cff6478d148584fe8ad0d67

SHA1
7430b62692a5b17e26264b945567da6fc58205a3

SHA256
868c4f887537538adc6199c2a1fa918dfdc351579e8525c27dc04f70ecd9b2da

SHA512
a8f26e786602641fa70f4438b91bbaef7c64a8197286ea4f1682bc2989e01b31d6f9acfa5cfae35267b1736c79c120b48aeab014340ea74072e8d2887c484236

Download Submit
C:\Users\Admin\AppData\Local\EdcmhpPVn\UxTheme.dll
Filesize
1.2MB

MD5
6a5a5dc515a062719d867f15285c83ea

SHA1
cc51cda33d897dee488c51823a033dad1b6537e5

SHA256
f203f39d1e056362b34e4569a58802b98f88885d0268e585d4bd17b9e7d53498

SHA512
3bf88c34fff3cde7cf63b7b4e6cbe81a11196e85d9e3d9dd5725fab2c1891e6d01c58f8ec7aba6922b28a07847915d11adecf0fb494bb10de3e91e1cc87f4a35

Download Submit
C:\Users\Admin\AppData\Local\GO1d3\ACTIVEDS.dll
Filesize
1.2MB

MD5
672b2bc2c73a83c1acd182960d2952e6

SHA1
f2254e27f37d48a4a95b17c03116e367462966b4

SHA256
a808b4c3ace70b605a90df973d61bb5f460299797512db0654dce5ba9a59027a

SHA512
6360e07f04d23e6772779208b4cb7af1985e5d7ebc9e0d494bba832ccdd1875cd24d29d56d42f7037050dc7c62f17029176b2e7044a547405a6de51a08518dfd

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnk
Filesize
1KB

MD5
f4767a951c6126d6c25d3e2f2f60dfd5

SHA1
a6db18caabc386f6c1b4455eba0da977e4354bcf

SHA256
5878c105e903fd12cd62a51e4ddb83553f6301e6d6e110671a14b24b29dc1a0e

SHA512
d395dfec603e2fddd4d7fd3f2e881f7a78903f9c56b93596b6c0a47bbaff9b7650c94a1256088fa480ce307d3aff2703197e848f82139f4b5cbab027b6f86b48

Download Submit
\Users\Admin\AppData\Local\9H1yWC6R\Dxpserver.exe
Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\EdcmhpPVn\WindowsAnytimeUpgradeResults.exe
Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
\Users\Admin\AppData\Local\GO1d3\vmicsvc.exe
Filesize
238KB

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
memory/1196-8-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-28-0x0000000077311000-0x0000000077312000-memory.dmp

Filesize
4KB

Download
memory/1196-17-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-16-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-15-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-14-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-13-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-11-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-10-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-9-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-4-0x0000000077206000-0x0000000077207000-memory.dmp

Filesize
4KB

Download
memory/1196-29-0x00000000774A0000-0x00000000774A2000-memory.dmp

Filesize
8KB

Download
memory/1196-39-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-38-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1196-27-0x00000000025B0000-0x00000000025B7000-memory.dmp

Filesize
28KB

Download
memory/1196-26-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-7-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-18-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1196-66-0x0000000077206000-0x0000000077207000-memory.dmp

Filesize
4KB

Download
memory/1912-74-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/1912-75-0x000007FEF5F90000-0x000007FEF60D2000-memory.dmp

Filesize
1.3MB

Download
memory/1912-80-0x000007FEF5F90000-0x000007FEF60D2000-memory.dmp

Filesize
1.3MB

Download
memory/2740-61-0x000007FEF6A30000-0x000007FEF6B72000-memory.dmp

Filesize
1.3MB

Download
memory/2740-58-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2740-55-0x000007FEF6A30000-0x000007FEF6B72000-memory.dmp

Filesize
1.3MB

Download
memory/2912-95-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2912-98-0x000007FEF5F90000-0x000007FEF60D2000-memory.dmp

Filesize
1.3MB

Download
memory/3008-47-0x000007FEF5F90000-0x000007FEF60D1000-memory.dmp

Filesize
1.3MB

Download
memory/3008-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/3008-1-0x000007FEF5F90000-0x000007FEF60D1000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads