dridex | b23b7277f4aa14f76a34accc9c26a18714be7e1601ca8c19c195d0b8251cf96d

General

Target

14424e927320cb758b2c314ebe1df889_JaffaCakes118.dll
Size

1.2MB
MD5

14424e927320cb758b2c314ebe1df889
SHA1

1f20dd2472d5684b850b991ce30714ecf8a3b9d1
SHA256

b23b7277f4aa14f76a34accc9c26a18714be7e1601ca8c19c195d0b8251cf96d
SHA512

717aa863b1935aec5e50025bc90aeb580f905b74019060ca3960f11c4ffe2a5f8ec1a2086ea8a19297696f68519b714cb4e94b53486b8b6fcd160e1076d04055
SSDEEP

24576:vuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:R9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3544-4-0x0000000002670000-0x0000000002671000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

PresentationHost.exesigverif.execttune.exe

pid process

3428 PresentationHost.exe
3228 sigverif.exe
920 cttune.exe
Loads dropped DLL 3 IoCs

Processes:

PresentationHost.exesigverif.execttune.exe

pid process

3428 PresentationHost.exe
3228 sigverif.exe
920 cttune.exe

pid	process
3428	PresentationHost.exe
3228	sigverif.exe
920	cttune.exe

pid	process
3428	PresentationHost.exe
3228	sigverif.exe
920	cttune.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wuaobpzp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3726321484-1950364574-433157660-1000\\03nzJxt5IdQ\\sigverif.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exePresentationHost.exesigverif.execttune.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3484	rundll32.exe
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3544

pid	process
3544

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3544 wrote to memory of 1436	3544	PresentationHost.exe
PID 3544 wrote to memory of 1436	3544	PresentationHost.exe
PID 3544 wrote to memory of 3428	3544	PresentationHost.exe
PID 3544 wrote to memory of 3428	3544	PresentationHost.exe
PID 3544 wrote to memory of 4592	3544	sigverif.exe
PID 3544 wrote to memory of 4592	3544	sigverif.exe
PID 3544 wrote to memory of 3228	3544	sigverif.exe
PID 3544 wrote to memory of 3228	3544	sigverif.exe
PID 3544 wrote to memory of 2896	3544	cttune.exe
PID 3544 wrote to memory of 2896	3544	cttune.exe
PID 3544 wrote to memory of 920	3544	cttune.exe
PID 3544 wrote to memory of 920	3544	cttune.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\14424e927320cb758b2c314ebe1df889_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3484

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:1436

C:\Users\Admin\AppData\Local\ETZyuzI\PresentationHost.exe
C:\Users\Admin\AppData\Local\ETZyuzI\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3428

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:4592

C:\Users\Admin\AppData\Local\j5pFM\sigverif.exe
C:\Users\Admin\AppData\Local\j5pFM\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3228

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2896

C:\Users\Admin\AppData\Local\8Nog\cttune.exe
C:\Users\Admin\AppData\Local\8Nog\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8Nog\OLEACC.dll
Filesize
1.2MB

MD5
eaf26032403b374f75ffa95247e72b5b

SHA1
c100765426108dd0c756e64ea16c717f26094109

SHA256
01031d41295775620ca30056f00e107b8fa1758a6b626a77756c18b8debd47ba

SHA512
88e332dee2cec2dc0e31c2e94b58b7634a6315ad285bdd8d93e4d4c933eb535b8ce04eb199e4d5807fe89cc0ff09e8da6fdf1054d1072b89de2b757bca0f73db

Download Submit
C:\Users\Admin\AppData\Local\8Nog\cttune.exe
Filesize
90KB

MD5
fa924465a33833f41c1a39f6221ba460

SHA1
801d505d81e49d2b4ffa316245ca69ff58c523c3

SHA256
de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da

SHA512
eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757

Download Submit
C:\Users\Admin\AppData\Local\ETZyuzI\PresentationHost.exe
Filesize
276KB

MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\ETZyuzI\VERSION.dll
Filesize
1.2MB

MD5
7cfe9791804b4220b13a70f02f0e91f4

SHA1
838629ce4c800b9b914acc8db59eeb68b60f80c7

SHA256
d3dea9209554220114cb9f8a8c17ecbe2e7e9b36c29324f9cceb23b6a341cef2

SHA512
8912b387dc52cf9add6c889d0abc482055ef51d1cdfe41111eb61aabcc6526085e2ad12b7927b03c181df616652354d5a6fdfc3c1e0e327e5d9f928e180a6bce

Download Submit
C:\Users\Admin\AppData\Local\j5pFM\VERSION.dll
Filesize
1.2MB

MD5
e3628355c20af112457ddbc248a3a843

SHA1
d9da37bd312c185d03fa62b2305b70b08ae9a447

SHA256
dcd771d076464514148e6e15962ff0d4824de581049eb3c4b2e5fc6b8f42d693

SHA512
f763fd9a5c67bff4d5d2bc38f571e44f27dea6e0e4542db7372a00b66099a814bd80930aa9cee73aaf589ea1beea5d126e3f0afa838a7b227f51cb231be80e2b

Download Submit
C:\Users\Admin\AppData\Local\j5pFM\sigverif.exe
Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aibqacvbwgcfz.lnk
Filesize
1KB

MD5
d7e76f86270d9cb8adefeea66c8917e2

SHA1
d9243b0e28e66ceaee446485db02c55df86d97fd

SHA256
edc5109a7e2e49a9ea237640ad13977b9285f789d3aa7ed5c6cb7d1f87c5c067

SHA512
579d27bae97a430891334c5bd4cb13443b9733ff5b41cdf341843b8dea2610cef3851ac6f9ccfec29ff65a016dd191633e6616d53a3323f409958be5a3a1b910

Download Submit
memory/920-86-0x00007FFC83070000-0x00007FFC831B2000-memory.dmp

Filesize
1.3MB

Download
memory/3228-70-0x00007FFC92220000-0x00007FFC92362000-memory.dmp

Filesize
1.3MB

Download
memory/3228-64-0x00007FFC92220000-0x00007FFC92362000-memory.dmp

Filesize
1.3MB

Download
memory/3228-67-0x00000219A48F0000-0x00000219A48F7000-memory.dmp

Filesize
28KB

Download
memory/3428-53-0x00007FFC83070000-0x00007FFC831B2000-memory.dmp

Filesize
1.3MB

Download
memory/3428-47-0x00007FFC83070000-0x00007FFC831B2000-memory.dmp

Filesize
1.3MB

Download
memory/3428-50-0x0000022DA3010000-0x0000022DA3017000-memory.dmp

Filesize
28KB

Download
memory/3484-40-0x00007FFC92220000-0x00007FFC92361000-memory.dmp

Filesize
1.3MB

Download
memory/3484-0-0x00007FFC92220000-0x00007FFC92361000-memory.dmp

Filesize
1.3MB

Download
memory/3484-3-0x000002C820040000-0x000002C820047000-memory.dmp

Filesize
28KB

Download
memory/3544-33-0x00007FFC9F62A000-0x00007FFC9F62B000-memory.dmp

Filesize
4KB

Download
memory/3544-14-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-37-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-7-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-8-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-9-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-10-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-11-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-6-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-15-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-17-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-34-0x0000000000C90000-0x0000000000C97000-memory.dmp

Filesize
28KB

Download
memory/3544-35-0x00007FFCA07B0000-0x00007FFCA07C0000-memory.dmp

Filesize
64KB

Download
memory/3544-25-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-16-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-13-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3544-4-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads