dridex | de768935312e545c65bc8eb1f91461fb2729fcb0517af6efdbdca5c9b6cb6c66

General

Target

1ac433a51896469ce8de0c2112476c6b_JaffaCakes118.dll
Size

987KB
MD5

1ac433a51896469ce8de0c2112476c6b
SHA1

5c865ccaac2a42edeeca9faa7928a8b578fc95d5
SHA256

de768935312e545c65bc8eb1f91461fb2729fcb0517af6efdbdca5c9b6cb6c66
SHA512

112a8ba84ca41f00c0fe649b70453f07851a973ec018488fab0ec5e57bc28378f4c520ea607e31f8251163cfa8a6c69b7d2352609ab0d917a7d4319f07aef4d4
SSDEEP

24576:6VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:6V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3528-4-0x0000000003020000-0x0000000003021000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesComputerName.exeSystemPropertiesAdvanced.exesystemreset.exe

pid process

3280 SystemPropertiesComputerName.exe
4512 SystemPropertiesAdvanced.exe
2544 systemreset.exe
Loads dropped DLL 4 IoCs

Processes:

SystemPropertiesComputerName.exeSystemPropertiesAdvanced.exesystemreset.exe

pid process

3280 SystemPropertiesComputerName.exe
4512 SystemPropertiesAdvanced.exe
2544 systemreset.exe
2544 systemreset.exe

pid	process
3280	SystemPropertiesComputerName.exe
4512	SystemPropertiesAdvanced.exe
2544	systemreset.exe

pid	process
3280	SystemPropertiesComputerName.exe
4512	SystemPropertiesAdvanced.exe
2544	systemreset.exe
2544	systemreset.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jhyzxpkzi = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\Jj\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesComputerName.exeSystemPropertiesAdvanced.exesystemreset.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
3996	regsvr32.exe
3996	regsvr32.exe
3996	regsvr32.exe
3996	regsvr32.exe
3996	regsvr32.exe
3996	regsvr32.exe
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3528

pid	process
3528

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3528 wrote to memory of 4048	3528	SystemPropertiesComputerName.exe
PID 3528 wrote to memory of 4048	3528	SystemPropertiesComputerName.exe
PID 3528 wrote to memory of 3280	3528	SystemPropertiesComputerName.exe
PID 3528 wrote to memory of 3280	3528	SystemPropertiesComputerName.exe
PID 3528 wrote to memory of 3640	3528	SystemPropertiesAdvanced.exe
PID 3528 wrote to memory of 3640	3528	SystemPropertiesAdvanced.exe
PID 3528 wrote to memory of 4512	3528	SystemPropertiesAdvanced.exe
PID 3528 wrote to memory of 4512	3528	SystemPropertiesAdvanced.exe
PID 3528 wrote to memory of 4064	3528	systemreset.exe
PID 3528 wrote to memory of 4064	3528	systemreset.exe
PID 3528 wrote to memory of 2544	3528	systemreset.exe
PID 3528 wrote to memory of 2544	3528	systemreset.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1ac433a51896469ce8de0c2112476c6b_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3996

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:4048

C:\Users\Admin\AppData\Local\COQW\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\COQW\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3280

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:3640

C:\Users\Admin\AppData\Local\PFYyr57s\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\PFYyr57s\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4512

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:4064

C:\Users\Admin\AppData\Local\9ak\systemreset.exe
C:\Users\Admin\AppData\Local\9ak\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9ak\ReAgent.dll
Filesize
989KB

MD5
ea67dcb9b03937fcee3e2be787fd011d

SHA1
eb7e44e0c329e78137b6f747ec1f5d4f1d321192

SHA256
e8532eceaed93a4cf71a5e70e175f22c46d88227caa98843a7b935a86469f2e7

SHA512
5329f1f19a5670a9c0224a7d7f77d954158725812f917950e69f177224f369e863b891338feda3b531638f94574bb215aaf0032baf1e040d9c108acedab185c1

Download Submit
C:\Users\Admin\AppData\Local\9ak\systemreset.exe
Filesize
508KB

MD5
325ff647506adb89514defdd1c372194

SHA1
84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

SHA256
ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

SHA512
8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

Download Submit
C:\Users\Admin\AppData\Local\COQW\SYSDM.CPL
Filesize
988KB

MD5
364ae88f2734d0c32192594e70609e0e

SHA1
eb5d888025ea449f94821f9c27be2a6267e9e6af

SHA256
84f22f1ca2817ebde8443d073f9dda75f9f02f3db63fd6a7b1607ea77e671cd2

SHA512
25689c1dba5536f903964152aa7fcce1bad73f1c793fcd49c320c1b72ed8fea672e3e94e37955ebc0df7d1b4b297479cbdaa403291f1eb646401cfcf1f6920e0

Download Submit
C:\Users\Admin\AppData\Local\COQW\SystemPropertiesComputerName.exe
Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Local\PFYyr57s\SYSDM.CPL
Filesize
988KB

MD5
129bf8ae6f20fa7dea0e7f095c5b504b

SHA1
0fcf38b9265c6cccf79222d1d0113652c1564678

SHA256
e25221c5bc08f397ca6abc6614ce69c474b01bffe5058f76c1cb4efd039024ae

SHA512
7367b7fb21c98df699e7522fef260b97b166828a8fd509b853e59c5ec9e8619f61095351db785610cb015e7dc59db908b4e1406af466490e28b59daa3f755663

Download Submit
C:\Users\Admin\AppData\Local\PFYyr57s\SystemPropertiesAdvanced.exe
Filesize
82KB

MD5
fa040b18d2d2061ab38cf4e52e753854

SHA1
b1b37124e9afd6c860189ce4d49cebbb2e4c57bc

SHA256
c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c

SHA512
511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Usvyddaywmbx.lnk
Filesize
1KB

MD5
f4993befe74ddbc52224f8c9f2a3fe59

SHA1
0b6fabc2deb529544f4de5790fa8b0e12a6c0090

SHA256
cb9988914e77499fe00a1273169c03c20dc357b65fbba9261b244dd29b794ace

SHA512
b5950f6d8592b2559f2e09cbeb93a327e3d7835662aefac335889a7fa65a1a8258d493d31d336afb47735f4d8c784e918398ca6093b770ad2b71ff9962762ce7

Download Submit
memory/2544-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3280-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3280-47-0x000001451DB80000-0x000001451DB87000-memory.dmp

Filesize
28KB

Download
memory/3280-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3528-31-0x0000000001010000-0x0000000001017000-memory.dmp

Filesize
28KB

Download
memory/3528-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3528-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3528-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3528-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3528-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3528-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3528-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3528-30-0x00007FFDBF49A000-0x00007FFDBF49B000-memory.dmp

Filesize
4KB

Download
memory/3528-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3528-4-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/3528-32-0x00007FFDC1370000-0x00007FFDC1380000-memory.dmp

Filesize
64KB

Download
memory/3528-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3528-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3996-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3996-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3996-3-0x0000000002840000-0x0000000002847000-memory.dmp

Filesize
28KB

Download
memory/4512-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4512-64-0x0000024466A70000-0x0000024466A77000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads