dridex | 75a98ffedbb5dee82b11bc4a19ac10b9d58d8080ec4c4be4f70bff6ed3428cbe

General

Target

1b2ca79cca5e5492588d3d2661fc858a_JaffaCakes118.dll
Size

990KB
MD5

1b2ca79cca5e5492588d3d2661fc858a
SHA1

a7a57ae852789a84636ee60383edaf89b4b91f28
SHA256

75a98ffedbb5dee82b11bc4a19ac10b9d58d8080ec4c4be4f70bff6ed3428cbe
SHA512

416dc8c67d95eab78e7567b0a5e0a5f4f6a454ed4d663d1cfa072cb331543e6e73834bdb5b32349cc77a5b79f6d3fb61ddb5530745ac8f4a6c1934c37913f41a
SSDEEP

24576:IVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8zt:IV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3544-4-0x00000000024C0000-0x00000000024C1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

EhStorAuthn.exeAtBroker.exemsinfo32.exe

pid process

4716 EhStorAuthn.exe
2788 AtBroker.exe
4400 msinfo32.exe
Loads dropped DLL 3 IoCs

Processes:

EhStorAuthn.exeAtBroker.exemsinfo32.exe

pid process

4716 EhStorAuthn.exe
2788 AtBroker.exe
4400 msinfo32.exe

pid	process
4716	EhStorAuthn.exe
2788	AtBroker.exe
4400	msinfo32.exe

pid	process
4716	EhStorAuthn.exe
2788	AtBroker.exe
4400	msinfo32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jrbkpoyx = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\UQf4x34Ykfy\\AtBroker.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeEhStorAuthn.exeAtBroker.exemsinfo32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AtBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4948	rundll32.exe
4948	rundll32.exe
4948	rundll32.exe
4948	rundll32.exe
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3544

pid	process
3544

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3544 wrote to memory of 1608	3544	EhStorAuthn.exe
PID 3544 wrote to memory of 1608	3544	EhStorAuthn.exe
PID 3544 wrote to memory of 4716	3544	EhStorAuthn.exe
PID 3544 wrote to memory of 4716	3544	EhStorAuthn.exe
PID 3544 wrote to memory of 4960	3544	AtBroker.exe
PID 3544 wrote to memory of 4960	3544	AtBroker.exe
PID 3544 wrote to memory of 2788	3544	AtBroker.exe
PID 3544 wrote to memory of 2788	3544	AtBroker.exe
PID 3544 wrote to memory of 3772	3544	msinfo32.exe
PID 3544 wrote to memory of 3772	3544	msinfo32.exe
PID 3544 wrote to memory of 4400	3544	msinfo32.exe
PID 3544 wrote to memory of 4400	3544	msinfo32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b2ca79cca5e5492588d3d2661fc858a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:1608

C:\Users\Admin\AppData\Local\kFlK\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\kFlK\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4716

C:\Windows\system32\AtBroker.exe
C:\Windows\system32\AtBroker.exe
1⤵
PID:4960

C:\Users\Admin\AppData\Local\dzjNa8\AtBroker.exe
C:\Users\Admin\AppData\Local\dzjNa8\AtBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2788

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:3772

C:\Users\Admin\AppData\Local\pytpZzSM\msinfo32.exe
C:\Users\Admin\AppData\Local\pytpZzSM\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4400

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dzjNa8\AtBroker.exe
Filesize
90KB

MD5
30076e434a015bdf4c136e09351882cc

SHA1
584c958a35e23083a0861421357405afd26d9a0c

SHA256
ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

SHA512
675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

Download Submit
C:\Users\Admin\AppData\Local\dzjNa8\UxTheme.dll
Filesize
993KB

MD5
ce4092286f1bc79372caa0915c9a8845

SHA1
c04c8b7dccffbd36ec9758a74a45efe1e75378ec

SHA256
a01bcf704c9374e318445d6d9e3c83ea24bb5b03ed1e694e51456ff18d6caae6

SHA512
eb44ff7bfb3a7a03976b6563d891250a24e0d6b5350a62094dbe88dcc432a86e724bdc8b4c5e51cedccdd1f6eb26dcb83f6ab8800fb83ea37fbe758886201381

Download Submit
C:\Users\Admin\AppData\Local\kFlK\EhStorAuthn.exe
Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\kFlK\UxTheme.dll
Filesize
993KB

MD5
efba8adc274630a47baa2758cc6f6a75

SHA1
af5afc1eec3fdfef38a11a1fd9d81d28195806b9

SHA256
97d75089ea1a97f74cc0a343fc6d1623b38c332ef015874e2429720f21e4de21

SHA512
fb85c2d46ba8eb921e9d54c7dee0774945f188acbcd78b78f5081ce72bfe43dc230bf59e4e7be3bd013c73b90842e6ca59b4a944abee4ec31c96ed539a0a8022

Download Submit
C:\Users\Admin\AppData\Local\pytpZzSM\MFC42u.dll
Filesize
1018KB

MD5
63e6d7ea4a540ff9141da9e73c6bb4ec

SHA1
d44a101fb18a49760a4f036101a4bd61a45025e0

SHA256
b2e268020496f233a73dc06605f364a532ae6abccec7b14b2d79e6f63028b514

SHA512
d9debcb5903634ff17ceade3a841c077a60318ddd89680f950923eb4c0296c0b5735a59dd9d831ba92c286b5bd995901cbb8dc8c81db2454a965b92131ccf35b

Download Submit
C:\Users\Admin\AppData\Local\pytpZzSM\msinfo32.exe
Filesize
376KB

MD5
0aed91da63713bf9f881b03a604a1c9d

SHA1
b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

SHA256
5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

SHA512
04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xzasfouulwckbw.lnk
Filesize
1KB

MD5
68a63da172eab2efa3464ac9c1ff16c7

SHA1
0af2076578573855b4d2173ba465ffeec39cd45e

SHA256
4b802cfef1698374dd59e458e734d25952fbaf6b8f4ab33be799e348b6c4a145

SHA512
a8ccf07405178ca0e57d74b18e8a57a8fdfbaa38cfc1af201c4f2ef97abe93f0ea7514c640c55b3582d555de4997819ec25127cdb616cbb57cf12d5fb6c91afa

Download Submit
memory/2788-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2788-64-0x0000020C867A0000-0x0000020C867A7000-memory.dmp

Filesize
28KB

Download
memory/3544-31-0x0000000001E20000-0x0000000001E27000-memory.dmp

Filesize
28KB

Download
memory/3544-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-4-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/3544-30-0x00007FFB9079A000-0x00007FFB9079B000-memory.dmp

Filesize
4KB

Download
memory/3544-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-32-0x00007FFB91F50000-0x00007FFB91F60000-memory.dmp

Filesize
64KB

Download
memory/3544-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4400-80-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/4400-83-0x0000020406B00000-0x0000020406B07000-memory.dmp

Filesize
28KB

Download
memory/4400-86-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/4716-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4716-44-0x000001F4DC0C0000-0x000001F4DC0C7000-memory.dmp

Filesize
28KB

Download
memory/4716-45-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4948-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4948-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4948-3-0x00000255B7460000-0x00000255B7467000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads