dridex | 46041e5c693d0750c1d45de49962be9a767692f56c79ead576198d48ca0ed5d5

General

Target

1d19acd154bf1676f07c6ca4ade6d4d6_JaffaCakes118.dll
Size

1.2MB
MD5

1d19acd154bf1676f07c6ca4ade6d4d6
SHA1

ebbf27f296de3c89a58021d31e054204698ab477
SHA256

46041e5c693d0750c1d45de49962be9a767692f56c79ead576198d48ca0ed5d5
SHA512

1dcb97135d50c4e6ddf243473883440ad34537fd54aae72929e7a1c4d57c1e301400ccd2c4c870e127bee8be69052b796f3a222b9bc4f41c73b033cb80f4f210
SSDEEP

24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-5-0x0000000002510000-0x0000000002511000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

osk.exeSystemPropertiesHardware.exeSystemPropertiesComputerName.exe

pid process

2660 osk.exe
3000 SystemPropertiesHardware.exe
3016 SystemPropertiesComputerName.exe
Loads dropped DLL 7 IoCs

Processes:

osk.exeSystemPropertiesHardware.exeSystemPropertiesComputerName.exe

pid process

1192
2660 osk.exe
1192
3000 SystemPropertiesHardware.exe
1192
3016 SystemPropertiesComputerName.exe
1192

pid	process
2660	osk.exe
3000	SystemPropertiesHardware.exe
3016	SystemPropertiesComputerName.exe

pid	process
1192
2660	osk.exe
1192
3000	SystemPropertiesHardware.exe
1192
3016	SystemPropertiesComputerName.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\YNz4ERW23eG\\SystemPropertiesHardware.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeosk.exeSystemPropertiesHardware.exeSystemPropertiesComputerName.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2888	rundll32.exe
2888	rundll32.exe
2888	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1192 wrote to memory of 2564	1192	osk.exe
PID 1192 wrote to memory of 2564	1192	osk.exe
PID 1192 wrote to memory of 2564	1192	osk.exe
PID 1192 wrote to memory of 2660	1192	osk.exe
PID 1192 wrote to memory of 2660	1192	osk.exe
PID 1192 wrote to memory of 2660	1192	osk.exe
PID 1192 wrote to memory of 1152	1192	SystemPropertiesHardware.exe
PID 1192 wrote to memory of 1152	1192	SystemPropertiesHardware.exe
PID 1192 wrote to memory of 1152	1192	SystemPropertiesHardware.exe
PID 1192 wrote to memory of 3000	1192	SystemPropertiesHardware.exe
PID 1192 wrote to memory of 3000	1192	SystemPropertiesHardware.exe
PID 1192 wrote to memory of 3000	1192	SystemPropertiesHardware.exe
PID 1192 wrote to memory of 2992	1192	SystemPropertiesComputerName.exe
PID 1192 wrote to memory of 2992	1192	SystemPropertiesComputerName.exe
PID 1192 wrote to memory of 2992	1192	SystemPropertiesComputerName.exe
PID 1192 wrote to memory of 3016	1192	SystemPropertiesComputerName.exe
PID 1192 wrote to memory of 3016	1192	SystemPropertiesComputerName.exe
PID 1192 wrote to memory of 3016	1192	SystemPropertiesComputerName.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d19acd154bf1676f07c6ca4ade6d4d6_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2888

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2564

C:\Users\Admin\AppData\Local\rEpfd\osk.exe
C:\Users\Admin\AppData\Local\rEpfd\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2660

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:1152

C:\Users\Admin\AppData\Local\Fh7h9D\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\Fh7h9D\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3000

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:2992

C:\Users\Admin\AppData\Local\e1Ee\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\e1Ee\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3016

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Fh7h9D\SYSDM.CPL
Filesize
1.2MB

MD5
b38d46e264f8734174d1613c3d0d7f40

SHA1
7852b62dc51b05002b5e432dc7feb6adf05ed9cb

SHA256
4c048506f0394b69c6ae8b07becd45f94c32e56578d7d6928fbf735a856e4919

SHA512
d7fa879847507090f78ea0d90c08c77a6f684aee07d9d8f5ff7c4fd11e2afcc30fb2be7ad03dded5d2d5b7639c16032a2a8996307fb8c64b5d858e2cf175cb92

Download Submit
C:\Users\Admin\AppData\Local\e1Ee\SYSDM.CPL
Filesize
1.2MB

MD5
441a4f93d357064e71c6ecb9e4d08831

SHA1
97193533dde299b3da83bc7994114d86beefce75

SHA256
56128620769e3a6b765fedbd321a15db277d78553c773c31cc99534a25ca01d7

SHA512
5dd9fdf06dd106148e2d09a7d002a99c1e5b39e5e0fbbf10c6adee74cfc7b9a859216c2ef2093b2b234cdb77ea44204f86f1bf477b090b28d9dcb850a2928683

Download Submit
C:\Users\Admin\AppData\Local\rEpfd\WMsgAPI.dll
Filesize
1.2MB

MD5
11523253d83da1d3cbd744e803c4fec5

SHA1
3748e0c6a834e642aa88bef90d73cc186cc88990

SHA256
706ab2c9a40d8aa8e35e09ed924b910a8e81367c108e3422c447bc17c1bd2639

SHA512
2b47bdc621ac0e9b8edc65f18b29364ba24c2ae33f6652d134917c1e091549f00aa9e6943a9ef5829d4ef7e76db9afc0b8fbc9283f5b6b4b629378eb0ce0ef93

Download Submit
C:\Users\Admin\AppData\Local\rEpfd\osk.exe
Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
Filesize
1KB

MD5
9dd323706c587b65e04872b97a2f9430

SHA1
88b108169c519d9bc0bd63a09a750ccbd36b9b8f

SHA256
2368629a63c868f731133a4710a12e0f5942d10a188f9d57374ed17df12a77ed

SHA512
595d1ce3745bd929f6aaead861441b40f03766a94a8d39cbd2fa9196831d6f96406cca5ccfcedda70049340f152ea9e7f24d8e4150a91a3363fe9583e1ee8924

Download Submit
\Users\Admin\AppData\Local\Fh7h9D\SystemPropertiesHardware.exe
Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Local\e1Ee\SystemPropertiesComputerName.exe
Filesize
80KB

MD5
bd889683916aa93e84e1a75802918acf

SHA1
5ee66571359178613a4256a7470c2c3e6dd93cfa

SHA256
0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

SHA512
9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Download Submit
memory/1192-9-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1192-65-0x0000000076DF6000-0x0000000076DF7000-memory.dmp

Filesize
4KB

Download
memory/1192-25-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1192-14-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1192-13-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1192-27-0x0000000076F01000-0x0000000076F02000-memory.dmp

Filesize
4KB

Download
memory/1192-12-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1192-11-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1192-10-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1192-4-0x0000000076DF6000-0x0000000076DF7000-memory.dmp

Filesize
4KB

Download
memory/1192-28-0x0000000077090000-0x0000000077092000-memory.dmp

Filesize
8KB

Download
memory/1192-38-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1192-37-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1192-5-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1192-26-0x00000000024F0000-0x00000000024F7000-memory.dmp

Filesize
28KB

Download
memory/1192-16-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1192-8-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1192-7-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1192-15-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2660-60-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2660-54-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2660-57-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2888-46-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2888-0-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/2888-1-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3000-73-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/3000-79-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3016-96-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads