dridex | 46041e5c693d0750c1d45de49962be9a767692f56c79ead576198d48ca0ed5d5

General

Target

1d19acd154bf1676f07c6ca4ade6d4d6_JaffaCakes118.dll
Size

1.2MB
MD5

1d19acd154bf1676f07c6ca4ade6d4d6
SHA1

ebbf27f296de3c89a58021d31e054204698ab477
SHA256

46041e5c693d0750c1d45de49962be9a767692f56c79ead576198d48ca0ed5d5
SHA512

1dcb97135d50c4e6ddf243473883440ad34537fd54aae72929e7a1c4d57c1e301400ccd2c4c870e127bee8be69052b796f3a222b9bc4f41c73b033cb80f4f210
SSDEEP

24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3528-4-0x0000000003240000-0x0000000003241000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

RecoveryDrive.exeSystemPropertiesAdvanced.exesessionmsg.exe

pid process

2564 RecoveryDrive.exe
3756 SystemPropertiesAdvanced.exe
1772 sessionmsg.exe
Loads dropped DLL 3 IoCs

Processes:

RecoveryDrive.exeSystemPropertiesAdvanced.exesessionmsg.exe

pid process

2564 RecoveryDrive.exe
3756 SystemPropertiesAdvanced.exe
1772 sessionmsg.exe

pid	process
2564	RecoveryDrive.exe
3756	SystemPropertiesAdvanced.exe
1772	sessionmsg.exe

pid	process
2564	RecoveryDrive.exe
3756	SystemPropertiesAdvanced.exe
1772	sessionmsg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wuaobpzp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\MfoQ6gU\\SystemPropertiesAdvanced.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesAdvanced.exesessionmsg.exerundll32.exeRecoveryDrive.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RecoveryDrive.exe

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3096	rundll32.exe
3096	rundll32.exe
3096	rundll32.exe
3096	rundll32.exe
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528
3528

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3528
Token: SeCreatePagefilePrivilege	3528
Token: SeShutdownPrivilege	3528
Token: SeCreatePagefilePrivilege	3528
Token: SeShutdownPrivilege	3528
Token: SeCreatePagefilePrivilege	3528
Token: SeShutdownPrivilege	3528
Token: SeCreatePagefilePrivilege	3528
Token: SeShutdownPrivilege	3528
Token: SeCreatePagefilePrivilege	3528
Token: SeShutdownPrivilege	3528
Token: SeCreatePagefilePrivilege	3528
Token: SeShutdownPrivilege	3528
Token: SeCreatePagefilePrivilege	3528
Token: SeShutdownPrivilege	3528
Token: SeCreatePagefilePrivilege	3528
Token: SeShutdownPrivilege	3528
Token: SeCreatePagefilePrivilege	3528
Token: SeShutdownPrivilege	3528
Token: SeCreatePagefilePrivilege	3528
Token: SeShutdownPrivilege	3528
Token: SeCreatePagefilePrivilege	3528
Token: SeShutdownPrivilege	3528
Token: SeCreatePagefilePrivilege	3528

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3528
3528
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3528

pid	process
3528
3528

pid	process
3528

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3528 wrote to memory of 1628	3528	RecoveryDrive.exe
PID 3528 wrote to memory of 1628	3528	RecoveryDrive.exe
PID 3528 wrote to memory of 2564	3528	RecoveryDrive.exe
PID 3528 wrote to memory of 2564	3528	RecoveryDrive.exe
PID 3528 wrote to memory of 2980	3528	SystemPropertiesAdvanced.exe
PID 3528 wrote to memory of 2980	3528	SystemPropertiesAdvanced.exe
PID 3528 wrote to memory of 3756	3528	SystemPropertiesAdvanced.exe
PID 3528 wrote to memory of 3756	3528	SystemPropertiesAdvanced.exe
PID 3528 wrote to memory of 5072	3528	sessionmsg.exe
PID 3528 wrote to memory of 5072	3528	sessionmsg.exe
PID 3528 wrote to memory of 1772	3528	sessionmsg.exe
PID 3528 wrote to memory of 1772	3528	sessionmsg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d19acd154bf1676f07c6ca4ade6d4d6_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3096

C:\Windows\system32\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
1⤵
PID:1628

C:\Users\Admin\AppData\Local\BcMw4F06w\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\BcMw4F06w\RecoveryDrive.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2564

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:2980

C:\Users\Admin\AppData\Local\QvGyJhC\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\QvGyJhC\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3756

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:5072

C:\Users\Admin\AppData\Local\fKkhWk\sessionmsg.exe
C:\Users\Admin\AppData\Local\fKkhWk\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BcMw4F06w\RecoveryDrive.exe
Filesize
911KB

MD5
b9b3dc6f2eb89e41ff27400952602c74

SHA1
24ae07e0db3ace0809d08bbd039db3a9d533e81b

SHA256
630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

SHA512
7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

Download Submit
C:\Users\Admin\AppData\Local\BcMw4F06w\UxTheme.dll
Filesize
1.2MB

MD5
c41d6839c1f1ca4ec73f9eaf2409e1fa

SHA1
63882ba7db843a8d4e3657f7caea97f80ea4cda8

SHA256
97d6ab96faa525efd791c1f38f6b9720522b8cac00d1a3edd25c9e0faed3f3be

SHA512
fd2accf4b4fe1cc7a85d819ebf0dbeca8adefb1b9660dbc24dff86f51a11d16b07c23f44eff50c0357ec9969b5def4746b58f5ba32920005c8005b4044914206

Download Submit
C:\Users\Admin\AppData\Local\QvGyJhC\SYSDM.CPL
Filesize
1.2MB

MD5
f2e64830a2c214738968617c3647f9e1

SHA1
68d13f550dd4b7ca079d38f45f773ca1c06096b9

SHA256
5a3b92a6a9bfeb85b94f5df7363244fe95b6c98782f564a42e6a00a0279d105a

SHA512
e0a549b0b0787d87b4d191ce8c65fe93b3cca78cff1c875ec9d51633cb016f63ffaef1e46939cca2111f9a97cab655cb72858c426d92f54d1d2d6d084c3eba51

Download Submit
C:\Users\Admin\AppData\Local\QvGyJhC\SystemPropertiesAdvanced.exe
Filesize
82KB

MD5
fa040b18d2d2061ab38cf4e52e753854

SHA1
b1b37124e9afd6c860189ce4d49cebbb2e4c57bc

SHA256
c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c

SHA512
511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

Download Submit
C:\Users\Admin\AppData\Local\fKkhWk\DUser.dll
Filesize
1.2MB

MD5
4ad7655783f220338f7f6539ec36a6c6

SHA1
20ccd6cbffcf18b231d9182b75e1a4fbce71edfd

SHA256
baaa1073b0a84c71aaf4ccce1847eec64d49dec422514b799905712d9e81b664

SHA512
7ee30807c02d8a2c3911c70df7c0482656ecb7cb66976ad2a69c752a2660be3725629ab3c9e2fd20f6fe0036466b20c9cbe036340fef73365c0533c177e13c95

Download Submit
C:\Users\Admin\AppData\Local\fKkhWk\sessionmsg.exe
Filesize
85KB

MD5
480f710806b68dfe478ca1ec7d7e79cc

SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd

SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aibqacvbwgcfz.lnk
Filesize
1KB

MD5
1b40ee13acc468596e7244c2b6b59d8b

SHA1
c897cba440a1a12ab2b0cdafe3b970e7676de2e9

SHA256
23a6714bd9005dbc6d72e82acd8ef0814e1d6bac1249db2c84d844132640464e

SHA512
79e0775a933884f99ec2ee832042553b02ebfee556ec81bc2deff0ce92ec6b1cbf0e89db8c4c04f5fba55e3cd41af730393f8e66fe132d7d583a1e6fa7fa9bc5

Download Submit
memory/1772-86-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/1772-85-0x0000011B71940000-0x0000011B71947000-memory.dmp

Filesize
28KB

Download
memory/1772-80-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/2564-49-0x000001BC5BC40000-0x000001BC5BC47000-memory.dmp

Filesize
28KB

Download
memory/2564-52-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2564-46-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3096-39-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3096-0-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3096-3-0x0000021250850000-0x0000021250857000-memory.dmp

Filesize
28KB

Download
memory/3528-14-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3528-12-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3528-6-0x00007FFE11C9A000-0x00007FFE11C9B000-memory.dmp

Filesize
4KB

Download
memory/3528-7-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3528-25-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3528-8-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3528-9-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3528-10-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3528-11-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3528-4-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/3528-13-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3528-15-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3528-16-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3528-30-0x0000000003220000-0x0000000003227000-memory.dmp

Filesize
28KB

Download
memory/3528-31-0x00007FFE12FD0000-0x00007FFE12FE0000-memory.dmp

Filesize
64KB

Download
memory/3528-36-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3756-69-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3756-66-0x0000024B147F0000-0x0000024B147F7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads