dridex | 3fa05daafcd5984a5c5e340e6b78138c8f3527eb35ba647f79c16b34a48eb9fd

General

Target

2247a1e7c2f18b255f28ef00d2d930f8_JaffaCakes118.dll
Size

989KB
MD5

2247a1e7c2f18b255f28ef00d2d930f8
SHA1

bd852bcc11266bd28c494b6bf036e5710d90c2f2
SHA256

3fa05daafcd5984a5c5e340e6b78138c8f3527eb35ba647f79c16b34a48eb9fd
SHA512

f4031a1236b6ced52fabe05934a4359fb0d352715d80f02c864cc3870c1a4917a3137eee7fba5ef5c93b8d7e11c4bd25c3d6225e9ea8589061c48f9d7ca7e6aa
SSDEEP

24576:JVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:JV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3360-4-0x0000000002F10000-0x0000000002F11000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dccw.exeshrpubw.exemsconfig.exe

pid process

4492 dccw.exe
3872 shrpubw.exe
3192 msconfig.exe
Loads dropped DLL 3 IoCs

Processes:

dccw.exeshrpubw.exemsconfig.exe

pid process

4492 dccw.exe
3872 shrpubw.exe
3192 msconfig.exe

pid	process
4492	dccw.exe
3872	shrpubw.exe
3192	msconfig.exe

pid	process
4492	dccw.exe
3872	shrpubw.exe
3192	msconfig.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ovnmkkvrgnxhq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\25gLtu\\shrpubw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedccw.exeshrpubw.exemsconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3360

pid	process
3360

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3360 wrote to memory of 876	3360	dccw.exe
PID 3360 wrote to memory of 876	3360	dccw.exe
PID 3360 wrote to memory of 4492	3360	dccw.exe
PID 3360 wrote to memory of 4492	3360	dccw.exe
PID 3360 wrote to memory of 2224	3360	shrpubw.exe
PID 3360 wrote to memory of 2224	3360	shrpubw.exe
PID 3360 wrote to memory of 3872	3360	shrpubw.exe
PID 3360 wrote to memory of 3872	3360	shrpubw.exe
PID 3360 wrote to memory of 2736	3360	msconfig.exe
PID 3360 wrote to memory of 2736	3360	msconfig.exe
PID 3360 wrote to memory of 3192	3360	msconfig.exe
PID 3360 wrote to memory of 3192	3360	msconfig.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2247a1e7c2f18b255f28ef00d2d930f8_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:876

C:\Users\Admin\AppData\Local\Bjri4Kg\dccw.exe
C:\Users\Admin\AppData\Local\Bjri4Kg\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4492

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:2224

C:\Users\Admin\AppData\Local\cNmfskFZd\shrpubw.exe
C:\Users\Admin\AppData\Local\cNmfskFZd\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3872

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2736

C:\Users\Admin\AppData\Local\H1cvlen9\msconfig.exe
C:\Users\Admin\AppData\Local\H1cvlen9\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bjri4Kg\dccw.exe
Filesize
101KB

MD5
cb9374911bf5237179785c739a322c0f

SHA1
3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

SHA256
f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

SHA512
9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

Download Submit
C:\Users\Admin\AppData\Local\Bjri4Kg\mscms.dll
Filesize
995KB

MD5
d8035229009f1291b0ccfb01a01e62d0

SHA1
57a3ee45627287fd9165776604c22beb8cf1a9ef

SHA256
b83c64a0171d9d5175064ba037ef31d72be5181536b312742014a1e707b091a5

SHA512
f7e41966c94ee2eecbd2eaed82baeda0a52fdb72e52a9be176f32a4123f010be9c35dbf71253557d250488db1ae67a9dc90dde0ef8fef4d69723a9d676c42af0

Download Submit
C:\Users\Admin\AppData\Local\H1cvlen9\VERSION.dll
Filesize
990KB

MD5
50732f8b0b5f9505578ccdb78ad08d03

SHA1
0ba6420d6bebf669adc906cd82453e052c96c175

SHA256
58551b3c732211a43997486e843d26085805858a6a4cb1bc4e11d72da82ec107

SHA512
d93c810f1a1ad830db25e0d1cfa67de7f5059cfa0420cd4752c19b132cb93dd8b03877ee9ad2ae6147f0b1946f1956b2eabf16c58cae17cc708d8a6c4f382233

Download Submit
C:\Users\Admin\AppData\Local\H1cvlen9\msconfig.exe
Filesize
193KB

MD5
39009536cafe30c6ef2501fe46c9df5e

SHA1
6ff7b4d30f31186de899665c704a105227704b72

SHA256
93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

SHA512
95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

Download Submit
C:\Users\Admin\AppData\Local\cNmfskFZd\shrpubw.exe
Filesize
59KB

MD5
9910d5c62428ec5f92b04abf9428eec9

SHA1
05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

SHA256
6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

SHA512
01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

Download Submit
C:\Users\Admin\AppData\Local\cNmfskFZd\srvcli.dll
Filesize
991KB

MD5
73567f044e40f17c0696d2cb6ffeb368

SHA1
b96dc5765734e271801f694ba319e315a434e186

SHA256
6c231ced6d6052796800cba18a8c48944d0f78aeef415f228a51c6dccdb75907

SHA512
9b8eaee50ae78c55b913a7f096a19b3fa6a2ee2f97428fc962d5b6ca5199591f3de3198a32020209751ff5c000eaa470f4f4a421d3207bd99acf79d4982d3ca6

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ymfrpxarx.lnk
Filesize
1KB

MD5
0a56fffce307e2f390db693f8bb29b24

SHA1
c1bcc7e2ce08fde370cd0bb4c656f93fbdd8ccff

SHA256
fd6741f161b98e42c61470a378d003f19a50c80e8cb50bd6a041dc496394ebf2

SHA512
b6ff5c6e2534f4467b99b1fa4d648438d8dcfd32af70e3cb2a94d3b2293f94664e6419475eb7ab257991a2774b8af7a06505f19950799cf889e6724daf29ee81

Download Submit
memory/2364-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2364-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2364-0-0x000002B1C6940000-0x000002B1C6947000-memory.dmp

Filesize
28KB

Download
memory/3192-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3192-81-0x000001A155460000-0x000001A155467000-memory.dmp

Filesize
28KB

Download
memory/3360-30-0x00007FFB5212A000-0x00007FFB5212B000-memory.dmp

Filesize
4KB

Download
memory/3360-4-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/3360-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3360-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3360-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3360-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3360-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3360-32-0x00007FFB53350000-0x00007FFB53360000-memory.dmp

Filesize
64KB

Download
memory/3360-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3360-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3360-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3360-31-0x0000000000F40000-0x0000000000F47000-memory.dmp

Filesize
28KB

Download
memory/3360-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3360-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3872-64-0x000001F858D10000-0x000001F858D17000-memory.dmp

Filesize
28KB

Download
memory/3872-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3872-61-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4492-50-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/4492-44-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/4492-47-0x0000016EF61F0000-0x0000016EF61F7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads