dridex | 04c81016fa21625303306f3574fc1294105ef223c7dc498510819681eedd52f5

General

Target

25d810dc0c2458141f99fc9e784a2906_JaffaCakes118.dll
Size

987KB
MD5

25d810dc0c2458141f99fc9e784a2906
SHA1

69fdff77d5a20cc2bc1aab7ded817adb5196aff2
SHA256

04c81016fa21625303306f3574fc1294105ef223c7dc498510819681eedd52f5
SHA512

666b0a3f3f6594e49e79c858961828f501ffb6514b2b403e48d908a2f7d47729c97864fb844b1b71727b434ef787178d9ee4d8eb3ec7a5a531f24f3e75831a05
SSDEEP

24576:6VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8ct:6V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002510000-0x0000000002511000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dpnsvr.exefveprompt.exeosk.exe

pid process

2596 dpnsvr.exe
1524 fveprompt.exe
2532 osk.exe
Loads dropped DLL 7 IoCs

Processes:

dpnsvr.exefveprompt.exeosk.exe

pid process

1196
2596 dpnsvr.exe
1196
1524 fveprompt.exe
1196
2532 osk.exe
1196

pid	process
2596	dpnsvr.exe
1524	fveprompt.exe
2532	osk.exe

pid	process
1196
2596	dpnsvr.exe
1196
1524	fveprompt.exe
1196
2532	osk.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\miCYqEA\\fveprompt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedpnsvr.exefveprompt.exeosk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpnsvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2300	rundll32.exe
2300	rundll32.exe
2300	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2012	1196	dpnsvr.exe
PID 1196 wrote to memory of 2012	1196	dpnsvr.exe
PID 1196 wrote to memory of 2012	1196	dpnsvr.exe
PID 1196 wrote to memory of 2596	1196	dpnsvr.exe
PID 1196 wrote to memory of 2596	1196	dpnsvr.exe
PID 1196 wrote to memory of 2596	1196	dpnsvr.exe
PID 1196 wrote to memory of 2504	1196	fveprompt.exe
PID 1196 wrote to memory of 2504	1196	fveprompt.exe
PID 1196 wrote to memory of 2504	1196	fveprompt.exe
PID 1196 wrote to memory of 1524	1196	fveprompt.exe
PID 1196 wrote to memory of 1524	1196	fveprompt.exe
PID 1196 wrote to memory of 1524	1196	fveprompt.exe
PID 1196 wrote to memory of 2824	1196	osk.exe
PID 1196 wrote to memory of 2824	1196	osk.exe
PID 1196 wrote to memory of 2824	1196	osk.exe
PID 1196 wrote to memory of 2532	1196	osk.exe
PID 1196 wrote to memory of 2532	1196	osk.exe
PID 1196 wrote to memory of 2532	1196	osk.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\25d810dc0c2458141f99fc9e784a2906_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
1⤵
PID:2012

C:\Users\Admin\AppData\Local\xdDos\dpnsvr.exe
C:\Users\Admin\AppData\Local\xdDos\dpnsvr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2596

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:2504

C:\Users\Admin\AppData\Local\AQysG7PxM\fveprompt.exe
C:\Users\Admin\AppData\Local\AQysG7PxM\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1524

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2824

C:\Users\Admin\AppData\Local\IBzL43Nq\osk.exe
C:\Users\Admin\AppData\Local\IBzL43Nq\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2532

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AQysG7PxM\slc.dll
Filesize
988KB

MD5
87831a5d306b2aaa9230892b3c64a85d

SHA1
1dc563178646518314cb668ec2ea527a85de1612

SHA256
cb6427fe802627caafac31a345e22d7de06d3126ebfe9de85d2c6cb5c6ba0d66

SHA512
1055ace50dc2f4facf72a4b6334e29e003a9df09a63e007a7ae5a506794c3c8a2026ec1a267232592709afc167813d255b879f48a58eb7fb5e3c8240b2a31063

Download Submit
C:\Users\Admin\AppData\Local\IBzL43Nq\dwmapi.dll
Filesize
988KB

MD5
a85cea87b511e97ff23bbcc92a0fb3bc

SHA1
f012ad10e549b32500ec7e31bf8fe257d0b10eea

SHA256
64694d88b1493323a0666159e19f283dfd67213a1fb35d8c892d2365a9a020ed

SHA512
f43f7b962e2cbd09cf349f1f25a440844008fbec428ea14c5c4c9ee0c9673f75ca6b6aa2d19b08d28dbe086903a0bb7f89539e16d45b1cc0f57119d14635b4f6

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnk
Filesize
1KB

MD5
76302bdd00a3bc5f442c0a4143a342ff

SHA1
2db953c6f42866abc96a79adc8dd1dc054df79eb

SHA256
bbcfdba60ce0d1b0b41e26fc86deca8fb0d8602bbae641cddb434044c7bcb5a2

SHA512
322f46fa1db4d3877e4c05a3d1ee29707e67ce6cc2df240f841cb421c08c6f99598392c5e7a24ee248d2a1ff72fe83fa04f042533ee4c8ec40045af7177364e3

Download Submit
\Users\Admin\AppData\Local\AQysG7PxM\fveprompt.exe
Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
\Users\Admin\AppData\Local\IBzL43Nq\osk.exe
Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\xdDos\WINMM.dll
Filesize
992KB

MD5
8151b18bb35f24a5066e0dee493a49ad

SHA1
c266dc88332e3ee7aef54157132eb368802f3eb9

SHA256
2d1e5223c9cc94055e762eb9df51e530a486990414bfe4b2b9f4c99f23b241e1

SHA512
229717d287d0d930aaa31b94164bc2a6d7de6c195177a135a83e204ff6186a8d62ef19d10cccfe3d13f9175d901d1954aedac57649ec692af3d22d2e3b1509ff

Download Submit
\Users\Admin\AppData\Local\xdDos\dpnsvr.exe
Filesize
33KB

MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
memory/1196-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-24-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-25-0x0000000077991000-0x0000000077992000-memory.dmp

Filesize
4KB

Download
memory/1196-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-26-0x0000000077B20000-0x0000000077B22000-memory.dmp

Filesize
8KB

Download
memory/1196-4-0x0000000077786000-0x0000000077787000-memory.dmp

Filesize
4KB

Download
memory/1196-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-5-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1196-17-0x00000000024F0000-0x00000000024F7000-memory.dmp

Filesize
28KB

Download
memory/1196-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-63-0x0000000077786000-0x0000000077787000-memory.dmp

Filesize
4KB

Download
memory/1524-71-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1524-74-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/1524-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2300-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2300-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2300-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2532-92-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2532-95-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2596-58-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2596-52-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2596-55-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads