dridex | e75bb6327d366e83dd2f2e52c662343ef76dd47b5eb53ae2cc8cb27f047ed7cc

General

Target

2bff80f70ad0151ec6bebe69e0bfb972_JaffaCakes118.dll
Size

1.2MB
MD5

2bff80f70ad0151ec6bebe69e0bfb972
SHA1

bd6f81939f482411bad7030994e6724092db7d5c
SHA256

e75bb6327d366e83dd2f2e52c662343ef76dd47b5eb53ae2cc8cb27f047ed7cc
SHA512

f29a1232faadd2e064dc5ec77ac2fad95e0050191a753bd24fb40e95146fec09cb890348d911fe33e788e3ae9ebb18dca63802efad76cf6fab06fc7b7a7e2245
SSDEEP

24576:RVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:RV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1096-5-0x0000000002530000-0x0000000002531000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sethc.exeDisplaySwitch.exetabcal.exe

pid process

2412 sethc.exe
2844 DisplaySwitch.exe
2620 tabcal.exe
Loads dropped DLL 7 IoCs

Processes:

sethc.exeDisplaySwitch.exetabcal.exe

pid process

1096
2412 sethc.exe
1096
2844 DisplaySwitch.exe
1096
2620 tabcal.exe
1096

pid	process
2412	sethc.exe
2844	DisplaySwitch.exe
2620	tabcal.exe

pid	process
1096
2412	sethc.exe
1096
2844	DisplaySwitch.exe
1096
2620	tabcal.exe
1096

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mqdbvnnwgmqj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\RYJNN5~1\\DISPLA~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesethc.exeDisplaySwitch.exetabcal.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1936	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096
1096

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1096 wrote to memory of 1824	1096	sethc.exe
PID 1096 wrote to memory of 1824	1096	sethc.exe
PID 1096 wrote to memory of 1824	1096	sethc.exe
PID 1096 wrote to memory of 2412	1096	sethc.exe
PID 1096 wrote to memory of 2412	1096	sethc.exe
PID 1096 wrote to memory of 2412	1096	sethc.exe
PID 1096 wrote to memory of 2108	1096	DisplaySwitch.exe
PID 1096 wrote to memory of 2108	1096	DisplaySwitch.exe
PID 1096 wrote to memory of 2108	1096	DisplaySwitch.exe
PID 1096 wrote to memory of 2844	1096	DisplaySwitch.exe
PID 1096 wrote to memory of 2844	1096	DisplaySwitch.exe
PID 1096 wrote to memory of 2844	1096	DisplaySwitch.exe
PID 1096 wrote to memory of 2352	1096	tabcal.exe
PID 1096 wrote to memory of 2352	1096	tabcal.exe
PID 1096 wrote to memory of 2352	1096	tabcal.exe
PID 1096 wrote to memory of 2620	1096	tabcal.exe
PID 1096 wrote to memory of 2620	1096	tabcal.exe
PID 1096 wrote to memory of 2620	1096	tabcal.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bff80f70ad0151ec6bebe69e0bfb972_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:1824

C:\Users\Admin\AppData\Local\XfRrz7j\sethc.exe
C:\Users\Admin\AppData\Local\XfRrz7j\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2412

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:2108

C:\Users\Admin\AppData\Local\Fz2v\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\Fz2v\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2844

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:2352

C:\Users\Admin\AppData\Local\3v5CaeJX\tabcal.exe
C:\Users\Admin\AppData\Local\3v5CaeJX\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3v5CaeJX\HID.DLL

Filesize
1.2MB

MD5
fbe515c358f874f2f526369bb40b2e77

SHA1
2b709cc3546d0fad99e564a71b619beeb2009200

SHA256
03149296c8c543238a40b6a2c9946a015c24a289068576c266ca2fe965661b83

SHA512
92e9095d9da779dde3a12ba04ea1e35f3606c1145fa8c67e6f3fabf5ea6d2f87ed77b451296caed832a4f59886ce8d7d91e12d5cb3dd91fe90348bd67475dd6c

Download Submit
C:\Users\Admin\AppData\Local\Fz2v\slc.dll

Filesize
1.2MB

MD5
f1f244fd49ab2562c22210f7890d9cb4

SHA1
73830f1db456ef8d8d3d594748533dbe832959db

SHA256
c59a7df7bc79400d1e50c8551015420445858bff93fcd9e337100f3e043aa357

SHA512
fc42b5b520055a80f5c6aa969b575a45bd1e34bbcf577fb3442fc41399f25fd62fb71a40b2cd74d60f53da03e897501a6c305ab10c2432c712c6b31b20d84541

Download Submit
C:\Users\Admin\AppData\Local\XfRrz7j\DUI70.dll

Filesize
1.4MB

MD5
55ae8ad1fc6a47992baadfe4be0a3d7d

SHA1
02262d0be7d9ba1b1ec159f3a12497141deda318

SHA256
373077744914e36f90492b02f6621b578a94aaf9735bbc2168d383bbc08631e3

SHA512
01da50a690aad530a0cf136e014367da909702222b03d57914f0ad8b73a7ab42885e3692d53d53313e04d95bddef4f2792f862aca06768ce6e1f81a0a4054934

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gemerzbimpg.lnk

Filesize
1KB

MD5
4fd838de8f5be98cdb86402d3d9c07b3

SHA1
06d7ee719abdeeadfc6b7c128ecb3b60ee9d053a

SHA256
1ddfc76a5ebc2bb6b63d091793f54a6dc4bd17ba15aaa124a8a8e1a42b180666

SHA512
13c7991ebfadf9d12fa6d1f8c2f9f037a29d9a8b0c26e046c6fa0a034b6e403bd210c7ff44fa7ada230043c3807386463ee1ce8e42cb5cb7e36340e809a66285

Download Submit
\Users\Admin\AppData\Local\3v5CaeJX\tabcal.exe

Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Local\Fz2v\DisplaySwitch.exe

Filesize
517KB

MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
\Users\Admin\AppData\Local\XfRrz7j\sethc.exe

Filesize
272KB

MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
memory/1096-25-0x0000000002510000-0x0000000002517000-memory.dmp

Filesize
28KB

Download
memory/1096-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1096-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1096-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1096-27-0x0000000077370000-0x0000000077372000-memory.dmp

Filesize
8KB

Download
memory/1096-26-0x00000000771E1000-0x00000000771E2000-memory.dmp

Filesize
4KB

Download
memory/1096-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1096-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1096-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1096-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1096-36-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1096-38-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1096-4-0x00000000770D6000-0x00000000770D7000-memory.dmp

Filesize
4KB

Download
memory/1096-5-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1096-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1096-73-0x00000000770D6000-0x00000000770D7000-memory.dmp

Filesize
4KB

Download
memory/1096-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1096-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1936-3-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/1936-45-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1936-0-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2412-58-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2412-53-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2620-92-0x00000000019B0000-0x00000000019B7000-memory.dmp

Filesize
28KB

Download
memory/2620-95-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2844-70-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2844-74-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2844-77-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads