dridex | ed410f2cdffde66b642818f30bae9563ae0d678263cff6a0d6237b71d91ab111

General

Target

276b0106eb036e96dae54a0c93d51808_JaffaCakes118.dll
Size

992KB
MD5

276b0106eb036e96dae54a0c93d51808
SHA1

c08355f1e929d9992b848c511e8073ba89ec32cd
SHA256

ed410f2cdffde66b642818f30bae9563ae0d678263cff6a0d6237b71d91ab111
SHA512

aba4cea7cba6d2fb4fff79e088b0978324644f1435e2777e9fe201bbff748070a33a7370d4f7af6d9b5fafc3b9f539f78de05be219549e2e2fac118bbc1164d2
SSDEEP

24576:NVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:NV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3456-4-0x0000000003040000-0x0000000003041000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

SystemPropertiesAdvanced.exeNarrator.exeEaseOfAccessDialog.exeEhStorAuthn.exe

pid process

1388 SystemPropertiesAdvanced.exe
3904 Narrator.exe
2260 EaseOfAccessDialog.exe
3536 EhStorAuthn.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesAdvanced.exeEaseOfAccessDialog.exeEhStorAuthn.exe

pid process

1388 SystemPropertiesAdvanced.exe
2260 EaseOfAccessDialog.exe
3536 EhStorAuthn.exe

pid	process
1388	SystemPropertiesAdvanced.exe
3904	Narrator.exe
2260	EaseOfAccessDialog.exe
3536	EhStorAuthn.exe

pid	process
1388	SystemPropertiesAdvanced.exe
2260	EaseOfAccessDialog.exe
3536	EhStorAuthn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bhelxfhv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\RbrM6l\\EASEOF~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

EaseOfAccessDialog.exeEhStorAuthn.exerundll32.exeSystemPropertiesAdvanced.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1424	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3456

pid	process
3456

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

description	pid	target process
PID 3456 wrote to memory of 4252	3456	SystemPropertiesAdvanced.exe
PID 3456 wrote to memory of 4252	3456	SystemPropertiesAdvanced.exe
PID 3456 wrote to memory of 1388	3456	SystemPropertiesAdvanced.exe
PID 3456 wrote to memory of 1388	3456	SystemPropertiesAdvanced.exe
PID 3456 wrote to memory of 2620	3456	Narrator.exe
PID 3456 wrote to memory of 2620	3456	Narrator.exe
PID 3456 wrote to memory of 920	3456	EaseOfAccessDialog.exe
PID 3456 wrote to memory of 920	3456	EaseOfAccessDialog.exe
PID 3456 wrote to memory of 2260	3456	EaseOfAccessDialog.exe
PID 3456 wrote to memory of 2260	3456	EaseOfAccessDialog.exe
PID 3456 wrote to memory of 836	3456	EhStorAuthn.exe
PID 3456 wrote to memory of 836	3456	EhStorAuthn.exe
PID 3456 wrote to memory of 3536	3456	EhStorAuthn.exe
PID 3456 wrote to memory of 3536	3456	EhStorAuthn.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\276b0106eb036e96dae54a0c93d51808_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:4252

C:\Users\Admin\AppData\Local\cI3t\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\cI3t\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1388

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:2620

C:\Users\Admin\AppData\Local\5yPQXA\Narrator.exe
C:\Users\Admin\AppData\Local\5yPQXA\Narrator.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:920

C:\Users\Admin\AppData\Local\Pa7tU\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\Pa7tU\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2260

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:836

C:\Users\Admin\AppData\Local\Cl2qYc9a\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\Cl2qYc9a\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5yPQXA\Narrator.exe
Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Local\Cl2qYc9a\EhStorAuthn.exe
Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\Cl2qYc9a\UxTheme.dll
Filesize
995KB

MD5
612c926ef5a4d3f565dfefd3ca4db2cb

SHA1
3d484d5510c6ba2b9dc3256f4eb49b023573c802

SHA256
bd4df8b81339e69fcb6541f74702ada7c128f1d54e72935985d821134d2ba415

SHA512
4615ac024e98f1379ac5e5805e9ca4c2f39fd7aa38eaa27a63736778b4af56697af7e4358a8b5ff7cd52acee0596993b948bd18ed5b4100e2ca3db5fc23321f0

Download Submit
C:\Users\Admin\AppData\Local\Pa7tU\DUI70.dll
Filesize
1.2MB

MD5
5ac22d40e0346acf3aaba1c7429137b6

SHA1
04861969946b7778a51a75c9ad5434a88c5e8c9f

SHA256
247593b34d2df5a699cbfe5645abc3627f960e3c67547d4affc432e1db779e35

SHA512
fb7d82c9ae0198efc390ee4a3cbfa2f7be04c1512fec5a2808574b7c986b5c0192e5ff579cd66dd1bd9c4a043ce3fa3f618ce0555e465a01eb79506277b98397

Download Submit
C:\Users\Admin\AppData\Local\Pa7tU\EaseOfAccessDialog.exe
Filesize
123KB

MD5
e75ee992c1041341f709a517c8723c87

SHA1
471021260055eac0021f0abffa2d0ba77a2f380e

SHA256
0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

SHA512
48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

Download Submit
C:\Users\Admin\AppData\Local\cI3t\SYSDM.CPL
Filesize
993KB

MD5
988877cf3df1b32dd4c75a1b14c96803

SHA1
983bf8100821f409cd888436dc5c9ba403a60943

SHA256
ee4f824153d95c5d93e630d34428f74b308a1d6eccd53ee5a2f2ae54177477bb

SHA512
d4792283216c900e030bed2f749beece9924ca519cc734024c20284562151b7bff75c9a10e7efa62169d190fbaa688fadb3b40f842e261a863f6a7dc94fdefab

Download Submit
C:\Users\Admin\AppData\Local\cI3t\SystemPropertiesAdvanced.exe
Filesize
82KB

MD5
fa040b18d2d2061ab38cf4e52e753854

SHA1
b1b37124e9afd6c860189ce4d49cebbb2e4c57bc

SHA256
c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c

SHA512
511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Oabtankaq.lnk
Filesize
1KB

MD5
d63f0ded1b894ad1ab42e993055859f3

SHA1
8f4055b89ddbb9caffdb1187e9467a321bd26dfc

SHA256
3c84c5d5368625f72a756a411718406ab22242b3db390533df7aeb6fa9a27a6c

SHA512
0262beb31a5bba5febbdcca2e2c6f91eaa59aa7710d9decf8b053af53029f9781ed431aad9a7541697cbaac5dcfcfa5f548a17f0129ffa0b5124bfc334bdee7a

Download Submit
memory/1388-51-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1388-48-0x000001F52A3A0000-0x000001F52A3A7000-memory.dmp

Filesize
28KB

Download
memory/1388-45-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1424-0-0x0000018AFAFC0000-0x0000018AFAFC7000-memory.dmp

Filesize
28KB

Download
memory/1424-38-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1424-1-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2260-70-0x0000016253290000-0x0000016253297000-memory.dmp

Filesize
28KB

Download
memory/2260-71-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2260-76-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3456-27-0x00007FF8EB27A000-0x00007FF8EB27B000-memory.dmp

Filesize
4KB

Download
memory/3456-28-0x00000000011F0000-0x00000000011F7000-memory.dmp

Filesize
28KB

Download
memory/3456-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3456-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3456-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3456-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3456-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3456-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3456-14-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3456-35-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3456-29-0x00007FF8ECC10000-0x00007FF8ECC20000-memory.dmp

Filesize
64KB

Download
memory/3456-23-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3456-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3456-6-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3456-4-0x0000000003040000-0x0000000003041000-memory.dmp

Filesize
4KB

Download
memory/3536-93-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3536-87-0x0000018CDF850000-0x0000018CDF857000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads