dridex | 9254cc93684a65329fc8c16f8e8ed6efb8414660f3091c9926d92d594e159e5e

General

Target

2e41aa5a63fd65eeec06fb0a3f6f0f74_JaffaCakes118.dll
Size

990KB
MD5

2e41aa5a63fd65eeec06fb0a3f6f0f74
SHA1

35aab120500000294092906bc18b9932f94341a5
SHA256

9254cc93684a65329fc8c16f8e8ed6efb8414660f3091c9926d92d594e159e5e
SHA512

16f5661d173f6c376c73f38586ae7f059f501f00e518b66cb34f4a0a646db956251b63734061636f12dffb0283636c99d00b4a96086f768eacb1a992c6fd0016
SSDEEP

24576:pVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:pV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3444-4-0x0000000002F10000-0x0000000002F11000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

upfc.exeWindowsActionDialog.exeusocoreworker.exe

pid process

1368 upfc.exe
2264 WindowsActionDialog.exe
4008 usocoreworker.exe
Loads dropped DLL 3 IoCs

Processes:

upfc.exeWindowsActionDialog.exeusocoreworker.exe

pid process

1368 upfc.exe
2264 WindowsActionDialog.exe
4008 usocoreworker.exe

pid	process
1368	upfc.exe
2264	WindowsActionDialog.exe
4008	usocoreworker.exe

pid	process
1368	upfc.exe
2264	WindowsActionDialog.exe
4008	usocoreworker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ovnmkkvrgnxhq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\PxKhOczm\\WindowsActionDialog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

upfc.exeWindowsActionDialog.exeusocoreworker.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
5004	rundll32.exe
5004	rundll32.exe
5004	rundll32.exe
5004	rundll32.exe
5004	rundll32.exe
5004	rundll32.exe
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3444

pid	process
3444

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3444 wrote to memory of 4216	3444	upfc.exe
PID 3444 wrote to memory of 4216	3444	upfc.exe
PID 3444 wrote to memory of 1368	3444	upfc.exe
PID 3444 wrote to memory of 1368	3444	upfc.exe
PID 3444 wrote to memory of 2640	3444	WindowsActionDialog.exe
PID 3444 wrote to memory of 2640	3444	WindowsActionDialog.exe
PID 3444 wrote to memory of 2264	3444	WindowsActionDialog.exe
PID 3444 wrote to memory of 2264	3444	WindowsActionDialog.exe
PID 3444 wrote to memory of 2884	3444	usocoreworker.exe
PID 3444 wrote to memory of 2884	3444	usocoreworker.exe
PID 3444 wrote to memory of 4008	3444	usocoreworker.exe
PID 3444 wrote to memory of 4008	3444	usocoreworker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e41aa5a63fd65eeec06fb0a3f6f0f74_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Windows\system32\upfc.exe
C:\Windows\system32\upfc.exe
1⤵
PID:4216

C:\Users\Admin\AppData\Local\nQeTJihbD\upfc.exe
C:\Users\Admin\AppData\Local\nQeTJihbD\upfc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1368

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:2640

C:\Users\Admin\AppData\Local\nZwZikGA\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\nZwZikGA\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2264

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:2884

C:\Users\Admin\AppData\Local\gYeE\usocoreworker.exe
C:\Users\Admin\AppData\Local\gYeE\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\gYeE\XmlLite.dll
Filesize
990KB

MD5
f4092df121abc4e07edd072bc20719ec

SHA1
deb1af2ce9bc55d19b8ea86ebc3472bc4bb9473b

SHA256
23d228d8b70a6e677089bf99585dd930bb1e11438ad81092739156c4bbfc2997

SHA512
8866d5bb08c7d0864dfa06bc616f385059c403c576ca8154c7bfe5785dea0301ccf1dc57c4fec1a19dc4aeed88a12615aff94de5e9bcb9db4830c578ab17d8f6

Download Submit
C:\Users\Admin\AppData\Local\gYeE\usocoreworker.exe
Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Local\nQeTJihbD\XmlLite.dll
Filesize
990KB

MD5
cfe2907fc97cfe5d1d6607d846d2001a

SHA1
a0f3a4373a7557105582f74a49f7b858e0542ebd

SHA256
0a2f31962be7e321efb1bbf849f6a614ed2fb68b90277719f6a24bfa407dc0ab

SHA512
ad65f33fdee013427246f693a39aa95aded7c8768a1e7799d2583f24317390daba220fab974a80363b8cfa0def91642a7af2d6447451c1147c8364a5e61abb31

Download Submit
C:\Users\Admin\AppData\Local\nQeTJihbD\upfc.exe
Filesize
118KB

MD5
299ea296575ccb9d2c1a779062535d5c

SHA1
2497169c13b0ba46a6be8a1fe493b250094079b7

SHA256
ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

SHA512
02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

Download Submit
C:\Users\Admin\AppData\Local\nZwZikGA\DUI70.dll
Filesize
1.2MB

MD5
d1097daf59fc350f360ab9f3bdbfa675

SHA1
0e0888971406c7221dc04dc24bb27b08fea1817f

SHA256
05a7a0d9cf853afad8564a5ea6f7cd154cc8bcb8b59315ae5f30eae369369ac1

SHA512
252f794c9b78142dcc871dd47fe56c8332c27f26b1bb83a73d8a8fce4d4e8ef4d69555e473ad69e66f1901e950152e785749d38548e3aabca868aaec5a4f7985

Download Submit
C:\Users\Admin\AppData\Local\nZwZikGA\WindowsActionDialog.exe
Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ymfrpxarx.lnk
Filesize
1KB

MD5
e52e87360e3780a387420fc46524e883

SHA1
8582c6d7269d8081b6b5464c3332545b2846cf46

SHA256
d58057f8b0bbcb43204b9352d62c2ae9c0bff57ceb401ec8a8ebe01ff6344ff8

SHA512
e961e57acbeed8486acc0f9df80108ba089a1e7d1539792c829bd34ea508164671b427c22a059e0ee46d365f57c3a469b15135a0c76786923f3388524bcd5c73

Download Submit
memory/1368-51-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1368-45-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1368-48-0x0000026B61680000-0x0000026B61687000-memory.dmp

Filesize
28KB

Download
memory/2264-62-0x0000025CB9850000-0x0000025CB9857000-memory.dmp

Filesize
28KB

Download
memory/2264-63-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2264-68-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3444-32-0x0000000001200000-0x0000000001207000-memory.dmp

Filesize
28KB

Download
memory/3444-31-0x00007FFF5427A000-0x00007FFF5427B000-memory.dmp

Filesize
4KB

Download
memory/3444-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3444-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3444-4-0x0000000002F10000-0x0000000002F11000-memory.dmp

Filesize
4KB

Download
memory/3444-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3444-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3444-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3444-14-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3444-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3444-6-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3444-34-0x00007FFF552B0000-0x00007FFF552C0000-memory.dmp

Filesize
64KB

Download
memory/3444-36-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3444-23-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3444-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4008-82-0x0000026967800000-0x0000026967807000-memory.dmp

Filesize
28KB

Download
memory/4008-85-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/5004-0-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/5004-38-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/5004-3-0x000002ABF4940000-0x000002ABF4947000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads