dridex | 0f03f9d5f8d994375513f8839941e3784843030583098a0b7baace0ef9c896a8

General

Target

2ff600654e8bc24df8ca6ae128b918c1_JaffaCakes118.dll
Size

1.2MB
MD5

2ff600654e8bc24df8ca6ae128b918c1
SHA1

8a77bb477ae20d0376cabf30661e79d01b0b9262
SHA256

0f03f9d5f8d994375513f8839941e3784843030583098a0b7baace0ef9c896a8
SHA512

5f92fbd30bf99d66b3571d0c66b3e65e678aaa04bc239630b7ba7da452544fa790df4f96d2e9e41928bc48bf23ca193668fc0ad813ddce6217cfb2bddb3555d8
SSDEEP

24576:5uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:r9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1212-5-0x0000000002E50000-0x0000000002E51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dialer.exeFXSCOVER.exewextract.exe

pid process

2444 dialer.exe
2628 FXSCOVER.exe
1648 wextract.exe
Loads dropped DLL 7 IoCs

Processes:

dialer.exeFXSCOVER.exewextract.exe

pid process

1212
2444 dialer.exe
1212
2628 FXSCOVER.exe
1212
1648 wextract.exe
1212

pid	process
2444	dialer.exe
2628	FXSCOVER.exe
1648	wextract.exe

pid	process
1212
2444	dialer.exe
1212
2628	FXSCOVER.exe
1212
1648	wextract.exe
1212

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\eSAAn0\\FXSCOVER.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedialer.exeFXSCOVER.exewextract.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2412	rundll32.exe
2412	rundll32.exe
2412	rundll32.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1212 wrote to memory of 2740	1212	dialer.exe
PID 1212 wrote to memory of 2740	1212	dialer.exe
PID 1212 wrote to memory of 2740	1212	dialer.exe
PID 1212 wrote to memory of 2444	1212	dialer.exe
PID 1212 wrote to memory of 2444	1212	dialer.exe
PID 1212 wrote to memory of 2444	1212	dialer.exe
PID 1212 wrote to memory of 2816	1212	FXSCOVER.exe
PID 1212 wrote to memory of 2816	1212	FXSCOVER.exe
PID 1212 wrote to memory of 2816	1212	FXSCOVER.exe
PID 1212 wrote to memory of 2628	1212	FXSCOVER.exe
PID 1212 wrote to memory of 2628	1212	FXSCOVER.exe
PID 1212 wrote to memory of 2628	1212	FXSCOVER.exe
PID 1212 wrote to memory of 2812	1212	wextract.exe
PID 1212 wrote to memory of 2812	1212	wextract.exe
PID 1212 wrote to memory of 2812	1212	wextract.exe
PID 1212 wrote to memory of 1648	1212	wextract.exe
PID 1212 wrote to memory of 1648	1212	wextract.exe
PID 1212 wrote to memory of 1648	1212	wextract.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ff600654e8bc24df8ca6ae128b918c1_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:2740

C:\Users\Admin\AppData\Local\FDn\dialer.exe
C:\Users\Admin\AppData\Local\FDn\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2444

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:2816

C:\Users\Admin\AppData\Local\rdhKarGf4\FXSCOVER.exe
C:\Users\Admin\AppData\Local\rdhKarGf4\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2628

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:2812

C:\Users\Admin\AppData\Local\byHZ\wextract.exe
C:\Users\Admin\AppData\Local\byHZ\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1648

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FDn\TAPI32.dll
Filesize
1.2MB

MD5
ec6572bb5efaed3c4294310bbcc42291

SHA1
33754704b2badab88c79aa4470c50aef88d52ab5

SHA256
864fee2f579b866672ae15ac7a93307b877f4ed28f1b1388dda479d71c5ceb1c

SHA512
6e3dad6ceff933663a5c5128f642eadd9916195f78eefad09e14364dc52570035581bf013e279d5afacfce2a7459287bf769d2818944127e292d6ce102f8f386

Download Submit
C:\Users\Admin\AppData\Local\FDn\dialer.exe
Filesize
34KB

MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
C:\Users\Admin\AppData\Local\byHZ\VERSION.dll
Filesize
1.2MB

MD5
2c1af4f7bff4cfde85b623de4f250a16

SHA1
3e20d162aeac78cb0e1987475627dd3df4af38c7

SHA256
aa83788991bf8ed2199871fe977b170127ed080267e62f69d8636251226f82a8

SHA512
6e6cd6c5adbf1d94c9686fef1868ce93d834df81a1cad4a3956fe8d2cf70a9e3ace75bd1c9dd1f230a1fcab9238532eec33db2568615801137842249e94209b7

Download Submit
C:\Users\Admin\AppData\Local\byHZ\wextract.exe
Filesize
140KB

MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
C:\Users\Admin\AppData\Local\rdhKarGf4\FXSCOVER.exe
Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnk
Filesize
1KB

MD5
14aecae2f0145cd0d93aa71e600e180c

SHA1
2d7cb0efa558a38856c7c11d96b81dcb2ff1de2a

SHA256
10509680a8b7acbea148fdd58624793d1768214e87ccbf13a85ba37c361bf166

SHA512
21d59beef75ba432aab5b47e63985f5efff48a8f873e7c943f8268a6eb97cf83643b4453206766651891ed585a2981112ad1115e8d685a1adc8ffc8034c15672

Download Submit
\Users\Admin\AppData\Local\rdhKarGf4\MFC42u.dll
Filesize
1.2MB

MD5
885e1189a3f8fd5e2e4709d3b418fda7

SHA1
69cb368e415c1ee8c7821c204ba84925ab3c8433

SHA256
bba3cb6731b090b6e510d532cebcd3f081143fb893cfeb8f00e5dbb6ab206571

SHA512
b69be164cf95430eec0ea0de721f3332f839b0d7ba8c2a3435d2503747937f0e3911d0d9b427e2af73b8bc7ea6c9c5c2d6a05ec1f868e9e0b9a56c515c6e4c7d

Download Submit
memory/1212-26-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-10-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-12-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-4-0x0000000077726000-0x0000000077727000-memory.dmp

Filesize
4KB

Download
memory/1212-27-0x0000000002E30000-0x0000000002E37000-memory.dmp

Filesize
28KB

Download
memory/1212-18-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-17-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-16-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-15-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-14-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-13-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-32-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

Filesize
8KB

Download
memory/1212-39-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-38-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-31-0x0000000077931000-0x0000000077932000-memory.dmp

Filesize
4KB

Download
memory/1212-5-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1212-9-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-11-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-8-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-7-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1212-66-0x0000000077726000-0x0000000077727000-memory.dmp

Filesize
4KB

Download
memory/1648-95-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1648-92-0x000007FEF64D0000-0x000007FEF6611000-memory.dmp

Filesize
1.3MB

Download
memory/1648-98-0x000007FEF64D0000-0x000007FEF6611000-memory.dmp

Filesize
1.3MB

Download
memory/2412-47-0x000007FEF64E0000-0x000007FEF6620000-memory.dmp

Filesize
1.2MB

Download
memory/2412-1-0x000007FEF64E0000-0x000007FEF6620000-memory.dmp

Filesize
1.2MB

Download
memory/2412-2-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2444-61-0x000007FEF7050000-0x000007FEF7192000-memory.dmp

Filesize
1.3MB

Download
memory/2444-55-0x000007FEF7050000-0x000007FEF7192000-memory.dmp

Filesize
1.3MB

Download
memory/2444-58-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2628-77-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2628-74-0x000007FEF64D0000-0x000007FEF6617000-memory.dmp

Filesize
1.3MB

Download
memory/2628-80-0x000007FEF64D0000-0x000007FEF6617000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads