dridex | 6a97f1622c6915d1d477b97abd9977a2c49bb49a12c8bb38d43ffef5d91ff0c2

General

Target

32c1af30f0f5b0081b6523c5aaf5b099_JaffaCakes118.dll
Size

996KB
MD5

32c1af30f0f5b0081b6523c5aaf5b099
SHA1

0859743d3d53acf62ea5a8e005deb4bc9f106664
SHA256

6a97f1622c6915d1d477b97abd9977a2c49bb49a12c8bb38d43ffef5d91ff0c2
SHA512

6340b8e7a8eaf787e863a82c3b3202411e6e43965ded038f0057a11fcbdc03034e73dbb38e08de68f24ffd17d002b24d36d654a6ded6e354f895e1e563578e0d
SSDEEP

24576:9VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:9V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1224-5-0x00000000025B0000-0x00000000025B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

cttune.exemblctr.exedwm.exe

pid process

2592 cttune.exe
1628 mblctr.exe
2088 dwm.exe
Loads dropped DLL 7 IoCs

Processes:

cttune.exemblctr.exedwm.exe

pid process

1224
2592 cttune.exe
1224
1628 mblctr.exe
1224
2088 dwm.exe
1224

pid	process
2592	cttune.exe
1628	mblctr.exe
2088	dwm.exe

pid	process
1224
2592	cttune.exe
1224
1628	mblctr.exe
1224
2088	dwm.exe
1224

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\Px0ukWJ\\mblctr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execttune.exemblctr.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
856	rundll32.exe
856	rundll32.exe
856	rundll32.exe
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1224 wrote to memory of 2760	1224	cttune.exe
PID 1224 wrote to memory of 2760	1224	cttune.exe
PID 1224 wrote to memory of 2760	1224	cttune.exe
PID 1224 wrote to memory of 2592	1224	cttune.exe
PID 1224 wrote to memory of 2592	1224	cttune.exe
PID 1224 wrote to memory of 2592	1224	cttune.exe
PID 1224 wrote to memory of 2164	1224	mblctr.exe
PID 1224 wrote to memory of 2164	1224	mblctr.exe
PID 1224 wrote to memory of 2164	1224	mblctr.exe
PID 1224 wrote to memory of 1628	1224	mblctr.exe
PID 1224 wrote to memory of 1628	1224	mblctr.exe
PID 1224 wrote to memory of 1628	1224	mblctr.exe
PID 1224 wrote to memory of 2276	1224	dwm.exe
PID 1224 wrote to memory of 2276	1224	dwm.exe
PID 1224 wrote to memory of 2276	1224	dwm.exe
PID 1224 wrote to memory of 2088	1224	dwm.exe
PID 1224 wrote to memory of 2088	1224	dwm.exe
PID 1224 wrote to memory of 2088	1224	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\32c1af30f0f5b0081b6523c5aaf5b099_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:856

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2760

C:\Users\Admin\AppData\Local\jLnR67B\cttune.exe
C:\Users\Admin\AppData\Local\jLnR67B\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2592

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:2164

C:\Users\Admin\AppData\Local\TOdt\mblctr.exe
C:\Users\Admin\AppData\Local\TOdt\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1628

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:2276

C:\Users\Admin\AppData\Local\CfSEZ15z\dwm.exe
C:\Users\Admin\AppData\Local\CfSEZ15z\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2088

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CfSEZ15z\UxTheme.dll
Filesize
998KB

MD5
b4ebafe4d57e834c1f4583e977ab8c99

SHA1
cbfb47ce66bf5af847f1c2dfeeee6076af90eca1

SHA256
47400c26a48302b364cc3c338a6eb342ee2ec17cdedfa0240ddaffd304a8d581

SHA512
12dfaf763e1b08f3adf9b494b9939a34a0cddc15e0f981418a079d958335cd5e2ddf8e86b12cf0090e6192005990feb71ae6b16bae4a2cf71e385b4cf178b10b

Download Submit
C:\Users\Admin\AppData\Local\TOdt\WTSAPI32.dll
Filesize
998KB

MD5
96eb9aac4ff358b12da7ede319a4d240

SHA1
4a4bd384b36bcb556e29dcb4f6da9b95df84459c

SHA256
a6bf5a70ad50266b4262a681495f5bd82f6fe3e8b6d657c7d8fa4fe93ea43f34

SHA512
29f72b51e4a678ef80c19b589b4bc8581ea856135a4336e9f2905f6c83b26b0b10cd25da6cc668ac82b170576fc7e847fe9d7debb8fb0bf1523b3c57e6ac33a6

Download Submit
C:\Users\Admin\AppData\Local\jLnR67B\OLEACC.dll
Filesize
997KB

MD5
79939ee72aedc2fcb24d67418ef148f1

SHA1
8130cc4b7ea1da132dc4ea0acafcf5e8ccd13391

SHA256
d549db5512a46b320032f5779a440c1ceff89d25a960f0ad42802638037ca42f

SHA512
5d219ee62e250890c75dad34a3db85eb08189051d6da30b6166a1fb4ae2f8c046be8392eaafc5179723ed0fbb6f14380265788991343ee0dfa63d1689249df90

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnk
Filesize
1KB

MD5
3f6c46dc7cfe2ddf572359b1c9fdf76e

SHA1
dbfb74b08c2e7b6fbd75ebfa3377b8f4dc19d585

SHA256
05338f007834a0b609a3ec78bec30708051215083ac159a22e9b8fdb234e1c92

SHA512
b9df3aecc559539b76866dcdebbb28fa302762bd4baa20a41c11cf3468da544ad8ff85c3395baea9658c0b1a677d139a19a14902faa83c47fb2fca836c5bc2af

Download Submit
\Users\Admin\AppData\Local\CfSEZ15z\dwm.exe
Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
\Users\Admin\AppData\Local\TOdt\mblctr.exe
Filesize
935KB

MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
\Users\Admin\AppData\Local\jLnR67B\cttune.exe
Filesize
314KB

MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
memory/856-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/856-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/856-0-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1224-14-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1224-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1224-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1224-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1224-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1224-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1224-36-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1224-35-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1224-25-0x0000000077651000-0x0000000077652000-memory.dmp

Filesize
4KB

Download
memory/1224-26-0x00000000777E0000-0x00000000777E2000-memory.dmp

Filesize
8KB

Download
memory/1224-24-0x0000000002580000-0x0000000002587000-memory.dmp

Filesize
28KB

Download
memory/1224-4-0x0000000077546000-0x0000000077547000-memory.dmp

Filesize
4KB

Download
memory/1224-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1224-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1224-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1224-68-0x0000000077546000-0x0000000077547000-memory.dmp

Filesize
4KB

Download
memory/1224-23-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1628-77-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/1628-76-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2088-93-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2592-58-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2592-55-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2592-52-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads