dridex | 3f6bec2d9c14ebe6ddf25c6628cb39c4918acada8c37472134f45031d72221d7

General

Target

3485e0ac521bf858da4d8c19eb33c548_JaffaCakes118.dll
Size

986KB
MD5

3485e0ac521bf858da4d8c19eb33c548
SHA1

afad1434651161ac3d4e1c3ef169cdb6635134f7
SHA256

3f6bec2d9c14ebe6ddf25c6628cb39c4918acada8c37472134f45031d72221d7
SHA512

eafc4b171db0c06a975a4ca20a5289c6b9298b6db9ca170d4536a4034dc77074b8760c17d54da61e540bb0eb57f51839bad36294a95992ade96dac0275f45fea
SSDEEP

24576:0VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:0V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3380-4-0x00000000030D0000-0x00000000030D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

EhStorAuthn.exeisoburn.exeie4ushowIE.exe

pid process

1720 EhStorAuthn.exe
4044 isoburn.exe
1920 ie4ushowIE.exe
Loads dropped DLL 3 IoCs

Processes:

EhStorAuthn.exeisoburn.exeie4ushowIE.exe

pid process

1720 EhStorAuthn.exe
4044 isoburn.exe
1920 ie4ushowIE.exe

pid	process
1720	EhStorAuthn.exe
4044	isoburn.exe
1920	ie4ushowIE.exe

pid	process
1720	EhStorAuthn.exe
4044	isoburn.exe
1920	ie4ushowIE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\V8K8LK~1\\isoburn.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ie4ushowIE.exerundll32.exeEhStorAuthn.exeisoburn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4ushowIE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2116	rundll32.exe
2116	rundll32.exe
2116	rundll32.exe
2116	rundll32.exe
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380
3380

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3380 wrote to memory of 3100	3380	EhStorAuthn.exe
PID 3380 wrote to memory of 3100	3380	EhStorAuthn.exe
PID 3380 wrote to memory of 1720	3380	EhStorAuthn.exe
PID 3380 wrote to memory of 1720	3380	EhStorAuthn.exe
PID 3380 wrote to memory of 3464	3380	isoburn.exe
PID 3380 wrote to memory of 3464	3380	isoburn.exe
PID 3380 wrote to memory of 4044	3380	isoburn.exe
PID 3380 wrote to memory of 4044	3380	isoburn.exe
PID 3380 wrote to memory of 1044	3380	ie4ushowIE.exe
PID 3380 wrote to memory of 1044	3380	ie4ushowIE.exe
PID 3380 wrote to memory of 1920	3380	ie4ushowIE.exe
PID 3380 wrote to memory of 1920	3380	ie4ushowIE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3485e0ac521bf858da4d8c19eb33c548_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:3100

C:\Users\Admin\AppData\Local\Ybik\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\Ybik\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1720

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:3464

C:\Users\Admin\AppData\Local\QXCmEvF\isoburn.exe
C:\Users\Admin\AppData\Local\QXCmEvF\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4044

C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
1⤵
PID:1044

C:\Users\Admin\AppData\Local\8Z8\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\8Z8\ie4ushowIE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:3992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8Z8\VERSION.dll
Filesize
987KB

MD5
29cf5bfbe522019406de2ae750c9a8cd

SHA1
43532e2d04e60854e937f20872852f37c832876e

SHA256
86baf3eb34ae72a1c0f4a7633dffb11ec9737ec0fd1484ef284c5138ec55a066

SHA512
d4374869479d250bf53983e3a23ae7529ab27db0e42643f097036633c6beaf0927594cf4c9c33ca052533cfa05a575d6db514067786511acd190b096fb6c1be7

Download Submit
C:\Users\Admin\AppData\Local\8Z8\ie4ushowIE.exe
Filesize
76KB

MD5
9de952f476abab0cd62bfd81e20a3deb

SHA1
109cc4467b78dad4b12a3225020ea590bccee3e6

SHA256
e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

SHA512
3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

Download Submit
C:\Users\Admin\AppData\Local\QXCmEvF\UxTheme.dll
Filesize
989KB

MD5
446f16f53efa632cd6b0e74df204a3bf

SHA1
e4244e557d81ecea70fad0cd45fb1928ebe57594

SHA256
0beafe9302cf5e818b4b26a953ea2ab4bfcf35c7d63914503dab86997e84b255

SHA512
e56b239b4c279883e7d9be1d09db7389b30b3c58527362f9f0d09fe05c4cd4cae358dea9f3ddd6c54fde35ad738664cd971570f69aa43222872f406ced5f569c

Download Submit
C:\Users\Admin\AppData\Local\QXCmEvF\isoburn.exe
Filesize
119KB

MD5
68078583d028a4873399ae7f25f64bad

SHA1
a3c928fe57856a10aed7fee17670627fe663e6fe

SHA256
9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567

SHA512
25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

Download Submit
C:\Users\Admin\AppData\Local\Ybik\EhStorAuthn.exe
Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\Ybik\UxTheme.dll
Filesize
989KB

MD5
9a0959526d92504f74bc81395c933825

SHA1
190d72f5febe15c028a680a819eda1a78fc7b7bc

SHA256
545f16171c2ab8215dec3ac3cbd4d3615dc499a0546878e6dcdad94bbab421aa

SHA512
c179e266af2a2457c9b372a1425e1138c4cc92d4355c92a49d325344d14fc72419c21c7dcfc90e4ef396daf8a3eb367f32452ba71e125a098154e69c14b3f2a4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnk
Filesize
1KB

MD5
ca1da249d32201534127e8e4ea8a00ee

SHA1
6c5291f13f7796b7f7e58d11146c00439021ef06

SHA256
34cd45f0190992dfbffde08fc01b7a409b25facfae014532629557ddd0e0c857

SHA512
249476e4ee79fe0e084e2f38bc21dab585972651007b1c9ed2170a8bd2770d893085a8cefbfd218371e60bcdffb5a77a12d2f5a8b25e91d3c925807c33ea1a5f

Download Submit
memory/1720-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1720-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1720-47-0x0000024F75030000-0x0000024F75037000-memory.dmp

Filesize
28KB

Download
memory/1920-78-0x0000027963370000-0x0000027963377000-memory.dmp

Filesize
28KB

Download
memory/1920-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2116-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2116-3-0x0000013B688E0000-0x0000013B688E7000-memory.dmp

Filesize
28KB

Download
memory/2116-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3380-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3380-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3380-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3380-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3380-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3380-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3380-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3380-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3380-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3380-4-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/3380-6-0x00007FFCAB50A000-0x00007FFCAB50B000-memory.dmp

Filesize
4KB

Download
memory/3380-25-0x00007FFCACD90000-0x00007FFCACDA0000-memory.dmp

Filesize
64KB

Download
memory/3380-24-0x0000000002EB0000-0x0000000002EB7000-memory.dmp

Filesize
28KB

Download
memory/3380-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4044-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4044-61-0x0000018E8A600000-0x0000018E8A607000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads