dridex | 4f846f7de56d607a034e7566c78afbf3c2f6ed27f89ef5f23952f35ebe4db627

General

Target

35c0649f734b4df238a3a0581b9d1a63_JaffaCakes118.dll
Size

995KB
MD5

35c0649f734b4df238a3a0581b9d1a63
SHA1

7e1b4b8b440c0148073bb1f6a480210001781630
SHA256

4f846f7de56d607a034e7566c78afbf3c2f6ed27f89ef5f23952f35ebe4db627
SHA512

8983fb656cefb48156367ec3ca87235eea04911e48ecc0a0c5c94a4c78cd081483d9bc08f38d030c6a61010cadd24aaab8ffefaacf4ac316143ff045b32210d3
SSDEEP

24576:tVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:tV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-5-0x0000000002E70000-0x0000000002E71000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

irftp.exepsr.exeMpSigStub.exe

pid process

2468 irftp.exe
2472 psr.exe
1280 MpSigStub.exe
Loads dropped DLL 7 IoCs

Processes:

irftp.exepsr.exeMpSigStub.exe

pid process

1204
2468 irftp.exe
1204
2472 psr.exe
1204
1280 MpSigStub.exe
1204

pid	process
2468	irftp.exe
2472	psr.exe
1280	MpSigStub.exe

pid	process
1204
2468	irftp.exe
1204
2472	psr.exe
1204
1280	MpSigStub.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mqdbvnnwgmqj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\4p\\psr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeirftp.exepsr.exeMpSigStub.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1196	rundll32.exe
1196	rundll32.exe
1196	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2788	1204	irftp.exe
PID 1204 wrote to memory of 2788	1204	irftp.exe
PID 1204 wrote to memory of 2788	1204	irftp.exe
PID 1204 wrote to memory of 2468	1204	irftp.exe
PID 1204 wrote to memory of 2468	1204	irftp.exe
PID 1204 wrote to memory of 2468	1204	irftp.exe
PID 1204 wrote to memory of 2636	1204	psr.exe
PID 1204 wrote to memory of 2636	1204	psr.exe
PID 1204 wrote to memory of 2636	1204	psr.exe
PID 1204 wrote to memory of 2472	1204	psr.exe
PID 1204 wrote to memory of 2472	1204	psr.exe
PID 1204 wrote to memory of 2472	1204	psr.exe
PID 1204 wrote to memory of 2384	1204	MpSigStub.exe
PID 1204 wrote to memory of 2384	1204	MpSigStub.exe
PID 1204 wrote to memory of 2384	1204	MpSigStub.exe
PID 1204 wrote to memory of 1280	1204	MpSigStub.exe
PID 1204 wrote to memory of 1280	1204	MpSigStub.exe
PID 1204 wrote to memory of 1280	1204	MpSigStub.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\35c0649f734b4df238a3a0581b9d1a63_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:2788

C:\Users\Admin\AppData\Local\sdNv\irftp.exe
C:\Users\Admin\AppData\Local\sdNv\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2468

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:2636

C:\Users\Admin\AppData\Local\fmzMSkCX5\psr.exe
C:\Users\Admin\AppData\Local\fmzMSkCX5\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2472

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:2384

C:\Users\Admin\AppData\Local\aU4J3m\MpSigStub.exe
C:\Users\Admin\AppData\Local\aU4J3m\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1280

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\aU4J3m\VERSION.dll
Filesize
995KB

MD5
c90366100d9455c66a43da13733c2ac4

SHA1
1e8479ecea3a776dac331b763c8dcf7733ff2197

SHA256
a244f99a54444861fe2bf5aec47a4c4b00f901f2b06a862a2d830c42621b19f3

SHA512
5bd44f26c64fec86c11020e814332929e16687bb4e81486dc8023933e9d23059566ca589b45d234a745369068b851d0f3197cdfd4b88f0a14e281a6e25d76c80

Download Submit
C:\Users\Admin\AppData\Local\fmzMSkCX5\XmlLite.dll
Filesize
995KB

MD5
24a872a3d208d5cbd3916dd6b4dbc644

SHA1
16270c9d92f2c9b59dc4ded7782b970e78e52f34

SHA256
c1c4a01f343f49d3716c8c3d25d494f1703ef6eefcbcc7cd616abe96f05fd317

SHA512
33461e6e0ae4b035b44f664623770e8f7c67ca0293ff71422ac5bdd3f1906e3d4c8d28b2604eec292c94c80ea66c03923a88c878b5a06d928dc26cc4e2330b63

Download Submit
C:\Users\Admin\AppData\Local\sdNv\WINMM.dll
Filesize
1000KB

MD5
612fb3b0f71d58ce7ca036591d3b4bc4

SHA1
296c57fdb35fca979c51ccb990bbdc766cbf64bd

SHA256
63d8b3ee974bf8893e9e66d0ae0f727e01d057180763bae5a0d3d267ad292905

SHA512
36ecd0f410439fd87e4ca1f3213df0128326b665b3945bf8e5ff7061da120ebf260f5c307d1bb4575c3ecff28806d8676a29ff6d75445c15f857ec5e9df3aa39

Download Submit
C:\Users\Admin\AppData\Local\sdNv\irftp.exe
Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gemerzbimpg.lnk
Filesize
1KB

MD5
789d4a59610fdc874c03550a5476091c

SHA1
4b75179eb9e9b8fa21c3a016207693b3266166f7

SHA256
6f875555379517247a2a25e41959b921bbbb5d3f0491e9753413701fb93b0c75

SHA512
2e1fe35490442532c5ea5bfb92f2cbc111b98777372b86c8b91f8450e7b252bdaf25ef61b848c09f838dc18b8bee2d5b8c1af1c31a9d2defd1cfc07b30d0a264

Download Submit
\Users\Admin\AppData\Local\aU4J3m\MpSigStub.exe
Filesize
264KB

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
\Users\Admin\AppData\Local\fmzMSkCX5\psr.exe
Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
memory/1196-45-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1196-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/1196-0-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1204-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1204-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1204-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1204-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1204-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1204-26-0x0000000076F41000-0x0000000076F42000-memory.dmp

Filesize
4KB

Download
memory/1204-27-0x00000000770D0000-0x00000000770D2000-memory.dmp

Filesize
8KB

Download
memory/1204-36-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1204-38-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1204-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1204-14-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1204-25-0x00000000029C0000-0x00000000029C7000-memory.dmp

Filesize
28KB

Download
memory/1204-4-0x0000000076E36000-0x0000000076E37000-memory.dmp

Filesize
4KB

Download
memory/1204-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1204-5-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/1204-64-0x0000000076E36000-0x0000000076E37000-memory.dmp

Filesize
4KB

Download
memory/1204-24-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1204-15-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1280-93-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1280-96-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2468-56-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/2468-59-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/2468-53-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/2472-78-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2472-75-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2472-72-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads