dridex | dea896300dcba7e6727fcb52a9e07abaea0ec9524261fe9c8b079c8a9dff0b58

General

Target

3646d96c51ae392630a7ac3d4e79d19e_JaffaCakes118.dll
Size

1.2MB
MD5

3646d96c51ae392630a7ac3d4e79d19e
SHA1

d352da9cffdc69418eeb3c6fd580a746e52a67cc
SHA256

dea896300dcba7e6727fcb52a9e07abaea0ec9524261fe9c8b079c8a9dff0b58
SHA512

0d825794a073c1f935a3b57788d7a30334ab64828226bb5cdbebfb1bc367947b983ad731c909eadf50527fd8e8f945b43b1e5362bb3caf35c81f7661728eb8bb
SSDEEP

24576:1VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:1V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1224-5-0x0000000002910000-0x0000000002911000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wbengine.execmstp.exeunregmp2.exe

pid process

2768 wbengine.exe
2484 cmstp.exe
1828 unregmp2.exe
Loads dropped DLL 7 IoCs

Processes:

wbengine.execmstp.exeunregmp2.exe

pid process

1224
2768 wbengine.exe
1224
2484 cmstp.exe
1224
1828 unregmp2.exe
1224

pid	process
2768	wbengine.exe
2484	cmstp.exe
1828	unregmp2.exe

pid	process
1224
2768	wbengine.exe
1224
2484	cmstp.exe
1224
1828	unregmp2.exe
1224

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\Zl0yyvm\\cmstp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewbengine.execmstp.exeunregmp2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wbengine.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1300	rundll32.exe
1300	rundll32.exe
1300	rundll32.exe
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224
1224

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1224 wrote to memory of 2372	1224	wbengine.exe
PID 1224 wrote to memory of 2372	1224	wbengine.exe
PID 1224 wrote to memory of 2372	1224	wbengine.exe
PID 1224 wrote to memory of 2768	1224	wbengine.exe
PID 1224 wrote to memory of 2768	1224	wbengine.exe
PID 1224 wrote to memory of 2768	1224	wbengine.exe
PID 1224 wrote to memory of 1244	1224	cmstp.exe
PID 1224 wrote to memory of 1244	1224	cmstp.exe
PID 1224 wrote to memory of 1244	1224	cmstp.exe
PID 1224 wrote to memory of 2484	1224	cmstp.exe
PID 1224 wrote to memory of 2484	1224	cmstp.exe
PID 1224 wrote to memory of 2484	1224	cmstp.exe
PID 1224 wrote to memory of 2240	1224	unregmp2.exe
PID 1224 wrote to memory of 2240	1224	unregmp2.exe
PID 1224 wrote to memory of 2240	1224	unregmp2.exe
PID 1224 wrote to memory of 1828	1224	unregmp2.exe
PID 1224 wrote to memory of 1828	1224	unregmp2.exe
PID 1224 wrote to memory of 1828	1224	unregmp2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3646d96c51ae392630a7ac3d4e79d19e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1300

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:2372

C:\Users\Admin\AppData\Local\NCsr\wbengine.exe
C:\Users\Admin\AppData\Local\NCsr\wbengine.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2768

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:1244

C:\Users\Admin\AppData\Local\O1cR\cmstp.exe
C:\Users\Admin\AppData\Local\O1cR\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2484

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:2240

C:\Users\Admin\AppData\Local\o31Aa\unregmp2.exe
C:\Users\Admin\AppData\Local\o31Aa\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1828

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NCsr\XmlLite.dll
Filesize
1.2MB

MD5
7b59e506480c7b68253e4f6bad0fe848

SHA1
8d9c6676fab08e77a6c6e515d46e48b635244b0d

SHA256
9551d5db95a08678caab87192b66ce32cb22fac50e9a572f161f97527ae4a889

SHA512
a0278d562edacb305b9a5f952a8a2263227487a6fbeed443cc15c0111f4d760f5b37d0232c1cdca40ce703e177cb9e696417e419abc987695c9daf61bed2d4c1

Download Submit
C:\Users\Admin\AppData\Local\O1cR\VERSION.dll
Filesize
1.2MB

MD5
c6d1df33a2df3f45600cef249a4e74ff

SHA1
8815eb87d2f5244157e367c9b4d4ca0a878df670

SHA256
6d486c9e62a5bc9ae79f85edcec1b702ffe46b5f1e0f5928c09405a47629847b

SHA512
e9c672467a01e6229c045d6617608a96d95a93986757956e58ca918a1ca781086d5cef5a7fc0872503e3391bd7a0988c6fc9085d5d47cd40abbd2c8d9106ad34

Download Submit
C:\Users\Admin\AppData\Local\o31Aa\slc.dll
Filesize
1.2MB

MD5
7f4f011fed615a3a82e42429568e51ac

SHA1
8ad36bbfe9a63dbadca99b3c4b9583863c7d3cea

SHA256
e72f5fed0e2dc4b2e53c0610d16c349a88f60eaf482b654fcbfa2a828acc94ba

SHA512
52fb3591ff015b88539711c3c66fb0d39c1ab3b6d7c56c1b343a5e396df91f7cd9e23502b9e6a6a531a49d0d4b66afd92a40ed5f02130d6f8cb9100eff92ff3e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
054a5c85c9f753291d5d44722e37eb04

SHA1
ac6710e4bdcd9b10b802793d02a8e8d06d0f699c

SHA256
e0a23a5ad89147602f97f0d16402472708af44e1419fd1d9b11792105bfbb280

SHA512
a1e3e2cddc60a16b935e06240ec8091cbdce1b886bb08f5ae8b25336eec6150eccd031d088fe8e48db24005ebeb542ab0b9d4e1e4f909da15a1083ded2573a32

Download Submit
\Users\Admin\AppData\Local\NCsr\wbengine.exe
Filesize
1.4MB

MD5
78f4e7f5c56cb9716238eb57da4b6a75

SHA1
98b0b9db6ec5961dbb274eff433a8bc21f7e557b

SHA256
46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

SHA512
1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

Download Submit
\Users\Admin\AppData\Local\O1cR\cmstp.exe
Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Local\o31Aa\unregmp2.exe
Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
memory/1224-16-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-13-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-4-0x0000000076D36000-0x0000000076D37000-memory.dmp

Filesize
4KB

Download
memory/1224-15-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-14-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-12-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-11-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-26-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-9-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-28-0x0000000076FD0000-0x0000000076FD2000-memory.dmp

Filesize
8KB

Download
memory/1224-32-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-31-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-27-0x0000000076E41000-0x0000000076E42000-memory.dmp

Filesize
4KB

Download
memory/1224-5-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1224-8-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-17-0x00000000028F0000-0x00000000028F7000-memory.dmp

Filesize
28KB

Download
memory/1224-7-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-10-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1224-59-0x0000000076D36000-0x0000000076D37000-memory.dmp

Filesize
4KB

Download
memory/1300-40-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1300-1-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1300-0-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1828-85-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1828-91-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2484-67-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/2484-73-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2768-54-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2768-49-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2768-48-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads