dridex | f929aa41bdd0ed0a0caaa89a180f6f5aec0fda92fcf627e80c7838bb8e86e7d1

General

Target

3e3c3c8c63d07d53471c045b4b8436f8_JaffaCakes118.dll
Size

1.2MB
MD5

3e3c3c8c63d07d53471c045b4b8436f8
SHA1

91dbeda1577541b699330a9c923888d2409e3e17
SHA256

f929aa41bdd0ed0a0caaa89a180f6f5aec0fda92fcf627e80c7838bb8e86e7d1
SHA512

7bb1fb036e417ab8ec2ce2866974051703606bb16d0227e0970e4b09eecfb4d2dadda06d5b14c22303fa83b14901f019c3b3efff4e39cf5788f6ea76721fea2d
SSDEEP

24576:7yTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:7yWRKTt/QlPVp3h9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-5-0x0000000002E10000-0x0000000002E11000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

cmstp.exewisptis.exetaskmgr.exe

pid process

2648 cmstp.exe
1084 wisptis.exe
3068 taskmgr.exe
Loads dropped DLL 7 IoCs

Processes:

cmstp.exewisptis.exetaskmgr.exe

pid process

1204
2648 cmstp.exe
1204
1084 wisptis.exe
1204
3068 taskmgr.exe
1204

pid	process
2648	cmstp.exe
1084	wisptis.exe
3068	taskmgr.exe

pid	process
1204
2648	cmstp.exe
1204
1084	wisptis.exe
1204
3068	taskmgr.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tonqjizj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\xgo2fxp\\wisptis.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wisptis.exetaskmgr.exerundll32.execmstp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wisptis.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2532	1204	cmstp.exe
PID 1204 wrote to memory of 2532	1204	cmstp.exe
PID 1204 wrote to memory of 2532	1204	cmstp.exe
PID 1204 wrote to memory of 2648	1204	cmstp.exe
PID 1204 wrote to memory of 2648	1204	cmstp.exe
PID 1204 wrote to memory of 2648	1204	cmstp.exe
PID 1204 wrote to memory of 2228	1204	wisptis.exe
PID 1204 wrote to memory of 2228	1204	wisptis.exe
PID 1204 wrote to memory of 2228	1204	wisptis.exe
PID 1204 wrote to memory of 1084	1204	wisptis.exe
PID 1204 wrote to memory of 1084	1204	wisptis.exe
PID 1204 wrote to memory of 1084	1204	wisptis.exe
PID 1204 wrote to memory of 3064	1204	taskmgr.exe
PID 1204 wrote to memory of 3064	1204	taskmgr.exe
PID 1204 wrote to memory of 3064	1204	taskmgr.exe
PID 1204 wrote to memory of 3068	1204	taskmgr.exe
PID 1204 wrote to memory of 3068	1204	taskmgr.exe
PID 1204 wrote to memory of 3068	1204	taskmgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e3c3c8c63d07d53471c045b4b8436f8_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1596

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:2532

C:\Users\Admin\AppData\Local\vtL\cmstp.exe
C:\Users\Admin\AppData\Local\vtL\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2648

C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
1⤵
PID:2228

C:\Users\Admin\AppData\Local\siKrPe\wisptis.exe
C:\Users\Admin\AppData\Local\siKrPe\wisptis.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1084

C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
1⤵
PID:3064

C:\Users\Admin\AppData\Local\t817\taskmgr.exe
C:\Users\Admin\AppData\Local\t817\taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3068

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\siKrPe\MAGNIFICATION.dll
Filesize
1.2MB

MD5
e48995542ccc49719ba8df8f0f5fbc01

SHA1
0158033a6c9d1619d6d7f1a773d20f99fc8b8e72

SHA256
9a7b8bf91892b3a555469bfbba7319dcf64b7d2a2f7744259b301ed46b2b4859

SHA512
13e85ceeb748ace0559e7b6cb5f9b66d0a77ba83a788a4a6c8e9a00da984fce236f5e98e8c032d5dad56b38220e349d0918b9dc59ce1043b2a244514c2be34c7

Download Submit
C:\Users\Admin\AppData\Local\t817\UxTheme.dll
Filesize
1.2MB

MD5
dffbc40a25bb01f8e7e8bb134180f1f2

SHA1
00ba9b181bc958183618d06a123abda01a00f363

SHA256
f728ba8d56fd47f7bd400bab7a45668b0b3055ab049eb93ccc23dc88809c8f9e

SHA512
cdd89cf3fac305a71321e935585ec527d68946cc9c97294522c7bbc5b8537c45b428422cf2af82d722b2454a63bd1245485789840d44bda9387df7161a21fdcd

Download Submit
C:\Users\Admin\AppData\Local\vtL\VERSION.dll
Filesize
1.2MB

MD5
dcae4c2655eab8fa29e8b4fef17488b9

SHA1
9e463a393a80d6ef8d900c5baffb9b4358a41bf7

SHA256
cce95802a36749f3ce9cd1a5a23635d2035541b67c8f8ea33b338b76b8399786

SHA512
70f19256c772fc8c67d94ddb21e2f5d14a03698b700ee9845aaae36338a1529144d2fc9e07c161be5cba8dcfb0d8c7364e9fc31510ea0cecfb160b204b8dfc24

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk
Filesize
1KB

MD5
d83680ae5672e040a202110f0cca43db

SHA1
cd418c871645fc6753ad48f51dbe8ff1ce543c11

SHA256
220aa5d9f268051bd2315fbc124644ef3ffc5f0a91efc65c416e3bdd2af8a212

SHA512
65f272b9c46ca50e1897e68d98c5bb4779a2b4154246bef5a6db601baf717a079566e469e32be11e97f4e438445a2541648f83ee0525ac260ad485e28f4d6e68

Download Submit
\Users\Admin\AppData\Local\siKrPe\wisptis.exe
Filesize
396KB

MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
\Users\Admin\AppData\Local\t817\taskmgr.exe
Filesize
251KB

MD5
09f7401d56f2393c6ca534ff0241a590

SHA1
e8b4d84a28e5ea17272416ec45726964fdf25883

SHA256
6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

SHA512
7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

Download Submit
\Users\Admin\AppData\Local\vtL\cmstp.exe
Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
memory/1084-79-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1084-76-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/1204-27-0x0000000077581000-0x0000000077582000-memory.dmp

Filesize
4KB

Download
memory/1204-23-0x0000000002DF0000-0x0000000002DF7000-memory.dmp

Filesize
28KB

Download
memory/1204-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-4-0x0000000077476000-0x0000000077477000-memory.dmp

Filesize
4KB

Download
memory/1204-28-0x0000000077710000-0x0000000077712000-memory.dmp

Filesize
8KB

Download
memory/1204-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-38-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-5-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/1204-26-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1204-65-0x0000000077476000-0x0000000077477000-memory.dmp

Filesize
4KB

Download
memory/1204-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1596-46-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1596-0-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1596-3-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/2648-60-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2648-57-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2648-54-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3068-96-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads