dridex | f929aa41bdd0ed0a0caaa89a180f6f5aec0fda92fcf627e80c7838bb8e86e7d1

General

Target

3e3c3c8c63d07d53471c045b4b8436f8_JaffaCakes118.dll
Size

1.2MB
MD5

3e3c3c8c63d07d53471c045b4b8436f8
SHA1

91dbeda1577541b699330a9c923888d2409e3e17
SHA256

f929aa41bdd0ed0a0caaa89a180f6f5aec0fda92fcf627e80c7838bb8e86e7d1
SHA512

7bb1fb036e417ab8ec2ce2866974051703606bb16d0227e0970e4b09eecfb4d2dadda06d5b14c22303fa83b14901f019c3b3efff4e39cf5788f6ea76721fea2d
SSDEEP

24576:7yTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:7yWRKTt/QlPVp3h9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3460-4-0x00000000025A0000-0x00000000025A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dwm.exepsr.exeSystemPropertiesProtection.exe

pid process

4436 dwm.exe
2724 psr.exe
1272 SystemPropertiesProtection.exe
Loads dropped DLL 4 IoCs

Processes:

dwm.exepsr.exeSystemPropertiesProtection.exe

pid process

4436 dwm.exe
4436 dwm.exe
2724 psr.exe
1272 SystemPropertiesProtection.exe

pid	process
4436	dwm.exe
2724	psr.exe
1272	SystemPropertiesProtection.exe

pid	process
4436	dwm.exe
4436	dwm.exe
2724	psr.exe
1272	SystemPropertiesProtection.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\yxUe6Ldr1\\psr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exepsr.exeSystemPropertiesProtection.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1140	rundll32.exe
1140	rundll32.exe
1140	rundll32.exe
1140	rundll32.exe
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3460 wrote to memory of 1224	3460	dwm.exe
PID 3460 wrote to memory of 1224	3460	dwm.exe
PID 3460 wrote to memory of 4436	3460	dwm.exe
PID 3460 wrote to memory of 4436	3460	dwm.exe
PID 3460 wrote to memory of 4752	3460	psr.exe
PID 3460 wrote to memory of 4752	3460	psr.exe
PID 3460 wrote to memory of 2724	3460	psr.exe
PID 3460 wrote to memory of 2724	3460	psr.exe
PID 3460 wrote to memory of 1908	3460	SystemPropertiesProtection.exe
PID 3460 wrote to memory of 1908	3460	SystemPropertiesProtection.exe
PID 3460 wrote to memory of 1272	3460	SystemPropertiesProtection.exe
PID 3460 wrote to memory of 1272	3460	SystemPropertiesProtection.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e3c3c8c63d07d53471c045b4b8436f8_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1140

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:1224

C:\Users\Admin\AppData\Local\ZHivCJ5yp\dwm.exe
C:\Users\Admin\AppData\Local\ZHivCJ5yp\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4436

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:4752

C:\Users\Admin\AppData\Local\iTHJmMJ\psr.exe
C:\Users\Admin\AppData\Local\iTHJmMJ\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2724

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:1908

C:\Users\Admin\AppData\Local\MdCF4DJv\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\MdCF4DJv\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MdCF4DJv\SYSDM.CPL
Filesize
1.2MB

MD5
62e4b873282d6a9f0ded0e03e2c13d50

SHA1
c5715095e5d39795178bdd05fda5ab3fdbf7d3a1

SHA256
f878c13fd3d06a414c1e526dbdffca49514fb852a8d1d65ee60337120d1f1485

SHA512
68a0c14098e61a9deacb572528b3cbf114e33b488ba6ea95f5f9e150b320338b73abb09b5bf7c20b9aa285ca9affbbc0396458e56c16de1919cbe2acf77ccc05

Download Submit
C:\Users\Admin\AppData\Local\MdCF4DJv\SystemPropertiesProtection.exe
Filesize
82KB

MD5
26640d2d4fa912fc9a354ef6cfe500ff

SHA1
a343fd82659ce2d8de3beb587088867cf2ab8857

SHA256
a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

SHA512
26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

Download Submit
C:\Users\Admin\AppData\Local\ZHivCJ5yp\dwm.exe
Filesize
92KB

MD5
5c27608411832c5b39ba04e33d53536c

SHA1
f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

SHA256
0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

SHA512
1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

Download Submit
C:\Users\Admin\AppData\Local\ZHivCJ5yp\dxgi.dll
Filesize
1.2MB

MD5
a70909378857896eb1a5fdd6c4007ab4

SHA1
ce4b5980b627aed5b1dbbc06bb08a837ec9a9bdd

SHA256
e3d8f1eb305d76a474d08b1b2a113d237f2619cd81b21e5e4a9203f965bc4da1

SHA512
5917868388a2826342e302700411baff038de34052ff575d6b5ced1ffa451b81e1f33a0aa52dfbbdc7e5266058f1ec8506b5650c3cb6b1e355075aebc6dda82b

Download Submit
C:\Users\Admin\AppData\Local\iTHJmMJ\XmlLite.dll
Filesize
1.2MB

MD5
3a9d52ac97fa7ca5eb2634aa1aff45ac

SHA1
2d2321d81e4a3cc9e7a49f56fd89b5b430f0f834

SHA256
c41e93222f380249e03b52b1b96ee62d0f4599c75debdb71036b8367f3310855

SHA512
34c793045023bc544d51d391c41dce0b5080d91589ad8a43e3df35c01fd5ccd7b171ff83e938a68125bcc68d69c92855be22177e7a065b91c8945ca3298045c1

Download Submit
C:\Users\Admin\AppData\Local\iTHJmMJ\psr.exe
Filesize
232KB

MD5
ad53ead5379985081b7c3f1f357e545a

SHA1
6f5aa32c1d15fbf073558fadafd046d97b60184e

SHA256
4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

SHA512
433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize
874B

MD5
353ef3ed91953b4f2dfcdd11a4645dbe

SHA1
0dfcc418b68c0c9f2c26b0b2478b17d64a60c37f

SHA256
d985f55c0057c120cf31710c3db7cc823c773c93694497b5631968ccd229f226

SHA512
73a4761a73d3d319098e065128a3105a2702d2950bfaaadc9b1467c4779e939d42e06456cfabaa5beef35aad613f427b80a3a5a897e4443145e565a69727faf9

Download Submit
memory/1140-3-0x000001BADF830000-0x000001BADF837000-memory.dmp

Filesize
28KB

Download
memory/1140-39-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1140-1-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1272-83-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2724-64-0x00000201D33A0000-0x00000201D33A7000-memory.dmp

Filesize
28KB

Download
memory/2724-67-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3460-34-0x00007FFFD84B0000-0x00007FFFD84C0000-memory.dmp

Filesize
64KB

Download
memory/3460-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3460-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3460-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3460-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3460-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3460-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3460-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3460-6-0x00007FFFD6E8A000-0x00007FFFD6E8B000-memory.dmp

Filesize
4KB

Download
memory/3460-4-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3460-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3460-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3460-33-0x0000000000600000-0x0000000000607000-memory.dmp

Filesize
28KB

Download
memory/3460-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3460-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3460-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4436-52-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/4436-51-0x0000019B809D0000-0x0000019B809D7000-memory.dmp

Filesize
28KB

Download
memory/4436-48-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads