dridex | 04cf75d0e0684e29799390a40209ee9a357fcd561af47662b26dee8954a31bcb

General

Target

3c561335b84b1b6ec405b90307df1495_JaffaCakes118.dll
Size

1.2MB
MD5

3c561335b84b1b6ec405b90307df1495
SHA1

96c6d79ab3982f5598a8883a46d3605f79bdcc2f
SHA256

04cf75d0e0684e29799390a40209ee9a357fcd561af47662b26dee8954a31bcb
SHA512

9424214f2ae46ae5e5b99f728872ac203554b1004c1aa2f4664cc36cb7f521b953a96783e86e243d4bae42f1099e5669858557568e0c980366d5231fa4fd0793
SSDEEP

24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3376-4-0x00000000089E0000-0x00000000089E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesRemote.exeInfDefaultInstall.exesppsvc.exe

pid process

4340 SystemPropertiesRemote.exe
4708 InfDefaultInstall.exe
4320 sppsvc.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesRemote.exeInfDefaultInstall.exesppsvc.exe

pid process

4340 SystemPropertiesRemote.exe
4708 InfDefaultInstall.exe
4320 sppsvc.exe

pid	process
4340	SystemPropertiesRemote.exe
4708	InfDefaultInstall.exe
4320	sppsvc.exe

pid	process
4340	SystemPropertiesRemote.exe
4708	InfDefaultInstall.exe
4320	sppsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ihmks = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\GAUYNS~1\\INFDEF~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sppsvc.exerundll32.exeSystemPropertiesRemote.exeInfDefaultInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InfDefaultInstall.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4252	rundll32.exe
4252	rundll32.exe
4252	rundll32.exe
4252	rundll32.exe
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376
3376

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376
Token: SeShutdownPrivilege	3376
Token: SeCreatePagefilePrivilege	3376

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3376
3376
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3376

pid	process
3376
3376

pid	process
3376

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

description	pid	target process
PID 3376 wrote to memory of 4840	3376	SystemPropertiesRemote.exe
PID 3376 wrote to memory of 4840	3376	SystemPropertiesRemote.exe
PID 3376 wrote to memory of 4340	3376	SystemPropertiesRemote.exe
PID 3376 wrote to memory of 4340	3376	SystemPropertiesRemote.exe
PID 3376 wrote to memory of 3924	3376	InfDefaultInstall.exe
PID 3376 wrote to memory of 3924	3376	InfDefaultInstall.exe
PID 3376 wrote to memory of 4708	3376	InfDefaultInstall.exe
PID 3376 wrote to memory of 4708	3376	InfDefaultInstall.exe
PID 3376 wrote to memory of 4320	3376	sppsvc.exe
PID 3376 wrote to memory of 4320	3376	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c561335b84b1b6ec405b90307df1495_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4252

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:4840

C:\Users\Admin\AppData\Local\s3Qjs\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\s3Qjs\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4340

C:\Windows\system32\InfDefaultInstall.exe
C:\Windows\system32\InfDefaultInstall.exe
1⤵
PID:3924

C:\Users\Admin\AppData\Local\I0jWI\InfDefaultInstall.exe
C:\Users\Admin\AppData\Local\I0jWI\InfDefaultInstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4708

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:4324

C:\Users\Admin\AppData\Local\DMn2PXfl7\sppsvc.exe
C:\Users\Admin\AppData\Local\DMn2PXfl7\sppsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4320

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DMn2PXfl7\XmlLite.dll
Filesize
1.2MB

MD5
bab8f1fbad38a9daf96d57b19dd2f501

SHA1
b04539e1834c7c82a16e76d81803985562ec2dae

SHA256
e9d18ed06a171de117b99a3d0d74de726e3a93eed05fd272dcd3745df61b122f

SHA512
2ad9a468e607cd809713f1d2cc04337885fc29c194810631004260bffb3ded4fa26cd957ecc3fc0598a9b6eaf3bc423925e16b70ee6cea194f74cc442e7090c4

Download Submit
C:\Users\Admin\AppData\Local\DMn2PXfl7\sppsvc.exe
Filesize
4.4MB

MD5
ec6cef0a81f167668e18fa32f1606fce

SHA1
6d56837a388ae5573a38a439cee16e6dde5b4de8

SHA256
82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8

SHA512
f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

Download Submit
C:\Users\Admin\AppData\Local\I0jWI\InfDefaultInstall.exe
Filesize
13KB

MD5
ee18876c1e5de583de7547075975120e

SHA1
f7fcb3d77da74deee25de9296a7c7335916504e3

SHA256
e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d

SHA512
08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

Download Submit
C:\Users\Admin\AppData\Local\I0jWI\newdev.dll
Filesize
1.2MB

MD5
de7e93955ef03c35e91c0013e52a7f9e

SHA1
2d051e3a1a638a0af3dd78730d34e8435ba8155e

SHA256
370ee96c075d203e3c2e473adad5b32cfe4cb8587cf50b9e78d49f08c9012a08

SHA512
d4eecf2c62daedfae755a1de1e5a9d6657d4c36c459329c37df3b0cccaf2a944338b028adaf8ff891b6a4b0bd26b6e2de9078effdcc81b83db3f624d8b814f94

Download Submit
C:\Users\Admin\AppData\Local\s3Qjs\SYSDM.CPL
Filesize
1.2MB

MD5
df7c95f55eec0d5e2cd6aa5c5ae4cc05

SHA1
f724e3c6adf61cc4c65ae3363be18cf801487872

SHA256
fc971162fa54cd16db6349f722765e240240f7de12b02c42afed0c058b93642a

SHA512
c5ec3c80000a13ba5f17699b3ec80eb6436d124298120b0ef4f5fb4447b80ce4cd716579cd606522053806a3f3416b0356093096ac16ad715ffd4a1335957093

Download Submit
C:\Users\Admin\AppData\Local\s3Qjs\SystemPropertiesRemote.exe
Filesize
82KB

MD5
cdce1ee7f316f249a3c20cc7a0197da9

SHA1
dadb23af07827758005ec0235ac1573ffcea0da6

SHA256
7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

SHA512
f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yvephsk.lnk
Filesize
1KB

MD5
276f9ac3845adfe865f98a46ed9bb3c3

SHA1
35b09d4ae0a592ae3acba02af83e6d5a86309907

SHA256
a1883ea391f73c933d83b226c52c98ac443a411b99eec5ab4d381b2f8f036b54

SHA512
42fe295d15cddae246c103361f0e4a591614850d475411b14d447fd3322c88890fe40548f45525f074d62136121029e51f9fc03d5cbffb2b021fd70f73cfd6b2

Download Submit
memory/3376-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3376-33-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3376-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3376-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3376-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3376-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3376-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3376-6-0x00007FF8DC71A000-0x00007FF8DC71B000-memory.dmp

Filesize
4KB

Download
memory/3376-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3376-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3376-4-0x00000000089E0000-0x00000000089E1000-memory.dmp

Filesize
4KB

Download
memory/3376-36-0x00000000084A0000-0x00000000084A7000-memory.dmp

Filesize
28KB

Download
memory/3376-37-0x00007FF8DE650000-0x00007FF8DE660000-memory.dmp

Filesize
64KB

Download
memory/3376-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3376-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4252-38-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4252-0-0x0000016A4BDD0000-0x0000016A4BDD7000-memory.dmp

Filesize
28KB

Download
memory/4252-1-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4320-84-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4340-51-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4340-45-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4340-48-0x0000027320670000-0x0000027320677000-memory.dmp

Filesize
28KB

Download
memory/4708-65-0x00000273C9F50000-0x00000273C9F57000-memory.dmp

Filesize
28KB

Download
memory/4708-68-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads