dridex | 7bf840ca70c270a4d2ffdfa43d0cdc99dbce46c021d3487cff99b7326dbf121d

General

Target

48261eb1530a4239ebb56bb5bc9aa217_JaffaCakes118.dll
Size

1.2MB
MD5

48261eb1530a4239ebb56bb5bc9aa217
SHA1

cda82eb1ede80e356c15219eae4750b995cd2803
SHA256

7bf840ca70c270a4d2ffdfa43d0cdc99dbce46c021d3487cff99b7326dbf121d
SHA512

f0a98c79ddfa49e85ee1f69fcf8ef3eaefd76ae1c45b7a9e566e8da19263c9ece413c3367e6325b7604789668384acc28060d3e2f0fea92ed7992714f7c53fa4
SSDEEP

24576:BVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8K:BV8hf6STw1ZlQauvzSq01ICe6zvmV

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1248-5-0x0000000002560000-0x0000000002561000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DisplaySwitch.exeSystemPropertiesAdvanced.exeunregmp2.exe

pid process

2468 DisplaySwitch.exe
2956 SystemPropertiesAdvanced.exe
2824 unregmp2.exe
Loads dropped DLL 7 IoCs

Processes:

DisplaySwitch.exeSystemPropertiesAdvanced.exeunregmp2.exe

pid process

1248
2468 DisplaySwitch.exe
1248
2956 SystemPropertiesAdvanced.exe
1248
2824 unregmp2.exe
1248

pid	process
2468	DisplaySwitch.exe
2956	SystemPropertiesAdvanced.exe
2824	unregmp2.exe

pid	process
1248
2468	DisplaySwitch.exe
1248
2956	SystemPropertiesAdvanced.exe
1248
2824	unregmp2.exe
1248

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ybhspkdtbke = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\fd1y956\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeDisplaySwitch.exeSystemPropertiesAdvanced.exeunregmp2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2972	rundll32.exe
2972	rundll32.exe
2972	rundll32.exe
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1248 wrote to memory of 2260	1248	DisplaySwitch.exe
PID 1248 wrote to memory of 2260	1248	DisplaySwitch.exe
PID 1248 wrote to memory of 2260	1248	DisplaySwitch.exe
PID 1248 wrote to memory of 2468	1248	DisplaySwitch.exe
PID 1248 wrote to memory of 2468	1248	DisplaySwitch.exe
PID 1248 wrote to memory of 2468	1248	DisplaySwitch.exe
PID 1248 wrote to memory of 2604	1248	SystemPropertiesAdvanced.exe
PID 1248 wrote to memory of 2604	1248	SystemPropertiesAdvanced.exe
PID 1248 wrote to memory of 2604	1248	SystemPropertiesAdvanced.exe
PID 1248 wrote to memory of 2956	1248	SystemPropertiesAdvanced.exe
PID 1248 wrote to memory of 2956	1248	SystemPropertiesAdvanced.exe
PID 1248 wrote to memory of 2956	1248	SystemPropertiesAdvanced.exe
PID 1248 wrote to memory of 2612	1248	unregmp2.exe
PID 1248 wrote to memory of 2612	1248	unregmp2.exe
PID 1248 wrote to memory of 2612	1248	unregmp2.exe
PID 1248 wrote to memory of 2824	1248	unregmp2.exe
PID 1248 wrote to memory of 2824	1248	unregmp2.exe
PID 1248 wrote to memory of 2824	1248	unregmp2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48261eb1530a4239ebb56bb5bc9aa217_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:2260

C:\Users\Admin\AppData\Local\AJ4Qj\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\AJ4Qj\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2468

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:2604

C:\Users\Admin\AppData\Local\VyCFEC\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\VyCFEC\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2956

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:2612

C:\Users\Admin\AppData\Local\IVD\unregmp2.exe
C:\Users\Admin\AppData\Local\IVD\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AJ4Qj\slc.dll

Filesize
1.2MB

MD5
fdf862473dbe55c32bf7fe770507caf8

SHA1
718ab9fc4bb788b95f87ce37d75e1234673ec036

SHA256
6ee9802d2815a5e089a69e905f2ea5c7613d9af4c63e790cb44cbacc0219188a

SHA512
7204a7d2950917b5b86c247a12248e775ebcf35907526b28665942dc72ad254a981593594ff8d0c2aedcc723a70c67e45e0cbd0e44ffdd313a4666971561dc8b

Download Submit
C:\Users\Admin\AppData\Local\IVD\slc.dll

Filesize
1.2MB

MD5
4d830eb0d4613106228d15d96bd8e93e

SHA1
189ecbf0889e2be039bbc5d3d3563165d4fe1cb5

SHA256
55453165d01da399620ae0e888a03d4a65d91e772710804b0f1dd2a2bd93ec1c

SHA512
cb71d4519a658f38f28519900493318633e890e7d6f16570d4fae7c37c2f66a2599c8b13e23739bcd05ed52237238791d00c11fcb429e0583f6057d6b8a62185

Download Submit
C:\Users\Admin\AppData\Local\VyCFEC\SYSDM.CPL

Filesize
1.2MB

MD5
6b789661a2f087a8ea291be97beecd97

SHA1
0a19fabb8c220a18a85e35f2fff95c6623be0a7c

SHA256
38d38c519f28c829d1d7b6ae0b1304342a22062194c6714365f60de30b1fe26e

SHA512
923c87c6e253c712816cbfbcf402124cebe0aee143dd6ed72ea903770fe23beb6f1d8ab4f370c1988e8d7b158efbd67084f7404be4ba059d02bd99f04b02a2b3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk

Filesize
1KB

MD5
208179d196b9cec7dbf204979915eabe

SHA1
3493a13a8ba60fb04433c125d32740c356256abc

SHA256
b98c989f2a89f89c9f8b0b888998d6e4d85caf9f0a8676fcf3a749ef608f20a6

SHA512
fb16a7e4a6c6fd4ed785526421b5693dc614c0408f8abbfbf8e21d9f2654c37c70960fe5d349c6801903c550c208ef62952a14e9333a42032e3df4a517e295b0

Download Submit
\Users\Admin\AppData\Local\AJ4Qj\DisplaySwitch.exe

Filesize
517KB

MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
\Users\Admin\AppData\Local\IVD\unregmp2.exe

Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
\Users\Admin\AppData\Local\VyCFEC\SystemPropertiesAdvanced.exe

Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
memory/1248-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1248-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1248-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1248-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1248-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1248-27-0x00000000770F0000-0x00000000770F2000-memory.dmp

Filesize
8KB

Download
memory/1248-26-0x0000000076F61000-0x0000000076F62000-memory.dmp

Filesize
4KB

Download
memory/1248-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1248-25-0x0000000002540000-0x0000000002547000-memory.dmp

Filesize
28KB

Download
memory/1248-4-0x0000000076E56000-0x0000000076E57000-memory.dmp

Filesize
4KB

Download
memory/1248-32-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1248-33-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1248-5-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1248-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1248-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1248-67-0x0000000076E56000-0x0000000076E57000-memory.dmp

Filesize
4KB

Download
memory/1248-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1248-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2468-55-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2468-52-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2468-49-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2824-88-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2824-91-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2956-73-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2972-41-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2972-0-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2972-3-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads