dridex | 588b58453ab4fce0cf03730ab7802b5d8477f21ec26ef8d19ab0d992ac93fff3

General

Target

4d950b19cf1259d8507195d85bee6117_JaffaCakes118.dll
Size

1.4MB
MD5

4d950b19cf1259d8507195d85bee6117
SHA1

a811e17a47a4245169044ebaaa24341e20f1606b
SHA256

588b58453ab4fce0cf03730ab7802b5d8477f21ec26ef8d19ab0d992ac93fff3
SHA512

1b06dd3c0840021c2d155134580465bcaa4dfc69051ce35932a57f3b4ec4d2f8822af9197122c077b2e5d622a867043027c2a7ec6f0789dfb9f7edbad5d40a16
SSDEEP

24576:8uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NFt:09cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-5-0x00000000025B0000-0x00000000025B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

spreview.exedpnsvr.exeFXSCOVER.exe

pid process

2692 spreview.exe
1884 dpnsvr.exe
1988 FXSCOVER.exe
Loads dropped DLL 7 IoCs

Processes:

spreview.exedpnsvr.exeFXSCOVER.exe

pid process

1204
2692 spreview.exe
1204
1884 dpnsvr.exe
1204
1988 FXSCOVER.exe
1204

pid	process
2692	spreview.exe
1884	dpnsvr.exe
1988	FXSCOVER.exe

pid	process
1204
2692	spreview.exe
1204
1884	dpnsvr.exe
1204
1988	FXSCOVER.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tonqjizj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\11iRiiY\\dpnsvr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exespreview.exedpnsvr.exeFXSCOVER.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpnsvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1712	rundll32.exe
1712	rundll32.exe
1712	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2040	1204	spreview.exe
PID 1204 wrote to memory of 2040	1204	spreview.exe
PID 1204 wrote to memory of 2040	1204	spreview.exe
PID 1204 wrote to memory of 2692	1204	spreview.exe
PID 1204 wrote to memory of 2692	1204	spreview.exe
PID 1204 wrote to memory of 2692	1204	spreview.exe
PID 1204 wrote to memory of 2984	1204	dpnsvr.exe
PID 1204 wrote to memory of 2984	1204	dpnsvr.exe
PID 1204 wrote to memory of 2984	1204	dpnsvr.exe
PID 1204 wrote to memory of 1884	1204	dpnsvr.exe
PID 1204 wrote to memory of 1884	1204	dpnsvr.exe
PID 1204 wrote to memory of 1884	1204	dpnsvr.exe
PID 1204 wrote to memory of 2704	1204	FXSCOVER.exe
PID 1204 wrote to memory of 2704	1204	FXSCOVER.exe
PID 1204 wrote to memory of 2704	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1988	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1988	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1988	1204	FXSCOVER.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d950b19cf1259d8507195d85bee6117_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
1⤵
PID:2040

C:\Users\Admin\AppData\Local\Gn0A\spreview.exe
C:\Users\Admin\AppData\Local\Gn0A\spreview.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2692

C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
1⤵
PID:2984

C:\Users\Admin\AppData\Local\0DwkYfnU\dpnsvr.exe
C:\Users\Admin\AppData\Local\0DwkYfnU\dpnsvr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1884

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:2704

C:\Users\Admin\AppData\Local\kkmu\FXSCOVER.exe
C:\Users\Admin\AppData\Local\kkmu\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1988

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0DwkYfnU\WINMM.dll
Filesize
1.4MB

MD5
44af2a791acbeec689ba5efbddada2cc

SHA1
e4ca7e075354eef61300d118d26654d85c5fcfc8

SHA256
d135f4095564a944b2134885b6ed660670c306e78bd5475b5db579455c4802aa

SHA512
f371b93feb2b79cc29fd10c92211cdc9ee44fa68013209f4d34ba27c3be14112c95f318201ab4acb071d509479344981bf6bab855d8e65c4b89610e720354eb7

Download Submit
C:\Users\Admin\AppData\Local\Gn0A\WINBRAND.dll
Filesize
1.4MB

MD5
bd0512e245da33bd5461b728cf4e13ad

SHA1
aafcf3574d35247e440e157a13b866255714d6f3

SHA256
970221c7f4bced64ca4d9f27c2207edb78032ba360a66cadc0e51e4b3412de66

SHA512
95b541da9a95994f39983ec27f84f4d1c2dc0f4344ccf41d2c74ee9741267be44e861aadffded986520d1add39cc9685efb62a4445d57fd0daff48caaaec504c

Download Submit
C:\Users\Admin\AppData\Local\kkmu\MFC42u.dll
Filesize
1.4MB

MD5
057a13bbdaa8baacf921542684fbf903

SHA1
8e14353a5a09278b8caa13890ea32251adb0a0ca

SHA256
56066b8a03f2b1f6bce178ee185b2e3bcfb8190f195970b99571d3d349d78bf2

SHA512
dd8f672a1d29b0fd6a0f262ab1b235d19eee8102fa4967b3867e44b88764aeda4de00cbff6241e7d997433962f02c8e055f3ad7950e297e226094eb4e9064c1c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk
Filesize
1KB

MD5
989f8bb568bdfac86fe68c0689b7ec61

SHA1
7a00f6a2bf5a33c1e70e6635c0b71c264296ad18

SHA256
d67aa73a66eb5378ecf55b8c7ca0a54c87ef9c60e728467571778b3dfc7f02e6

SHA512
7260ac10ad95063d74730d925e7cec5175e65ddf9187126d9d39545d27f96ca868fd594d624707fe6781c50127c93622cd4668f4a012c859dd23050d084e89ad

Download Submit
\Users\Admin\AppData\Local\0DwkYfnU\dpnsvr.exe
Filesize
33KB

MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
\Users\Admin\AppData\Local\Gn0A\spreview.exe
Filesize
294KB

MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
\Users\Admin\AppData\Local\kkmu\FXSCOVER.exe
Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
memory/1204-17-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-22-0x0000000002590000-0x0000000002597000-memory.dmp

Filesize
28KB

Download
memory/1204-18-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-4-0x0000000076E86000-0x0000000076E87000-memory.dmp

Filesize
4KB

Download
memory/1204-16-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-15-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-14-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-13-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-12-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-11-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-10-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-9-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-40-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-39-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-36-0x0000000077120000-0x0000000077122000-memory.dmp

Filesize
8KB

Download
memory/1204-35-0x0000000076F91000-0x0000000076F92000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-19-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-28-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1204-77-0x0000000076E86000-0x0000000076E87000-memory.dmp

Filesize
4KB

Download
memory/1204-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1204-8-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1712-48-0x000007FEF5BF0000-0x000007FEF5D5E000-memory.dmp

Filesize
1.4MB

Download
memory/1712-2-0x0000000001D00000-0x0000000001D07000-memory.dmp

Filesize
28KB

Download
memory/1712-0-0x000007FEF5BF0000-0x000007FEF5D5E000-memory.dmp

Filesize
1.4MB

Download
memory/1884-74-0x000007FEF5BF0000-0x000007FEF5D60000-memory.dmp

Filesize
1.4MB

Download
memory/1884-78-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1884-81-0x000007FEF5BF0000-0x000007FEF5D60000-memory.dmp

Filesize
1.4MB

Download
memory/1988-93-0x000007FEF5BE0000-0x000007FEF5D55000-memory.dmp

Filesize
1.5MB

Download
memory/1988-98-0x000007FEF5BE0000-0x000007FEF5D55000-memory.dmp

Filesize
1.5MB

Download
memory/2692-62-0x000007FEF6690000-0x000007FEF67FF000-memory.dmp

Filesize
1.4MB

Download
memory/2692-59-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2692-56-0x000007FEF6690000-0x000007FEF67FF000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads