dridex | 588b58453ab4fce0cf03730ab7802b5d8477f21ec26ef8d19ab0d992ac93fff3

General

Target

4d950b19cf1259d8507195d85bee6117_JaffaCakes118.dll
Size

1.4MB
MD5

4d950b19cf1259d8507195d85bee6117
SHA1

a811e17a47a4245169044ebaaa24341e20f1606b
SHA256

588b58453ab4fce0cf03730ab7802b5d8477f21ec26ef8d19ab0d992ac93fff3
SHA512

1b06dd3c0840021c2d155134580465bcaa4dfc69051ce35932a57f3b4ec4d2f8822af9197122c077b2e5d622a867043027c2a7ec6f0789dfb9f7edbad5d40a16
SSDEEP

24576:8uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9NFt:09cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3536-4-0x0000000002EB0000-0x0000000002EB1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

InfDefaultInstall.exesystemreset.exewextract.exe

pid process

4460 InfDefaultInstall.exe
3324 systemreset.exe
3624 wextract.exe
Loads dropped DLL 3 IoCs

Processes:

InfDefaultInstall.exesystemreset.exewextract.exe

pid process

4460 InfDefaultInstall.exe
3324 systemreset.exe
3624 wextract.exe

pid	process
4460	InfDefaultInstall.exe
3324	systemreset.exe
3624	wextract.exe

pid	process
4460	InfDefaultInstall.exe
3324	systemreset.exe
3624	wextract.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\8OxmrOE\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

systemreset.exewextract.exerundll32.exeInfDefaultInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InfDefaultInstall.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4008	rundll32.exe
4008	rundll32.exe
4008	rundll32.exe
4008	rundll32.exe
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536
3536

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3536 wrote to memory of 4464	3536	InfDefaultInstall.exe
PID 3536 wrote to memory of 4464	3536	InfDefaultInstall.exe
PID 3536 wrote to memory of 4460	3536	InfDefaultInstall.exe
PID 3536 wrote to memory of 4460	3536	InfDefaultInstall.exe
PID 3536 wrote to memory of 3276	3536	systemreset.exe
PID 3536 wrote to memory of 3276	3536	systemreset.exe
PID 3536 wrote to memory of 3324	3536	systemreset.exe
PID 3536 wrote to memory of 3324	3536	systemreset.exe
PID 3536 wrote to memory of 2724	3536	wextract.exe
PID 3536 wrote to memory of 2724	3536	wextract.exe
PID 3536 wrote to memory of 3624	3536	wextract.exe
PID 3536 wrote to memory of 3624	3536	wextract.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d950b19cf1259d8507195d85bee6117_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4008

C:\Windows\system32\InfDefaultInstall.exe
C:\Windows\system32\InfDefaultInstall.exe
1⤵
PID:4464

C:\Users\Admin\AppData\Local\Tfmzj\InfDefaultInstall.exe
C:\Users\Admin\AppData\Local\Tfmzj\InfDefaultInstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4460

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:3276

C:\Users\Admin\AppData\Local\8J3\systemreset.exe
C:\Users\Admin\AppData\Local\8J3\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3324

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:2724

C:\Users\Admin\AppData\Local\mSDX1Pb\wextract.exe
C:\Users\Admin\AppData\Local\mSDX1Pb\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8J3\DUI70.dll
Filesize
1.7MB

MD5
817709ac08fdc7c20f80935809549170

SHA1
67eb2610a817f4d53907b158cfba7380ffa0f0ec

SHA256
80c0f8744d1101d79d8263387be2f4a52857311b7d2f256b0ab325c6b13a650f

SHA512
d97af278b297a6effbe6e988903789069fa1e8bc13dff1e8053371b30888a0e15a26f90f3bf89a52c1b8a6557b51ef56db4239707aee7ba36509cbb0fd7bb670

Download Submit
C:\Users\Admin\AppData\Local\8J3\systemreset.exe
Filesize
508KB

MD5
325ff647506adb89514defdd1c372194

SHA1
84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

SHA256
ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

SHA512
8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

Download Submit
C:\Users\Admin\AppData\Local\Tfmzj\InfDefaultInstall.exe
Filesize
13KB

MD5
ee18876c1e5de583de7547075975120e

SHA1
f7fcb3d77da74deee25de9296a7c7335916504e3

SHA256
e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d

SHA512
08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

Download Submit
C:\Users\Admin\AppData\Local\Tfmzj\newdev.dll
Filesize
1.4MB

MD5
469ad2b380526ae35e8782be53ce4590

SHA1
72e27748b6ea8380f947c97fbc222c32a19617e3

SHA256
932747ac577a11713e7ed3ed5e11463d7f6897d2a40136fdcc6fead9eb50a850

SHA512
d1c09d62cc41d88bb42ee4273ff74e2a679f8a691022a41515dbb3d95778085fe7d03ac6d0d71ad2783b4372f4c00c706e50cf13eb2ced9cf82c0f99d5a01797

Download Submit
C:\Users\Admin\AppData\Local\mSDX1Pb\VERSION.dll
Filesize
1.4MB

MD5
17b1cfc8c42629e080d5feebef01834e

SHA1
079c3393c7499d41980093ce731e00633409543b

SHA256
f33313f39d32e4d60b253a35fb44f0e9f4f8f8a5bb267d47f1605d60548b9b71

SHA512
cd9f6dd6dfcd09eed83ea403407ab2adc37d36b5242185e31a7a4c3a797fa99f73a5d68bcfe913c7b822a7390068e3917af2f17f1f8978fb887d116b1609b454

Download Submit
C:\Users\Admin\AppData\Local\mSDX1Pb\wextract.exe
Filesize
143KB

MD5
56e501e3e49cfde55eb1caabe6913e45

SHA1
ab2399cbf17dbee7b302bea49e40d4cee7caea76

SHA256
fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

SHA512
2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize
1KB

MD5
e6ff922a8da05ad17f9d7186f84328f2

SHA1
5f25f503bafc85cee4b5c5df53fbada7d65aaf6d

SHA256
cb6817ff09521729000f6ea9d1f75ac2d22c605a773f55184deec966985d8a04

SHA512
42fce1078a93548004ae5f7bb7deb4baf3d2301aa4e83b5aa7d4845219f6e31232608a76911137dcac7a14ac2456659c83a4d5b7af1e53f88aac9049f0084084

Download Submit
memory/3324-71-0x00007FFE30190000-0x00007FFE30344000-memory.dmp

Filesize
1.7MB

Download
memory/3324-66-0x00007FFE30190000-0x00007FFE30344000-memory.dmp

Filesize
1.7MB

Download
memory/3324-65-0x000001FB50500000-0x000001FB50507000-memory.dmp

Filesize
28KB

Download
memory/3536-35-0x00007FFE4CD4A000-0x00007FFE4CD4B000-memory.dmp

Filesize
4KB

Download
memory/3536-38-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-14-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-13-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-12-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-11-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-10-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-9-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-8-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-7-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-18-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-4-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/3536-17-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-6-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-15-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-26-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-16-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3536-36-0x0000000000E20000-0x0000000000E27000-memory.dmp

Filesize
28KB

Download
memory/3536-37-0x00007FFE4E510000-0x00007FFE4E520000-memory.dmp

Filesize
64KB

Download
memory/3624-82-0x00007FFE301E0000-0x00007FFE3034F000-memory.dmp

Filesize
1.4MB

Download
memory/3624-87-0x00007FFE301E0000-0x00007FFE3034F000-memory.dmp

Filesize
1.4MB

Download
memory/4008-1-0x00007FFE40000000-0x00007FFE4016E000-memory.dmp

Filesize
1.4MB

Download
memory/4008-41-0x00007FFE40000000-0x00007FFE4016E000-memory.dmp

Filesize
1.4MB

Download
memory/4008-3-0x0000020C73260000-0x0000020C73267000-memory.dmp

Filesize
28KB

Download
memory/4460-54-0x00007FFE30240000-0x00007FFE303AF000-memory.dmp

Filesize
1.4MB

Download
memory/4460-49-0x00007FFE30240000-0x00007FFE303AF000-memory.dmp

Filesize
1.4MB

Download
memory/4460-48-0x000002835FBE0000-0x000002835FBE7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads