dridex | a2463dbdef943b264b909c265284f607f024c4bbfb5a85f89c7c0543dd1f2671

General

Target

4b2042c03f8a331856122cb3f8c1029e_JaffaCakes118.dll
Size

994KB
MD5

4b2042c03f8a331856122cb3f8c1029e
SHA1

57527c2704de7f7c191b38dd75db13961755dcda
SHA256

a2463dbdef943b264b909c265284f607f024c4bbfb5a85f89c7c0543dd1f2671
SHA512

5caedd38a3b49856d5d3b941005c29e5ef312e6e1a77d3f945cfa860409f70585c455cade7d148dc66644501e31dd6e21315716a77f181d1056e8894b1f68b6e
SSDEEP

24576:zVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:zV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-5-0x00000000025B0000-0x00000000025B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

spreview.exemfpmp.exexpsrchvw.exe

pid process

2684 spreview.exe
1936 mfpmp.exe
2712 xpsrchvw.exe
Loads dropped DLL 7 IoCs

Processes:

spreview.exemfpmp.exexpsrchvw.exe

pid process

1204
2684 spreview.exe
1204
1936 mfpmp.exe
1204
2712 xpsrchvw.exe
1204

pid	process
2684	spreview.exe
1936	mfpmp.exe
2712	xpsrchvw.exe

pid	process
1204
2684	spreview.exe
1204
1936	mfpmp.exe
1204
2712	xpsrchvw.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tonqjizj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\jhO6Ml2n4a5\\mfpmp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exespreview.exemfpmp.exexpsrchvw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1712	rundll32.exe
1712	rundll32.exe
1712	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2836	1204	spreview.exe
PID 1204 wrote to memory of 2836	1204	spreview.exe
PID 1204 wrote to memory of 2836	1204	spreview.exe
PID 1204 wrote to memory of 2684	1204	spreview.exe
PID 1204 wrote to memory of 2684	1204	spreview.exe
PID 1204 wrote to memory of 2684	1204	spreview.exe
PID 1204 wrote to memory of 2980	1204	mfpmp.exe
PID 1204 wrote to memory of 2980	1204	mfpmp.exe
PID 1204 wrote to memory of 2980	1204	mfpmp.exe
PID 1204 wrote to memory of 1936	1204	mfpmp.exe
PID 1204 wrote to memory of 1936	1204	mfpmp.exe
PID 1204 wrote to memory of 1936	1204	mfpmp.exe
PID 1204 wrote to memory of 2772	1204	xpsrchvw.exe
PID 1204 wrote to memory of 2772	1204	xpsrchvw.exe
PID 1204 wrote to memory of 2772	1204	xpsrchvw.exe
PID 1204 wrote to memory of 2712	1204	xpsrchvw.exe
PID 1204 wrote to memory of 2712	1204	xpsrchvw.exe
PID 1204 wrote to memory of 2712	1204	xpsrchvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b2042c03f8a331856122cb3f8c1029e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
1⤵
PID:2836

C:\Users\Admin\AppData\Local\c4zRY9m\spreview.exe
C:\Users\Admin\AppData\Local\c4zRY9m\spreview.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2684

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:2980

C:\Users\Admin\AppData\Local\2w3DK\mfpmp.exe
C:\Users\Admin\AppData\Local\2w3DK\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1936

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:2772

C:\Users\Admin\AppData\Local\e5qwa\xpsrchvw.exe
C:\Users\Admin\AppData\Local\e5qwa\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2712

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2w3DK\MFPlat.DLL
Filesize
1000KB

MD5
33848947746796a737f3d16a09ce44ea

SHA1
04345feb1b30b19262441e5813186ff7d5991e2f

SHA256
a39f69dd87251350d4b4bfc0d8762dddaa0f729bef39985bdfdd3802833f088d

SHA512
62937f5ba51a9797c42dbfb56f5c001c6e32fad25703c730595e33ea3acbc7ec9d1b5a55f3438ee73ebe93793117bd3ff1d87d35219a35ad47c0dc3a0a836122

Download Submit
C:\Users\Admin\AppData\Local\c4zRY9m\WINBRAND.dll
Filesize
995KB

MD5
c67905ef4a705c97b743e57ad645dc4d

SHA1
48f86d07625242b97fe85b8654403b50e2b9eb97

SHA256
3b7544b87b9c5b0cfa8a0d74954226093cacfd35d7a392c4fb7e3db0562f4aac

SHA512
0f50784b187354f1888108d117272e0973353d2f49779aa1372fba0b8235e86bdb8a463cd738d8a36553f74a2b7f797f2b9d2ac1dc2508d79f3e448d253059da

Download Submit
C:\Users\Admin\AppData\Local\e5qwa\WINMM.dll
Filesize
999KB

MD5
b5b92d0058e1c0475ceae2302f113936

SHA1
b75c3b52dbd0f8890249f0f34300443dd67c64c4

SHA256
a429a8c61212a5ecc71640b0387f26fa5003c27dda2fe2596887899c98f51b6b

SHA512
3c2ec1cdf7af28ab1a15072ce176eeccd46fec7bccc93030fb12f7c6dcfb2f017ca05e573c9cb0215b9b30a780e071002695f51ca7dbc634a0c365eeb5b041f1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk
Filesize
899B

MD5
28fb561346e57fdbc647fe241c5b0d51

SHA1
bee5a24eaa2ab4cfd1a0811fb64fd96ad84679af

SHA256
23c0e47abff87d5f251e0538b7e4e370d0219eee5947a2a43a87cdd54afe17cd

SHA512
7b78e3ae109440d49ca55ffe7f256683b6581fb6c0f2c2c7a8c6608a16313cca5cca1babc814d547deb14bc27b084044a64bcb92431b807502d3a09e6b8bbe5a

Download Submit
\Users\Admin\AppData\Local\2w3DK\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
\Users\Admin\AppData\Local\c4zRY9m\spreview.exe
Filesize
294KB

MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
\Users\Admin\AppData\Local\e5qwa\xpsrchvw.exe
Filesize
4.6MB

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
memory/1204-26-0x0000000076F91000-0x0000000076F92000-memory.dmp

Filesize
4KB

Download
memory/1204-16-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1204-14-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1204-13-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1204-12-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1204-11-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1204-10-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1204-9-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1204-27-0x0000000077120000-0x0000000077122000-memory.dmp

Filesize
8KB

Download
memory/1204-4-0x0000000076E86000-0x0000000076E87000-memory.dmp

Filesize
4KB

Download
memory/1204-38-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1204-36-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1204-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1204-15-0x0000000002590000-0x0000000002597000-memory.dmp

Filesize
28KB

Download
memory/1204-25-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1204-73-0x0000000076E86000-0x0000000076E87000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1204-8-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1712-45-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1712-0-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/1712-1-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1936-74-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/1936-71-0x0000000140000000-0x0000000140100000-memory.dmp

Filesize
1024KB

Download
memory/1936-78-0x0000000140000000-0x0000000140100000-memory.dmp

Filesize
1024KB

Download
memory/2684-59-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/2684-56-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/2684-53-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/2712-94-0x0000000140000000-0x0000000140100000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads