dridex | c16e01bd1c034e16aa5459108ac9894a175f8e9754e1e360f81e0c8ddf720a94

General

Target

4c5464886e6c66edad677dddc6606f1f_JaffaCakes118.dll
Size

1.2MB
MD5

4c5464886e6c66edad677dddc6606f1f
SHA1

0b422d84ce42e2d925cfb03c21e03cf52c80c99d
SHA256

c16e01bd1c034e16aa5459108ac9894a175f8e9754e1e360f81e0c8ddf720a94
SHA512

57db43d75b4f3354a9e77a4a4b40086094fb0501f76132c007fa64cb1355b952f8d7258de0460b4646250fb2d2073bf34a50be7d23498e6a09d0065045624652
SSDEEP

24576:NuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:H9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1256-5-0x0000000002150000-0x0000000002151000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ComputerDefaults.exeisoburn.exewinlogon.exe

pid process

2556 ComputerDefaults.exe
280 isoburn.exe
2148 winlogon.exe
Loads dropped DLL 7 IoCs

Processes:

ComputerDefaults.exeisoburn.exewinlogon.exe

pid process

1256
2556 ComputerDefaults.exe
1256
280 isoburn.exe
1256
2148 winlogon.exe
1256

pid	process
2556	ComputerDefaults.exe
280	isoburn.exe
2148	winlogon.exe

pid	process
1256
2556	ComputerDefaults.exe
1256
280	isoburn.exe
1256
2148	winlogon.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\DZOPIQ~1\\isoburn.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeComputerDefaults.exeisoburn.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComputerDefaults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2876	rundll32.exe
2876	rundll32.exe
2876	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 2540	1256	ComputerDefaults.exe
PID 1256 wrote to memory of 2540	1256	ComputerDefaults.exe
PID 1256 wrote to memory of 2540	1256	ComputerDefaults.exe
PID 1256 wrote to memory of 2556	1256	ComputerDefaults.exe
PID 1256 wrote to memory of 2556	1256	ComputerDefaults.exe
PID 1256 wrote to memory of 2556	1256	ComputerDefaults.exe
PID 1256 wrote to memory of 556	1256	isoburn.exe
PID 1256 wrote to memory of 556	1256	isoburn.exe
PID 1256 wrote to memory of 556	1256	isoburn.exe
PID 1256 wrote to memory of 280	1256	isoburn.exe
PID 1256 wrote to memory of 280	1256	isoburn.exe
PID 1256 wrote to memory of 280	1256	isoburn.exe
PID 1256 wrote to memory of 2768	1256	winlogon.exe
PID 1256 wrote to memory of 2768	1256	winlogon.exe
PID 1256 wrote to memory of 2768	1256	winlogon.exe
PID 1256 wrote to memory of 2148	1256	winlogon.exe
PID 1256 wrote to memory of 2148	1256	winlogon.exe
PID 1256 wrote to memory of 2148	1256	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c5464886e6c66edad677dddc6606f1f_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2876

C:\Windows\system32\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
1⤵
PID:2540

C:\Users\Admin\AppData\Local\9zIq\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\9zIq\ComputerDefaults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2556

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:556

C:\Users\Admin\AppData\Local\bGj1eBkT\isoburn.exe
C:\Users\Admin\AppData\Local\bGj1eBkT\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:280

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:2768

C:\Users\Admin\AppData\Local\7E54mW\winlogon.exe
C:\Users\Admin\AppData\Local\7E54mW\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2148

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7E54mW\WINSTA.dll
Filesize
1.2MB

MD5
dfa5f97e35459635b7cc6c3b0663fe1d

SHA1
ef164d2a1c38933aaabaa24464054a40436de945

SHA256
a75f977c3cf7d4c0320a97fa8c47ee09b7f43d90bf19cc836bf95d5847383947

SHA512
3dcb1913a19443aa32a60361dc9bd152be5a4e1826bcd72aaebe74601166f671f6d3b4499111b2a7208dceba1cfe220b185eddacda5ca7f2840abdddf3e141d3

Download Submit
C:\Users\Admin\AppData\Local\7E54mW\winlogon.exe
Filesize
381KB

MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
C:\Users\Admin\AppData\Local\9zIq\appwiz.cpl
Filesize
1.2MB

MD5
4f61c5c67dea24f472383a0160ddddc8

SHA1
f8839aa0f7805c4d83bbdaa4d9f5dbe77215bda6

SHA256
0d23ef8759dd5c504158982c8fb4ff09d27e358cf50fa5bc53c7095ae1efc140

SHA512
a948a61a9ee4303588c6ecd834afb5b5d5065ef839c45109528301fe941a87843db4d079e9d410a20d430d0d61b0ade9197b6b711621f2a3ad90adb2ce149c70

Download Submit
C:\Users\Admin\AppData\Local\bGj1eBkT\UxTheme.dll
Filesize
1.2MB

MD5
9d55f22bd6a87e580d90a87b32ec14f4

SHA1
a99e4b8e730d67443a2baef9ab0254c22fa6e2b3

SHA256
f5256f9ffae3ebaf16bd1d4e37f8448f3bcc0cc9d22ab0e7ccf2937cc4ef9db0

SHA512
1e54ca566ad0b4f68bc69651d9ba2891146c229e0eca26c537c41880773f7f9a6a9521a687f23a8d3249db9b27b3ed475566b3ef957fd4986ab89aa3b3bba6c6

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
0d4b40e4b77dadf83ea57fbaf7d311f9

SHA1
690310450c35a57a95e8c55ccb43226ccb19f356

SHA256
792a5849d98815e050170a07cc98d2cc6bdfb7a29aa6f7e9103ef6ad8932619d

SHA512
fbbc893452f4b2a12899d258ec6ddbe87b65d14bc4ad7104e05f8e45240a36b3c10ca307e339a981ee613256f5600e414c218b0ac438555c0f0f2900931681b7

Download Submit
\Users\Admin\AppData\Local\9zIq\ComputerDefaults.exe
Filesize
36KB

MD5
86bd981f55341273753ac42ea200a81e

SHA1
14fe410efc9aeb0a905b984ac27719ff0dd10ea7

SHA256
40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

SHA512
49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Download Submit
\Users\Admin\AppData\Local\bGj1eBkT\isoburn.exe
Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
memory/280-81-0x000007FEF5D80000-0x000007FEF5EB5000-memory.dmp

Filesize
1.2MB

Download
memory/280-76-0x000007FEF5D80000-0x000007FEF5EB5000-memory.dmp

Filesize
1.2MB

Download
memory/280-75-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/1256-27-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-10-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-19-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-30-0x0000000077310000-0x0000000077312000-memory.dmp

Filesize
8KB

Download
memory/1256-29-0x0000000077181000-0x0000000077182000-memory.dmp

Filesize
4KB

Download
memory/1256-18-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-17-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-16-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-15-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-14-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-12-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-39-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-40-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-4-0x0000000077076000-0x0000000077077000-memory.dmp

Filesize
4KB

Download
memory/1256-5-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1256-28-0x0000000002130000-0x0000000002137000-memory.dmp

Filesize
28KB

Download
memory/1256-8-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-7-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-74-0x0000000077076000-0x0000000077077000-memory.dmp

Filesize
4KB

Download
memory/1256-11-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-13-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1256-9-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2148-93-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2148-94-0x000007FEF5D80000-0x000007FEF5EB6000-memory.dmp

Filesize
1.2MB

Download
memory/2148-99-0x000007FEF5D80000-0x000007FEF5EB6000-memory.dmp

Filesize
1.2MB

Download
memory/2556-62-0x000007FEF6890000-0x000007FEF69C5000-memory.dmp

Filesize
1.2MB

Download
memory/2556-57-0x000007FEF6890000-0x000007FEF69C5000-memory.dmp

Filesize
1.2MB

Download
memory/2556-56-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/2876-0-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2876-48-0x000007FEF5D80000-0x000007FEF5EB4000-memory.dmp

Filesize
1.2MB

Download
memory/2876-1-0x000007FEF5D80000-0x000007FEF5EB4000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads