dridex | c67b7882517ca00db7213591140e8512d741b47ef6d4f25777db75c05a67eead

General

Target

573dd0433642ceaeec1f5da4f0c1c0bb_JaffaCakes118.dll
Size

989KB
MD5

573dd0433642ceaeec1f5da4f0c1c0bb
SHA1

b46be86d5574cb5e9d4f22ab630c6308703bff28
SHA256

c67b7882517ca00db7213591140e8512d741b47ef6d4f25777db75c05a67eead
SHA512

469d257cfaac936c654f71ae159d62547c22c55d391a79ce38dcc97699044a65c3a7ae978fdd83ad0405f6141a0c354ec9b8cf4b15cbc412e2b70f2cf4da7a86
SSDEEP

24576:xVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:xV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1368-5-0x0000000002620000-0x0000000002621000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SoundRecorder.exewisptis.exemstsc.exe

pid process

2504 SoundRecorder.exe
2492 wisptis.exe
1216 mstsc.exe
Loads dropped DLL 7 IoCs

Processes:

SoundRecorder.exewisptis.exemstsc.exe

pid process

1368
2504 SoundRecorder.exe
1368
2492 wisptis.exe
1368
1216 mstsc.exe
1368

pid	process
2504	SoundRecorder.exe
2492	wisptis.exe
1216	mstsc.exe

pid	process
1368
2504	SoundRecorder.exe
1368
2492	wisptis.exe
1368
1216	mstsc.exe
1368

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\sys\\QrY6s\\wisptis.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wisptis.exemstsc.exerundll32.exeSoundRecorder.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wisptis.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoundRecorder.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2008	rundll32.exe
2008	rundll32.exe
2008	rundll32.exe
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1368 wrote to memory of 2784	1368	SoundRecorder.exe
PID 1368 wrote to memory of 2784	1368	SoundRecorder.exe
PID 1368 wrote to memory of 2784	1368	SoundRecorder.exe
PID 1368 wrote to memory of 2504	1368	SoundRecorder.exe
PID 1368 wrote to memory of 2504	1368	SoundRecorder.exe
PID 1368 wrote to memory of 2504	1368	SoundRecorder.exe
PID 1368 wrote to memory of 2544	1368	wisptis.exe
PID 1368 wrote to memory of 2544	1368	wisptis.exe
PID 1368 wrote to memory of 2544	1368	wisptis.exe
PID 1368 wrote to memory of 2492	1368	wisptis.exe
PID 1368 wrote to memory of 2492	1368	wisptis.exe
PID 1368 wrote to memory of 2492	1368	wisptis.exe
PID 1368 wrote to memory of 2860	1368	mstsc.exe
PID 1368 wrote to memory of 2860	1368	mstsc.exe
PID 1368 wrote to memory of 2860	1368	mstsc.exe
PID 1368 wrote to memory of 1216	1368	mstsc.exe
PID 1368 wrote to memory of 1216	1368	mstsc.exe
PID 1368 wrote to memory of 1216	1368	mstsc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\573dd0433642ceaeec1f5da4f0c1c0bb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
1⤵
PID:2784

C:\Users\Admin\AppData\Local\vIo\SoundRecorder.exe
C:\Users\Admin\AppData\Local\vIo\SoundRecorder.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2504

C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
1⤵
PID:2544

C:\Users\Admin\AppData\Local\Yio0wJ1cM\wisptis.exe
C:\Users\Admin\AppData\Local\Yio0wJ1cM\wisptis.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2492

C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
1⤵
PID:2860

C:\Users\Admin\AppData\Local\KGg\mstsc.exe
C:\Users\Admin\AppData\Local\KGg\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1216

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Yio0wJ1cM\MAGNIFICATION.dll
Filesize
990KB

MD5
3b2c33a1820b0c8e7f963809b9d0bed9

SHA1
39584e1a982803babb89f05113871904b20c348b

SHA256
e3ed49ce7435ff44b9260bba7590d6942688385fe163b28c76a2a6bdda2cb9a2

SHA512
ec500d92db95055e6549c00e6790116892152bf6147f2379fc8bcdfe26d382a49f579bf4cf35acd769c2172c74d4e8ca06f477cc2ac91118c40aac656be2e38c

Download Submit
C:\Users\Admin\AppData\Local\vIo\UxTheme.dll
Filesize
992KB

MD5
deef57429beef01b575286db6b65a417

SHA1
490b86a812e33995d80d4b397e4698d07ad5eba3

SHA256
b383e27c5c258c21632b2ed1feb3df6c0019d40966db5257203cd554420394bf

SHA512
8cfe584f4853b2ca9d44dc1f9a887de8ec270b19cb82a2ee3e05d7d33759c659735cd43ca2c9cf43339590ee18b61bbef5855223c79fcf459934a1f39c8839e6

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
47fa6df6fc45a2f0c83d14a2ef1d59a7

SHA1
23b474ec2e6c8345517ba0e230694e497c60a251

SHA256
54a60c225315466226b0871c8476de4ebb3103d7353a18a8863f5da390dc1df8

SHA512
077d0bbe88d21d2b26717d1cc7db47271958dee05e89f1320c5fb20b9cc593fcb2314e249ce3c4b12c4a191b6703e949a7235db574a1ce80ca17a119451dca10

Download Submit
\Users\Admin\AppData\Local\KGg\WINMM.dll
Filesize
994KB

MD5
04533fcdeedeeca3acb73dd832c85b17

SHA1
f2d139a6091e96bbf292a6e5a55d076d79f22026

SHA256
c7ce554fc278aed5b52b37b45725814a27902cc263e2a6e8408796d25718cc12

SHA512
ede3b2a0248b8e12bf1f04841054a28db5a5ad2ea517645c23d6ccf68b7e82f053c32da7a6a9a956ed53a6106b6a83e1bd1d3c53d35221e1311f9497d2d8e073

Download Submit
\Users\Admin\AppData\Local\KGg\mstsc.exe
Filesize
1.1MB

MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\Users\Admin\AppData\Local\Yio0wJ1cM\wisptis.exe
Filesize
396KB

MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
\Users\Admin\AppData\Local\vIo\SoundRecorder.exe
Filesize
139KB

MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
memory/1216-89-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1216-84-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1216-83-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1368-25-0x0000000077B71000-0x0000000077B72000-memory.dmp

Filesize
4KB

Download
memory/1368-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-26-0x0000000077D00000-0x0000000077D02000-memory.dmp

Filesize
8KB

Download
memory/1368-30-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-29-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-4-0x0000000077A66000-0x0000000077A67000-memory.dmp

Filesize
4KB

Download
memory/1368-24-0x0000000002230000-0x0000000002237000-memory.dmp

Filesize
28KB

Download
memory/1368-5-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1368-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-57-0x0000000077A66000-0x0000000077A67000-memory.dmp

Filesize
4KB

Download
memory/1368-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2008-38-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2008-0-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2008-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2492-65-0x0000000000360000-0x0000000000367000-memory.dmp

Filesize
28KB

Download
memory/2492-71-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2504-51-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2504-47-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2504-46-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads