dridex | c67b7882517ca00db7213591140e8512d741b47ef6d4f25777db75c05a67eead

General

Target

573dd0433642ceaeec1f5da4f0c1c0bb_JaffaCakes118.dll
Size

989KB
MD5

573dd0433642ceaeec1f5da4f0c1c0bb
SHA1

b46be86d5574cb5e9d4f22ab630c6308703bff28
SHA256

c67b7882517ca00db7213591140e8512d741b47ef6d4f25777db75c05a67eead
SHA512

469d257cfaac936c654f71ae159d62547c22c55d391a79ce38dcc97699044a65c3a7ae978fdd83ad0405f6141a0c354ec9b8cf4b15cbc412e2b70f2cf4da7a86
SSDEEP

24576:xVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:xV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3364-4-0x0000000003270000-0x0000000003271000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

shrpubw.exepsr.exeupfc.exe

pid process

4708 shrpubw.exe
4764 psr.exe
3596 upfc.exe
Loads dropped DLL 3 IoCs

Processes:

shrpubw.exepsr.exeupfc.exe

pid process

4708 shrpubw.exe
4764 psr.exe
3596 upfc.exe

pid	process
4708	shrpubw.exe
4764	psr.exe
3596	upfc.exe

pid	process
4708	shrpubw.exe
4764	psr.exe
3596	upfc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xcdbzlxvqxxhz = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FczmP8XF5J\\psr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeshrpubw.exepsr.exeupfc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364
3364

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3364 wrote to memory of 4672	3364	shrpubw.exe
PID 3364 wrote to memory of 4672	3364	shrpubw.exe
PID 3364 wrote to memory of 4708	3364	shrpubw.exe
PID 3364 wrote to memory of 4708	3364	shrpubw.exe
PID 3364 wrote to memory of 868	3364	psr.exe
PID 3364 wrote to memory of 868	3364	psr.exe
PID 3364 wrote to memory of 4764	3364	psr.exe
PID 3364 wrote to memory of 4764	3364	psr.exe
PID 3364 wrote to memory of 2892	3364	upfc.exe
PID 3364 wrote to memory of 2892	3364	upfc.exe
PID 3364 wrote to memory of 3596	3364	upfc.exe
PID 3364 wrote to memory of 3596	3364	upfc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\573dd0433642ceaeec1f5da4f0c1c0bb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:4672

C:\Users\Admin\AppData\Local\wFiDOnGNB\shrpubw.exe
C:\Users\Admin\AppData\Local\wFiDOnGNB\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4708

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:868

C:\Users\Admin\AppData\Local\EQdYb\psr.exe
C:\Users\Admin\AppData\Local\EQdYb\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4764

C:\Windows\system32\upfc.exe
C:\Windows\system32\upfc.exe
1⤵
PID:2892

C:\Users\Admin\AppData\Local\6oiw\upfc.exe
C:\Users\Admin\AppData\Local\6oiw\upfc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6oiw\XmlLite.dll
Filesize
990KB

MD5
f16bf1ba030a4bf83f08c04c5432f1e2

SHA1
4a212b284aac418533c4e59f23b0aaf4c3ee71f4

SHA256
f40f60da9eb0d291e9b722b32b541848b695b1fa3866742a78e88c554eda88ea

SHA512
01a8c9e081b6cb124e43833bf5a5cc974b5f981b121ed2c9e2ad45b39502c77c6b5ba8810413b0c2fb9823ac10e76595ed4ca13fe7ad3c7938c09d84dacca822

Download Submit
C:\Users\Admin\AppData\Local\6oiw\upfc.exe
Filesize
118KB

MD5
299ea296575ccb9d2c1a779062535d5c

SHA1
2497169c13b0ba46a6be8a1fe493b250094079b7

SHA256
ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

SHA512
02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

Download Submit
C:\Users\Admin\AppData\Local\EQdYb\VERSION.dll
Filesize
990KB

MD5
e462c506167240cacd6400a4038493ac

SHA1
e375c99bf96c65323d2c7cde5cb9a4ee9038897a

SHA256
4e630f9a39fc5c7dcd09167ced04a893fdac0402ebc20ecadd7b19f988612b43

SHA512
767f472c44819e3205c3c04b99a4a2bcf942853f467cda84b4f1d09368ac07e10d55056de7851770a408ebe8b212eb9f677ed230412512802c99289d194d9804

Download Submit
C:\Users\Admin\AppData\Local\EQdYb\psr.exe
Filesize
232KB

MD5
ad53ead5379985081b7c3f1f357e545a

SHA1
6f5aa32c1d15fbf073558fadafd046d97b60184e

SHA256
4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

SHA512
433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

Download Submit
C:\Users\Admin\AppData\Local\wFiDOnGNB\shrpubw.exe
Filesize
59KB

MD5
9910d5c62428ec5f92b04abf9428eec9

SHA1
05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

SHA256
6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

SHA512
01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

Download Submit
C:\Users\Admin\AppData\Local\wFiDOnGNB\srvcli.dll
Filesize
991KB

MD5
5e4231ef48f2c8f637f8d5d9e268241c

SHA1
cce2f1b789d40ba45f77ff06d8923e27a23185d3

SHA256
ee228b22f97e08aa9e78a0f5ae076380498c63ecd7f31f345c4d7c1890e3f80e

SHA512
3e81d72afdaac544181d6654a5c233c7391fef92e40ebecedf760a80d9161c23fe1ef0ef6bd7ad9f920a2c909168ea69b7ee6cd2c1d97add59062409c6d72389

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Axoeay.lnk
Filesize
1KB

MD5
b02f764647a944d40f7038366771a6d1

SHA1
5a9abe19a10bfb2f614e598cbeada39a014d3da0

SHA256
5870fcdd24e948ac5062c1b069cd72e2f3d31a2cf494e5f6b810ddef800f6584

SHA512
974723562cf6505e06307fdcafd8c66eb8c4145ce60fdc05454b99ca6a5109af5a5acc795010ea00c5bf01a1ff2f05431b78a3f07354121003f43661824b2753

Download Submit
memory/1312-0-0x0000028A4F8F0000-0x0000028A4F8F7000-memory.dmp

Filesize
28KB

Download
memory/1312-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1312-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3364-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3364-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3364-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3364-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3364-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3364-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3364-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3364-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3364-24-0x00000000012D0000-0x00000000012D7000-memory.dmp

Filesize
28KB

Download
memory/3364-4-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/3364-6-0x00007FFC6CBBA000-0x00007FFC6CBBB000-memory.dmp

Filesize
4KB

Download
memory/3364-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3364-25-0x00007FFC6DD50000-0x00007FFC6DD60000-memory.dmp

Filesize
64KB

Download
memory/3364-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3596-81-0x000001BD70670000-0x000001BD70677000-memory.dmp

Filesize
28KB

Download
memory/3596-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4708-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4708-45-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4708-44-0x0000023205B40000-0x0000023205B47000-memory.dmp

Filesize
28KB

Download
memory/4764-64-0x000001C515A00000-0x000001C515A07000-memory.dmp

Filesize
28KB

Download
memory/4764-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads