dridex | 7ecf07ac53b189273246a924e5dfec00f279ef61109ef416a064ceae4363a03b

General

Target

52ab939a75757880e9bfc35fd2fa2576_JaffaCakes118.dll
Size

1.4MB
MD5

52ab939a75757880e9bfc35fd2fa2576
SHA1

3f2653d7e6126b092d0dde6b762771f69fc53bce
SHA256

7ecf07ac53b189273246a924e5dfec00f279ef61109ef416a064ceae4363a03b
SHA512

e977a0e211fd2080da59b8402f3871e260c6bb5972834116086719b61ef246a3ea7057f9561df03ada1e478f55799e77adf510774610d78f3e42d6ce9159a1c9
SSDEEP

24576:oVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8y:oV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1364-5-0x00000000025D0000-0x00000000025D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

unregmp2.exedccw.exeslui.exe

pid process

1724 unregmp2.exe
1568 dccw.exe
2916 slui.exe
Loads dropped DLL 7 IoCs

Processes:

unregmp2.exedccw.exeslui.exe

pid process

1364
1724 unregmp2.exe
1364
1568 dccw.exe
1364
2916 slui.exe
1364

pid	process
1724	unregmp2.exe
1568	dccw.exe
2916	slui.exe

pid	process
1364
1724	unregmp2.exe
1364
1568	dccw.exe
1364
2916	slui.exe
1364

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\PLQcuI\\dccw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeunregmp2.exedccw.exeslui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2256	rundll32.exe
2256	rundll32.exe
2256	rundll32.exe
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364
1364

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1364 wrote to memory of 2548	1364	unregmp2.exe
PID 1364 wrote to memory of 2548	1364	unregmp2.exe
PID 1364 wrote to memory of 2548	1364	unregmp2.exe
PID 1364 wrote to memory of 1724	1364	unregmp2.exe
PID 1364 wrote to memory of 1724	1364	unregmp2.exe
PID 1364 wrote to memory of 1724	1364	unregmp2.exe
PID 1364 wrote to memory of 836	1364	dccw.exe
PID 1364 wrote to memory of 836	1364	dccw.exe
PID 1364 wrote to memory of 836	1364	dccw.exe
PID 1364 wrote to memory of 1568	1364	dccw.exe
PID 1364 wrote to memory of 1568	1364	dccw.exe
PID 1364 wrote to memory of 1568	1364	dccw.exe
PID 1364 wrote to memory of 2288	1364	slui.exe
PID 1364 wrote to memory of 2288	1364	slui.exe
PID 1364 wrote to memory of 2288	1364	slui.exe
PID 1364 wrote to memory of 2916	1364	slui.exe
PID 1364 wrote to memory of 2916	1364	slui.exe
PID 1364 wrote to memory of 2916	1364	slui.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\52ab939a75757880e9bfc35fd2fa2576_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2256

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:2548

C:\Users\Admin\AppData\Local\TnN\unregmp2.exe
C:\Users\Admin\AppData\Local\TnN\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1724

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:836

C:\Users\Admin\AppData\Local\GChYXbsg\dccw.exe
C:\Users\Admin\AppData\Local\GChYXbsg\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1568

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:2288

C:\Users\Admin\AppData\Local\zJZm29Q5\slui.exe
C:\Users\Admin\AppData\Local\zJZm29Q5\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2916

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GChYXbsg\mscms.dll
Filesize
1.4MB

MD5
4b81ca325bdfae94f0ad2bfd1528b84f

SHA1
a37315fbf6c81a6e9a24ab050bd16fec0d01596c

SHA256
08048d0870e802b6ae995c8b4066b422d14704083baed55c403c6757ed1d3423

SHA512
a90f724653d552e8c96fbbd8787ec901fe7fbf1beb0a065797dd01527bacf88ff1e92c54b76ab779d5da0f0a158f43b8ffac0869b22f00090e414a0f894bc4f7

Download Submit
C:\Users\Admin\AppData\Local\TnN\slc.dll
Filesize
1.4MB

MD5
76ef5c8db7e684598f4e8a3cf6e91ca2

SHA1
b85ee931c287b9c97b778093290a80b978dc614d

SHA256
d463a24fb9b9dafc5b273fe5654ed8e298b4550c2f0d25ada2fb22ed9ff1a03d

SHA512
930a0923c2b2aa4e6d85f974d62b70e8ea6288a14e81e0a8dcd7cfad5aec3397f69741ca3fdbebe27302f5783fcbfe5dbcd2496c57c218179990957a05a52a65

Download Submit
C:\Users\Admin\AppData\Local\TnN\unregmp2.exe
Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
870B

MD5
67911b8d9e389c4f327b4f30ead134f7

SHA1
0879f8250e0ec1aa1725ed607a1cbf27a87705a7

SHA256
fb658e3a89a33384302f164bb5cc9fd0351fa837e283a043d9a8c50213b88b11

SHA512
ef2451dcc4f617aa3d49c2e31f27536aac19a730f0c9467ea74ffcf2f5c2f7a6fdad80b300a1b4945c08634c227bd4a759d52eee362d8734d6785e95c506c460

Download Submit
\Users\Admin\AppData\Local\GChYXbsg\dccw.exe
Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
\Users\Admin\AppData\Local\zJZm29Q5\slc.dll
Filesize
1.4MB

MD5
4cf152006c230ddcefccf5e520c8302d

SHA1
81c5013cc4572c528535ee18653e719a7604a746

SHA256
3324575943fbc99c4ce77821ebbf2748f3159a4102f7c1d6afdf7e5163fd6274

SHA512
9c658f916c27b45416cc46c7582208b15b73f8632a9abebff5d84f72ff98cf0b9e6d977a2c4c60705e6bb3f470804404b3384dc48420d58e50fe4ae619936711

Download Submit
\Users\Admin\AppData\Local\zJZm29Q5\slui.exe
Filesize
341KB

MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
memory/1364-34-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-29-0x0000000077251000-0x0000000077252000-memory.dmp

Filesize
4KB

Download
memory/1364-15-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-14-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-13-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-11-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-10-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-9-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-16-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-7-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-12-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-4-0x0000000077146000-0x0000000077147000-memory.dmp

Filesize
4KB

Download
memory/1364-33-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1364-26-0x00000000025B0000-0x00000000025B7000-memory.dmp

Filesize
28KB

Download
memory/1364-25-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-8-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1364-30-0x00000000773E0000-0x00000000773E2000-memory.dmp

Filesize
8KB

Download
memory/1364-62-0x0000000077146000-0x0000000077147000-memory.dmp

Filesize
4KB

Download
memory/1568-70-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1568-77-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/1568-76-0x00000000FF180000-0x00000000FF259000-memory.dmp

Filesize
868KB

Download
memory/1724-55-0x00000000FF980000-0x00000000FF9D2000-memory.dmp

Filesize
328KB

Download
memory/1724-57-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/1724-50-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1724-51-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/2256-40-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2256-1-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2256-0-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2916-89-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2916-95-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads