dridex | e23c41349eeefc69c4c1f27fd1571d6fc0c6b23ef1e226ae7987399748d9f993

General

Target

58e75416d4ee4a278611094fcb4415b3_JaffaCakes118.dll
Size

1.2MB
MD5

58e75416d4ee4a278611094fcb4415b3
SHA1

cafe586e68798b0daf27326fef300343cb1b223b
SHA256

e23c41349eeefc69c4c1f27fd1571d6fc0c6b23ef1e226ae7987399748d9f993
SHA512

be53b9e6b09e6dbc8511accf9164ab7f58492533c5e4e916c34803dc1bb4950e8bf00ab0b29c82d1002d4882e5630f7987b15c5ab8104c500c499f643a64f22c
SSDEEP

24576:RVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:RV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3392-4-0x0000000002760000-0x0000000002761000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

PresentationSettings.exeSystemPropertiesPerformance.exedpapimig.exe

pid process

8 PresentationSettings.exe
3980 SystemPropertiesPerformance.exe
5032 dpapimig.exe
Loads dropped DLL 3 IoCs

Processes:

PresentationSettings.exeSystemPropertiesPerformance.exedpapimig.exe

pid process

8 PresentationSettings.exe
3980 SystemPropertiesPerformance.exe
5032 dpapimig.exe

pid	process
8	PresentationSettings.exe
3980	SystemPropertiesPerformance.exe
5032	dpapimig.exe

pid	process
8	PresentationSettings.exe
3980	SystemPropertiesPerformance.exe
5032	dpapimig.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ovnmkkvrgnxhq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\KzsQ4ZAM\\SystemPropertiesPerformance.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exePresentationSettings.exeSystemPropertiesPerformance.exedpapimig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4536	rundll32.exe
4536	rundll32.exe
4536	rundll32.exe
4536	rundll32.exe
4536	rundll32.exe
4536	rundll32.exe
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3392

pid	process
3392

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3392 wrote to memory of 4164	3392	PresentationSettings.exe
PID 3392 wrote to memory of 4164	3392	PresentationSettings.exe
PID 3392 wrote to memory of 8	3392	PresentationSettings.exe
PID 3392 wrote to memory of 8	3392	PresentationSettings.exe
PID 3392 wrote to memory of 1620	3392	SystemPropertiesPerformance.exe
PID 3392 wrote to memory of 1620	3392	SystemPropertiesPerformance.exe
PID 3392 wrote to memory of 3980	3392	SystemPropertiesPerformance.exe
PID 3392 wrote to memory of 3980	3392	SystemPropertiesPerformance.exe
PID 3392 wrote to memory of 2016	3392	dpapimig.exe
PID 3392 wrote to memory of 2016	3392	dpapimig.exe
PID 3392 wrote to memory of 5032	3392	dpapimig.exe
PID 3392 wrote to memory of 5032	3392	dpapimig.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\58e75416d4ee4a278611094fcb4415b3_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:4164

C:\Users\Admin\AppData\Local\n8drM\PresentationSettings.exe
C:\Users\Admin\AppData\Local\n8drM\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:8

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:1620

C:\Users\Admin\AppData\Local\lLTPiu\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\lLTPiu\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3980

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:2016

C:\Users\Admin\AppData\Local\jr3\dpapimig.exe
C:\Users\Admin\AppData\Local\jr3\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\jr3\DUI70.dll
Filesize
1.5MB

MD5
03121d5fac4215b394a0dc60eac9649d

SHA1
376213214912383263a20e873a4a2827ded9841e

SHA256
48782f50c94293d97c1b1f0b1263ea22a05d04ee13143654e9e17f9662d088c1

SHA512
e6f166e7e10d477f54c02f98ed075914783566bb308f2bf50ebbb2ae1bf1d43f2c3a46ef7f0869eeb8e1d9bec4313bd4679808fa882dc6b80811224f6579b974

Download Submit
C:\Users\Admin\AppData\Local\jr3\dpapimig.exe
Filesize
76KB

MD5
b6d6477a0c90a81624c6a8548026b4d0

SHA1
e6eac6941d27f76bbd306c2938c0a962dbf1ced1

SHA256
a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

SHA512
72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

Download Submit
C:\Users\Admin\AppData\Local\lLTPiu\SYSDM.CPL
Filesize
1.2MB

MD5
ab8a90d1fe987586b94cef859130500b

SHA1
bd3a2f5079196fd65cd7d361173594cd81d3cd20

SHA256
6e9fad5c0baa627a76ba85715d85883d776d90b744b0e7f405a708483a269488

SHA512
66fd333bf268ebb87efbb9ee9caa698928ee107f4fbbf972745b4b0030f59a11b27c1b6bd50cd4bca97dbc5c76f3738c4438c1d4a8db8cf0bea94f0bcdc435b6

Download Submit
C:\Users\Admin\AppData\Local\lLTPiu\SystemPropertiesPerformance.exe
Filesize
82KB

MD5
e4fbf7cab8669c7c9cef92205d2f2ffc

SHA1
adbfa782b7998720fa85678cc85863b961975e28

SHA256
b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

SHA512
c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

Download Submit
C:\Users\Admin\AppData\Local\n8drM\PresentationSettings.exe
Filesize
219KB

MD5
790799a168c41689849310f6c15f98fa

SHA1
a5d213fc1c71a56de9441b2e35411d83770c01ec

SHA256
6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

SHA512
8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

Download Submit
C:\Users\Admin\AppData\Local\n8drM\WINMM.dll
Filesize
1.2MB

MD5
3183533f6d70a8cc78408257ce4511a0

SHA1
cac8fe68fea57d1a8bcfcb81c06e810c6a32a2fe

SHA256
0649b39e108784cf05730b2c94bb6a63be6911e1af97a73f9d3f256f17079e96

SHA512
09a375bc2900dddb2dc5b7a1bc967446cad00bca949fab506ddc08fbe772ef12bbd6644dc422a6a91217dd9687cb876afc75077c343f8c3b14bb9a6f4f93869c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ymfrpxarx.lnk
Filesize
1008B

MD5
2bdd8ad7ceddd19f72ff21e5a0b69eee

SHA1
d9777a443cd2d5397feb0ea40cf15b1d1c5aca71

SHA256
440897a85ede2a14e0af68c6f35c8e314a4a70a9da323cab93ce1cc7787c04a4

SHA512
f6b9fb66e26288f72d22048bcff7742455e7c8896dd2720a1b0c120fb2a67687390694d261b2bce292f8de544c9e0537923ec5844c5b92b49ea5138112c2681c

Download Submit
memory/8-51-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/8-48-0x0000023B9D000000-0x0000023B9D007000-memory.dmp

Filesize
28KB

Download
memory/8-45-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3392-33-0x0000000000720000-0x0000000000727000-memory.dmp

Filesize
28KB

Download
memory/3392-34-0x00007FFE4F870000-0x00007FFE4F880000-memory.dmp

Filesize
64KB

Download
memory/3392-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3392-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3392-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3392-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3392-6-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3392-4-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/3392-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3392-32-0x00007FFE4D9BA000-0x00007FFE4D9BB000-memory.dmp

Filesize
4KB

Download
memory/3392-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3392-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3392-35-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3392-23-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3392-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3980-62-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3980-65-0x00000204670B0000-0x00000204670B7000-memory.dmp

Filesize
28KB

Download
memory/3980-68-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4536-0-0x00000264C27A0000-0x00000264C27A7000-memory.dmp

Filesize
28KB

Download
memory/4536-38-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4536-2-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5032-79-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/5032-82-0x000002CBAF200000-0x000002CBAF207000-memory.dmp

Filesize
28KB

Download
memory/5032-85-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads