dridex | a983b4f3efef71b513a447fa124b681a89bdd34730546eb3947a6f9150e56bf1

General

Target

59030a0053095636e952e6f479962248_JaffaCakes118.dll
Size

986KB
MD5

59030a0053095636e952e6f479962248
SHA1

d924fec422651094b1a45249a74672aed3b86f7b
SHA256

a983b4f3efef71b513a447fa124b681a89bdd34730546eb3947a6f9150e56bf1
SHA512

a17ec8fabff350d831a8c41b0c430d181cff3f95b11f8b8ea05983bea566c59127cadfa3301b944e43e3869cf491303b3e46807b8d4b25ce52bfb4ce173b98a6
SSDEEP

24576:OVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:OV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1372-5-0x0000000002A30000-0x0000000002A31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wscript.exepsr.exePresentationSettings.exe

pid process

2456 wscript.exe
2952 psr.exe
1904 PresentationSettings.exe
Loads dropped DLL 8 IoCs

Processes:

wscript.exepsr.exePresentationSettings.exe

pid process

1372
1372
2456 wscript.exe
1372
2952 psr.exe
1372
1904 PresentationSettings.exe
1372

pid	process
2456	wscript.exe
2952	psr.exe
1904	PresentationSettings.exe

pid	process
1372
1372
2456	wscript.exe
1372
2952	psr.exe
1372
1904	PresentationSettings.exe
1372

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\4NOHrpN\\psr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewscript.exepsr.exePresentationSettings.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2960	rundll32.exe
2960	rundll32.exe
2960	rundll32.exe
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1372 wrote to memory of 2684	1372	wscript.exe
PID 1372 wrote to memory of 2684	1372	wscript.exe
PID 1372 wrote to memory of 2684	1372	wscript.exe
PID 1372 wrote to memory of 2456	1372	wscript.exe
PID 1372 wrote to memory of 2456	1372	wscript.exe
PID 1372 wrote to memory of 2456	1372	wscript.exe
PID 1372 wrote to memory of 2484	1372	psr.exe
PID 1372 wrote to memory of 2484	1372	psr.exe
PID 1372 wrote to memory of 2484	1372	psr.exe
PID 1372 wrote to memory of 2952	1372	psr.exe
PID 1372 wrote to memory of 2952	1372	psr.exe
PID 1372 wrote to memory of 2952	1372	psr.exe
PID 1372 wrote to memory of 2500	1372	PresentationSettings.exe
PID 1372 wrote to memory of 2500	1372	PresentationSettings.exe
PID 1372 wrote to memory of 2500	1372	PresentationSettings.exe
PID 1372 wrote to memory of 1904	1372	PresentationSettings.exe
PID 1372 wrote to memory of 1904	1372	PresentationSettings.exe
PID 1372 wrote to memory of 1904	1372	PresentationSettings.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\59030a0053095636e952e6f479962248_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2960

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:2684

C:\Users\Admin\AppData\Local\0KW\wscript.exe
C:\Users\Admin\AppData\Local\0KW\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2456

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:2484

C:\Users\Admin\AppData\Local\fVUsZkqK\psr.exe
C:\Users\Admin\AppData\Local\fVUsZkqK\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2952

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:2500

C:\Users\Admin\AppData\Local\HnVZs1W\PresentationSettings.exe
C:\Users\Admin\AppData\Local\HnVZs1W\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1904

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0KW\VERSION.dll
Filesize
987KB

MD5
8e4fbfc09522efacfd9ac4bf67d95261

SHA1
17234bd3de32f009c3074181a11af11e14e3b8b7

SHA256
01e7dcc06759e2ce14f6ec0e1cff9ed0deff2e8ce4d305247c8a05d004f18e1f

SHA512
d64f4c418ba307da1f28b1139898b1861246cf47468a21c3fda6f466ed1525505b563eb8be53bb9f0ed355ead4fc8526c9100c6637890c50b3a613b128b75c6f

Download Submit
C:\Users\Admin\AppData\Local\HnVZs1W\PresentationSettings.exe
Filesize
172KB

MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
C:\Users\Admin\AppData\Local\HnVZs1W\WINMM.dll
Filesize
991KB

MD5
2bc550df9d0bcd598026148c5b186471

SHA1
99ae2aafb2639e9b2b781914401983ec76758c50

SHA256
1405119c47eb82d71fb425ba42a38d3f676f900902b00d6219f7d916634bd99a

SHA512
e2e571d4b70c05969563641897f862801c8bf782ded9517a242c1296fe9398411b993a961062f11d61356a9272e4a97e7d25519fa2d1e18e0d7d1e5f5fbd0394

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
Filesize
971B

MD5
dcbc566d59d56defb4a4a44e335370f3

SHA1
1d4471a08bdb489b20869a88a7a7f76d5c4a5217

SHA256
04ee976c841da67c8ed3d382c7b6b38c4559e6132b523303e26192ac2cf040bc

SHA512
eb0702076759c3f7f43b1872af0f2f7ba8f5bfe2fcf07c027bb7c36e6f47079efad02ca81d5f05dec931de50ad965d009cebd590c01be1bf22dfb99155306fcd

Download Submit
\Users\Admin\AppData\Local\0KW\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\fVUsZkqK\OLEACC.dll
Filesize
987KB

MD5
64b8729f6bcfcde864140f773781263a

SHA1
72953c2da08a08dc8ad28d9ad4afecd3f2becc1f

SHA256
0f1f212001be9eb45e67cbd0b9e7621888bb52da3230cde0dae0d9d1e81d8dba

SHA512
5fa787ed777bff49cf4b34a7fe7d5742572f4ec39b8cb0ab16f1087870b74eab3018dcfe085aaa06cf9a4ca7b5bcc8f3d1182f9d613339020020f325e8776373

Download Submit
\Users\Admin\AppData\Local\fVUsZkqK\psr.exe
Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
memory/1372-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1372-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1372-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1372-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1372-28-0x0000000077D70000-0x0000000077D72000-memory.dmp

Filesize
8KB

Download
memory/1372-27-0x0000000077BE1000-0x0000000077BE2000-memory.dmp

Filesize
4KB

Download
memory/1372-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1372-24-0x0000000002A10000-0x0000000002A17000-memory.dmp

Filesize
28KB

Download
memory/1372-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1372-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1372-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1372-4-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

Filesize
4KB

Download
memory/1372-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1372-5-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1372-76-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

Filesize
4KB

Download
memory/1372-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1372-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1904-92-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/1904-93-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1904-98-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2456-61-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2456-56-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2456-55-0x0000000001E80000-0x0000000001E87000-memory.dmp

Filesize
28KB

Download
memory/2952-77-0x0000000000710000-0x0000000000717000-memory.dmp

Filesize
28KB

Download
memory/2952-80-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2960-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2960-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2960-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads