dridex | a983b4f3efef71b513a447fa124b681a89bdd34730546eb3947a6f9150e56bf1

General

Target

59030a0053095636e952e6f479962248_JaffaCakes118.dll
Size

986KB
MD5

59030a0053095636e952e6f479962248
SHA1

d924fec422651094b1a45249a74672aed3b86f7b
SHA256

a983b4f3efef71b513a447fa124b681a89bdd34730546eb3947a6f9150e56bf1
SHA512

a17ec8fabff350d831a8c41b0c430d181cff3f95b11f8b8ea05983bea566c59127cadfa3301b944e43e3869cf491303b3e46807b8d4b25ce52bfb4ce173b98a6
SSDEEP

24576:OVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:OV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3436-4-0x0000000002C90000-0x0000000002C91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

WMPDMC.exelpksetup.exeddodiag.exe

pid process

3952 WMPDMC.exe
4660 lpksetup.exe
4648 ddodiag.exe
Loads dropped DLL 3 IoCs

Processes:

WMPDMC.exelpksetup.exeddodiag.exe

pid process

3952 WMPDMC.exe
4660 lpksetup.exe
4648 ddodiag.exe

pid	process
3952	WMPDMC.exe
4660	lpksetup.exe
4648	ddodiag.exe

pid	process
3952	WMPDMC.exe
4660	lpksetup.exe
4648	ddodiag.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NwtFEc\\lpksetup.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ddodiag.exerundll32.exeWMPDMC.exelpksetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMPDMC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2064	rundll32.exe
2064	rundll32.exe
2064	rundll32.exe
2064	rundll32.exe
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3436 wrote to memory of 4632	3436	WMPDMC.exe
PID 3436 wrote to memory of 4632	3436	WMPDMC.exe
PID 3436 wrote to memory of 3952	3436	WMPDMC.exe
PID 3436 wrote to memory of 3952	3436	WMPDMC.exe
PID 3436 wrote to memory of 1540	3436	lpksetup.exe
PID 3436 wrote to memory of 1540	3436	lpksetup.exe
PID 3436 wrote to memory of 4660	3436	lpksetup.exe
PID 3436 wrote to memory of 4660	3436	lpksetup.exe
PID 3436 wrote to memory of 3500	3436	ddodiag.exe
PID 3436 wrote to memory of 3500	3436	ddodiag.exe
PID 3436 wrote to memory of 4648	3436	ddodiag.exe
PID 3436 wrote to memory of 4648	3436	ddodiag.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\59030a0053095636e952e6f479962248_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
1⤵
PID:4632

C:\Users\Admin\AppData\Local\kCk1lWxtE\WMPDMC.exe
C:\Users\Admin\AppData\Local\kCk1lWxtE\WMPDMC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3952

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:1540

C:\Users\Admin\AppData\Local\JnsLmms\lpksetup.exe
C:\Users\Admin\AppData\Local\JnsLmms\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4660

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:3500

C:\Users\Admin\AppData\Local\BTFsx\ddodiag.exe
C:\Users\Admin\AppData\Local\BTFsx\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BTFsx\XmlLite.dll
Filesize
987KB

MD5
2a58037c005cb07dde81b6dceb9e3d7c

SHA1
70a8cec946679bb2a8bac70c07172505cc79d8a2

SHA256
5024165cd57188071e1343e531ed3be70f5259eb5eaadb663feedb6ecc37b7fd

SHA512
79e79b1e6083f4deb515aea077e28479a100504d9373710269700a7c06c4d661bb7bd48700f3b7d54435cd6f608521e81835f4db668eaf97cff6e52c8e44045e

Download Submit
C:\Users\Admin\AppData\Local\BTFsx\ddodiag.exe
Filesize
39KB

MD5
85feee634a6aee90f0108e26d3d9bc1f

SHA1
a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

SHA256
99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

SHA512
b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

Download Submit
C:\Users\Admin\AppData\Local\JnsLmms\dpx.dll
Filesize
987KB

MD5
28776163ed2a6aa371202d4ef9d2544b

SHA1
c291d3328add1325a1c37f00c16c6d7246f4f200

SHA256
3b29b53eed3b4acf4881625e69825f2b0beead5f095d71c2f6f7ecb0a39223c2

SHA512
66e2d9dec1bf0cba1a78c7f11f55e619e383aea7ed2cd7a1920909553baf1349ef3aa8bb845a34c60bea3fb845569e3dc4c5775be0a5b29c5290ed67fe73a4b8

Download Submit
C:\Users\Admin\AppData\Local\JnsLmms\lpksetup.exe
Filesize
728KB

MD5
c75516a32e0aea02a184074d55d1a997

SHA1
f9396946c078f8b0f28e3a6e21a97eeece31d13f

SHA256
cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22

SHA512
92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

Download Submit
C:\Users\Admin\AppData\Local\kCk1lWxtE\WMPDMC.exe
Filesize
1.5MB

MD5
59ce6e554da0a622febce19eb61c4d34

SHA1
176a4a410cb97b3d4361d2aea0edbf17e15d04c7

SHA256
c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

SHA512
e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

Download Submit
C:\Users\Admin\AppData\Local\kCk1lWxtE\dwmapi.dll
Filesize
988KB

MD5
10553fc1c35f3351f981dc4702537123

SHA1
6b007c50cb3b57ad71680ca3938409e48e4581db

SHA256
eb84b19d09758bc92cb19b94223856c6ec0dd190dedbef882a6890006afdc03f

SHA512
57bf4ead262d6f845ba2ae894e5972c234518656296ebcdd0cbfee2c1d7e9554df14abf579266b379eb408554d05e3e9f484a34eb7bc6f69fcaa1da43adbc1b9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
Filesize
1KB

MD5
2ae9f0ccadf872d970bab4976b4c741e

SHA1
86c8d4450cf32df003ef2754671bd13f774af81d

SHA256
0a745bb7514cdc958423597c9ea9274a22d4c71cf09e6217d81a48ce6e1283ce

SHA512
0ab17fa9450b307f6858fc1aff1dba3a5caf8d45d0cf9696875dbdd0df6187f4e6c688a971dd8e8fc7aa79ed132d0ff882a5b09f096691017259d81a3caf481d

Download Submit
memory/2064-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2064-3-0x00000135B3170000-0x00000135B3177000-memory.dmp

Filesize
28KB

Download
memory/2064-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3436-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3436-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3436-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3436-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3436-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3436-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3436-32-0x0000000000FF0000-0x0000000000FF7000-memory.dmp

Filesize
28KB

Download
memory/3436-33-0x00007FFEA7A70000-0x00007FFEA7A80000-memory.dmp

Filesize
64KB

Download
memory/3436-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3436-6-0x00007FFEA669A000-0x00007FFEA669B000-memory.dmp

Filesize
4KB

Download
memory/3436-4-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/3436-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3436-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3436-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3952-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3952-47-0x0000015D3DFB0000-0x0000015D3DFB7000-memory.dmp

Filesize
28KB

Download
memory/3952-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4648-81-0x0000023441DD0000-0x0000023441DD7000-memory.dmp

Filesize
28KB

Download
memory/4648-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4660-64-0x00000214B8CD0000-0x00000214B8CD7000-memory.dmp

Filesize
28KB

Download
memory/4660-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads