dridex | 1450515f58f4eb0b64380065b9b90072caec6d100c51dbf049b5c1a3ee44aa5c

General

Target

6122acd9d27d5bbb20b560bf1e1970b8_JaffaCakes118.dll
Size

1.3MB
MD5

6122acd9d27d5bbb20b560bf1e1970b8
SHA1

db4a42934bfa843a492d63f3bb0b3d5fb4862830
SHA256

1450515f58f4eb0b64380065b9b90072caec6d100c51dbf049b5c1a3ee44aa5c
SHA512

44016421b721b59d35f87b7719610e145825b1606acad2b166ab0893190a06646d7291ccaa117e6d6f1c3e4b61b474f1efa4cc9f98e7220fc3b097e6603b240b
SSDEEP

24576:xVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:xV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002E30000-0x0000000002E31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

iexpress.exemsconfig.exepsr.exe

pid process

2760 iexpress.exe
1028 msconfig.exe
2484 psr.exe
Loads dropped DLL 7 IoCs

Processes:

iexpress.exemsconfig.exepsr.exe

pid process

1196
2760 iexpress.exe
1196
1028 msconfig.exe
1196
2484 psr.exe
1196

pid	process
2760	iexpress.exe
1028	msconfig.exe
2484	psr.exe

pid	process
1196
2760	iexpress.exe
1196
1028	msconfig.exe
1196
2484	psr.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ybhspkdtbke = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\9EN46O1\\msconfig.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

iexpress.exemsconfig.exepsr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2864	regsvr32.exe
2864	regsvr32.exe
2864	regsvr32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2472	1196	iexpress.exe
PID 1196 wrote to memory of 2472	1196	iexpress.exe
PID 1196 wrote to memory of 2472	1196	iexpress.exe
PID 1196 wrote to memory of 2760	1196	iexpress.exe
PID 1196 wrote to memory of 2760	1196	iexpress.exe
PID 1196 wrote to memory of 2760	1196	iexpress.exe
PID 1196 wrote to memory of 2924	1196	msconfig.exe
PID 1196 wrote to memory of 2924	1196	msconfig.exe
PID 1196 wrote to memory of 2924	1196	msconfig.exe
PID 1196 wrote to memory of 1028	1196	msconfig.exe
PID 1196 wrote to memory of 1028	1196	msconfig.exe
PID 1196 wrote to memory of 1028	1196	msconfig.exe
PID 1196 wrote to memory of 2868	1196	psr.exe
PID 1196 wrote to memory of 2868	1196	psr.exe
PID 1196 wrote to memory of 2868	1196	psr.exe
PID 1196 wrote to memory of 2484	1196	psr.exe
PID 1196 wrote to memory of 2484	1196	psr.exe
PID 1196 wrote to memory of 2484	1196	psr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6122acd9d27d5bbb20b560bf1e1970b8_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2864

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2472

C:\Users\Admin\AppData\Local\9mpZSdGVg\iexpress.exe
C:\Users\Admin\AppData\Local\9mpZSdGVg\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2760

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2924

C:\Users\Admin\AppData\Local\OIAG\msconfig.exe
C:\Users\Admin\AppData\Local\OIAG\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1028

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:2868

C:\Users\Admin\AppData\Local\GWtexJ\psr.exe
C:\Users\Admin\AppData\Local\GWtexJ\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2484

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9mpZSdGVg\VERSION.dll
Filesize
1.3MB

MD5
5e499d441b92446f653cbe2261dc44f2

SHA1
5cb30af4543b7a6e0dc81de017b62d9677241688

SHA256
ee18299aba779e8b5358301b7f0fa5214050e93d76954a4071cf14e9ee7deb0f

SHA512
466c9d7abf681b28c8786e28f664e8c48bcc000147617f9da06bf67617193583beb3b29ebc2e6c735b6fe833be8c124f73aeb8db81550d3eb9d81493e8e07bb7

Download Submit
C:\Users\Admin\AppData\Local\GWtexJ\VERSION.dll
Filesize
1.3MB

MD5
18369a072734384701d9b63de3bedd9c

SHA1
a96569efabee69396911f15144481dff1d2d2518

SHA256
f794f737fe9140f827995d23ca37a511fcbee0cb9f33e767cc243e3821b4831e

SHA512
0832a5bb619304886fa67441d3b83759289351140b1f04d96f1bf671c4d7fe82d1eb4860391a841e172d581a63ea0425813e3231cef6a392662172e5fa0652a8

Download Submit
C:\Users\Admin\AppData\Local\OIAG\VERSION.dll
Filesize
1.3MB

MD5
c1eaea72782f603e12ce200e99b63c90

SHA1
3bb64988b21bdd1269c70272958faaaaf65798a1

SHA256
1f97179a7bf4d5964509a4fc6f6ba479bd3ddc5764117583504aa92fb4588703

SHA512
a57558babbdc2e57a2a2a4216ba4747041d4a91ff60ed6789fc96f1881ef0d162bfd3c8116e085c6a69137b9c67c080731a4523bac778d4dd61c9276c502b6eb

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
Filesize
706B

MD5
b9749c26987e2cd3b28504a757aa1f3f

SHA1
af974940fc6882000142ddcce200adfd813263fc

SHA256
9e8eb59053fec38e6454bf7d014194ea8a6a32bc951e62bac13d7e359bff3ce7

SHA512
59213daf63022f02aa5353737c8d38edb83cc5aa24bc1659c0e5d19bbdb6ba6bea587543a154b172a673f08c8e721fb9bace986d4bd37a3b8b377b2da3bfb442

Download Submit
\Users\Admin\AppData\Local\9mpZSdGVg\iexpress.exe
Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
\Users\Admin\AppData\Local\GWtexJ\psr.exe
Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
\Users\Admin\AppData\Local\OIAG\msconfig.exe
Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
memory/1028-75-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1028-72-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/1196-16-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1196-30-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/1196-12-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1196-27-0x0000000077671000-0x0000000077672000-memory.dmp

Filesize
4KB

Download
memory/1196-11-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1196-10-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1196-9-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1196-26-0x0000000002E10000-0x0000000002E17000-memory.dmp

Filesize
28KB

Download
memory/1196-25-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1196-33-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1196-34-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1196-4-0x0000000077466000-0x0000000077467000-memory.dmp

Filesize
4KB

Download
memory/1196-5-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/1196-13-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1196-8-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1196-7-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1196-14-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1196-61-0x0000000077466000-0x0000000077467000-memory.dmp

Filesize
4KB

Download
memory/1196-15-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2484-90-0x0000000000520000-0x0000000000527000-memory.dmp

Filesize
28KB

Download
memory/2484-93-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2760-56-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2760-50-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2760-53-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2864-0-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2864-42-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2864-2-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads