dridex | 7dd7b193fae1ce9d142851e38ff19d708c6da88d4be7ed02407fad768020e631

General

Target

607eb1215586e6a11411e324c2172f2e_JaffaCakes118.dll
Size

990KB
MD5

607eb1215586e6a11411e324c2172f2e
SHA1

1f678077270f6c682a875589060123ad3eedebeb
SHA256

7dd7b193fae1ce9d142851e38ff19d708c6da88d4be7ed02407fad768020e631
SHA512

5e3de8f8ba5534f0788240f03033c3ed37b778602485f22e65a44ab17aadfa791dd79af327d91fcfaeea12993d4f3c3c70c2430babc8148975d8c92b035e03df
SSDEEP

24576:rVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:rV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3360-4-0x0000000002BA0000-0x0000000002BA1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mspaint.exeMusNotifyIcon.exeWMPDMC.exe

pid process

3060 mspaint.exe
4544 MusNotifyIcon.exe
2612 WMPDMC.exe
Loads dropped DLL 3 IoCs

Processes:

mspaint.exeMusNotifyIcon.exeWMPDMC.exe

pid process

3060 mspaint.exe
4544 MusNotifyIcon.exe
2612 WMPDMC.exe

pid	process
3060	mspaint.exe
4544	MusNotifyIcon.exe
2612	WMPDMC.exe

pid	process
3060	mspaint.exe
4544	MusNotifyIcon.exe
2612	WMPDMC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\QmDkati\\MUSNOT~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WMPDMC.exerundll32.exemspaint.exeMusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMPDMC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotifyIcon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
220	rundll32.exe
220	rundll32.exe
220	rundll32.exe
220	rundll32.exe
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3360 wrote to memory of 964	3360	mspaint.exe
PID 3360 wrote to memory of 964	3360	mspaint.exe
PID 3360 wrote to memory of 3060	3360	mspaint.exe
PID 3360 wrote to memory of 3060	3360	mspaint.exe
PID 3360 wrote to memory of 2324	3360	MusNotifyIcon.exe
PID 3360 wrote to memory of 2324	3360	MusNotifyIcon.exe
PID 3360 wrote to memory of 4544	3360	MusNotifyIcon.exe
PID 3360 wrote to memory of 4544	3360	MusNotifyIcon.exe
PID 3360 wrote to memory of 3568	3360	WMPDMC.exe
PID 3360 wrote to memory of 3568	3360	WMPDMC.exe
PID 3360 wrote to memory of 2612	3360	WMPDMC.exe
PID 3360 wrote to memory of 2612	3360	WMPDMC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\607eb1215586e6a11411e324c2172f2e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:220

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:964

C:\Users\Admin\AppData\Local\Bmu\mspaint.exe
C:\Users\Admin\AppData\Local\Bmu\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3060

C:\Windows\system32\MusNotifyIcon.exe
C:\Windows\system32\MusNotifyIcon.exe
1⤵
PID:2324

C:\Users\Admin\AppData\Local\jJMJ24G\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\jJMJ24G\MusNotifyIcon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4544

C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
1⤵
PID:3568

C:\Users\Admin\AppData\Local\KP4wUJPH\WMPDMC.exe
C:\Users\Admin\AppData\Local\KP4wUJPH\WMPDMC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bmu\WINMM.dll
Filesize
995KB

MD5
cb65c0221e90acf58b350ad9729192b5

SHA1
4c89de7b252913769b3d57b07693083bcae360c1

SHA256
d55f749edc4ff1e8e8d277f8eb6290c073723c7af2fe7d4cba1469b0d8beffff

SHA512
40d209a709402174615e22e558de7aba31ee3dd25bc078007cc754f45cc807615e3f72dadd7f661967a46dadd851b12577c3af91fcb5f3a6e1037ba7abff5f3e

Download Submit
C:\Users\Admin\AppData\Local\Bmu\mspaint.exe
Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Local\KP4wUJPH\WMPDMC.exe
Filesize
1.5MB

MD5
59ce6e554da0a622febce19eb61c4d34

SHA1
176a4a410cb97b3d4361d2aea0edbf17e15d04c7

SHA256
c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

SHA512
e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

Download Submit
C:\Users\Admin\AppData\Local\KP4wUJPH\dwmapi.dll
Filesize
992KB

MD5
0c011cca2440ce87b856c04f5f6f0bdc

SHA1
20e1eae741ebebe31c8ca77b9335106e38a81981

SHA256
2c571005d5e8ba19f937c94e9aa812e4c7bb307a0a37f45da9a55a6f6bd59638

SHA512
b91750ede4b71b5fffbeed48696b9a642e3bcec0734f5279bbb1e538ac72b81c6ae23e3347975c78c81a3a178ef722cd6ff6dff84685cbf99feb3c0c06b51fec

Download Submit
C:\Users\Admin\AppData\Local\jJMJ24G\MusNotifyIcon.exe
Filesize
629KB

MD5
c54b1a69a21e03b83ebb0aeb3758b6f7

SHA1
b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

SHA256
ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

SHA512
2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

Download Submit
C:\Users\Admin\AppData\Local\jJMJ24G\XmlLite.dll
Filesize
991KB

MD5
10263fe16aedc36ce044ab58f026efbc

SHA1
db2923138de3c93e979b03d099225d3f2d87b811

SHA256
27a1e8ac4c9706a517fa4f7a8f6c0920d59f1589464c9bf69cdf126d0519f647

SHA512
79a4ed5c425c5dcf11c707db491db08cb30c6bbf24e52d838cddff4ea35339378f574aadb773662e0aa40316afe7c96d5bd7a7ed52e79d644da5d7b7941ea373

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
Filesize
1KB

MD5
7a99c9a17ff30c2c89645a42949b4769

SHA1
7aba0b4ab98da36db4517ca86cf923d9b45ad56d

SHA256
5306d0a12e5dee0925dfa7e2742aa3f4ff8ffd7e24b53f761264908c2076bf8a

SHA512
3c7e7f2effd980ed9a213a19cf91b2c4ef02ba74055c0c6d4c665378fd158f3346edf14d00febb919db7e1fa78ad5aa6aa11d442fd07705ada7a42a00cf42ac1

Download Submit
memory/220-3-0x0000026C9FDE0000-0x0000026C9FDE7000-memory.dmp

Filesize
28KB

Download
memory/220-37-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/220-0-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2612-80-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3060-48-0x000001AFA08C0000-0x000001AFA08C7000-memory.dmp

Filesize
28KB

Download
memory/3060-45-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/3060-49-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/3360-30-0x0000000000D70000-0x0000000000D77000-memory.dmp

Filesize
28KB

Download
memory/3360-31-0x00007FF90D0F0000-0x00007FF90D100000-memory.dmp

Filesize
64KB

Download
memory/3360-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3360-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3360-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3360-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3360-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3360-23-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3360-34-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3360-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3360-4-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/3360-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3360-6-0x00007FF90CF9A000-0x00007FF90CF9B000-memory.dmp

Filesize
4KB

Download
memory/3360-14-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4544-64-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/4544-61-0x00000218D5940000-0x00000218D5947000-memory.dmp

Filesize
28KB

Download
memory/4544-58-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads