dridex | 955c85525dae7239e7014520cf100f59f9303ef86c9dcd3449d36673de364857

General

Target

60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
Size

144KB
MD5

60f308c539feac706dcd2c85831771cb
SHA1

862d8459c8114216aee8794282dc0cf457630c97
SHA256

955c85525dae7239e7014520cf100f59f9303ef86c9dcd3449d36673de364857
SHA512

ed08e61e2c1aa7659a9421dc963e047ed0ad89318388af50fbe46303cafa1d4962dee4fb97f54dc060a72b79faf6168c71158d6ffb924d7a6b4062fbb62a049b
SSDEEP

3072:Dlll3NCpoO6BfDbCgwF+a5p1n4eM2kXjSBGNREQW:DhocfDbC/Fr4PzSBGNRL

Score

10^/10

dridex botnet

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Deletes itself 1 IoCs

pid	Process
2348	svchost.exe

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
2572	net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
2348	svchost.exe
2348	svchost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2348	1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2348	1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2348	1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2348	1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	29
PID 1972 wrote to memory of 2348	1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	29
PID 2348 wrote to memory of 2052	2348	svchost.exe	30
PID 2348 wrote to memory of 2052	2348	svchost.exe	30
PID 2348 wrote to memory of 2052	2348	svchost.exe	30
PID 2348 wrote to memory of 2052	2348	svchost.exe	30
PID 2348 wrote to memory of 2572	2348	svchost.exe	32
PID 2348 wrote to memory of 2572	2348	svchost.exe	32
PID 2348 wrote to memory of 2572	2348	svchost.exe	32
PID 2348 wrote to memory of 2572	2348	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\whoami.exe
    C:\Windows\system32\whoami.exe /all
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Windows\SysWOW64\net.exe
    C:\Windows\system32\net.exe view
    3⤵
    - Discovers systems in the same network
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-4-0x00000000001D0000-0x00000000001F5000-memory.dmp

Filesize
148KB

Download
memory/1972-1-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1972-0-0x00000000001D0000-0x00000000001F5000-memory.dmp

Filesize
148KB

Download
memory/2348-9-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-5-0x0000000076339000-0x000000007633A000-memory.dmp

Filesize
4KB

Download
memory/2348-8-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-2-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2348-7-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-6-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-13-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-12-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-11-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-18-0x00000000762B0000-0x00000000763C0000-memory.dmp

Filesize
1.1MB

Download
memory/2348-10-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing