dridex | 955c85525dae7239e7014520cf100f59f9303ef86c9dcd3449d36673de364857

General

Target

60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
Size

144KB
MD5

60f308c539feac706dcd2c85831771cb
SHA1

862d8459c8114216aee8794282dc0cf457630c97
SHA256

955c85525dae7239e7014520cf100f59f9303ef86c9dcd3449d36673de364857
SHA512

ed08e61e2c1aa7659a9421dc963e047ed0ad89318388af50fbe46303cafa1d4962dee4fb97f54dc060a72b79faf6168c71158d6ffb924d7a6b4062fbb62a049b
SSDEEP

3072:Dlll3NCpoO6BfDbCgwF+a5p1n4eM2kXjSBGNREQW:DhocfDbC/Fr4PzSBGNRL

Score

10^/10

dridex botnet

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

2348 svchost.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

2572 net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

60f308c539feac706dcd2c85831771cb_JaffaCakes118.exesvchost.exe

pid process

1972 60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
1972 60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
2348 svchost.exe
2348 svchost.exe

pid	process
2348	svchost.exe

pid	process
2572	net.exe

pid	process
1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
2348	svchost.exe
2348	svchost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

whoami.exe

description	pid	process
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe
Token: SeDebugPrivilege	2052	whoami.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

60f308c539feac706dcd2c85831771cb_JaffaCakes118.exesvchost.exe

description	pid	process	target process
PID 1972 wrote to memory of 2348	1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	svchost.exe
PID 1972 wrote to memory of 2348	1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	svchost.exe
PID 1972 wrote to memory of 2348	1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	svchost.exe
PID 1972 wrote to memory of 2348	1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	svchost.exe
PID 1972 wrote to memory of 2348	1972	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	svchost.exe
PID 2348 wrote to memory of 2052	2348	svchost.exe	whoami.exe
PID 2348 wrote to memory of 2052	2348	svchost.exe	whoami.exe
PID 2348 wrote to memory of 2052	2348	svchost.exe	whoami.exe
PID 2348 wrote to memory of 2052	2348	svchost.exe	whoami.exe
PID 2348 wrote to memory of 2572	2348	svchost.exe	net.exe
PID 2348 wrote to memory of 2572	2348	svchost.exe	net.exe
PID 2348 wrote to memory of 2572	2348	svchost.exe	net.exe
PID 2348 wrote to memory of 2572	2348	svchost.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe"
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
3⤵
- Discovers systems in the same network
PID:2572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-4-0x00000000001D0000-0x00000000001F5000-memory.dmp

Filesize
148KB

Download
memory/1972-1-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1972-0-0x00000000001D0000-0x00000000001F5000-memory.dmp

Filesize
148KB

Download
memory/2348-9-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-5-0x0000000076339000-0x000000007633A000-memory.dmp

Filesize
4KB

Download
memory/2348-8-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-2-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2348-7-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-6-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-13-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-12-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-11-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download
memory/2348-18-0x00000000762B0000-0x00000000763C0000-memory.dmp

Filesize
1.1MB

Download
memory/2348-10-0x0000000001E50000-0x0000000001E75000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing