dridex | 955c85525dae7239e7014520cf100f59f9303ef86c9dcd3449d36673de364857

General

Target

60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
Size

144KB
MD5

60f308c539feac706dcd2c85831771cb
SHA1

862d8459c8114216aee8794282dc0cf457630c97
SHA256

955c85525dae7239e7014520cf100f59f9303ef86c9dcd3449d36673de364857
SHA512

ed08e61e2c1aa7659a9421dc963e047ed0ad89318388af50fbe46303cafa1d4962dee4fb97f54dc060a72b79faf6168c71158d6ffb924d7a6b4062fbb62a049b
SSDEEP

3072:Dlll3NCpoO6BfDbCgwF+a5p1n4eM2kXjSBGNREQW:DhocfDbC/Fr4PzSBGNRL

Score

10^/10

dridex botnet

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

4856 svchost.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

4608 net.exe

pid	process
4856	svchost.exe

pid	process
4608	net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

60f308c539feac706dcd2c85831771cb_JaffaCakes118.exesvchost.exe

pid	process
3176	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
3176	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
3176	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
3176	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
4856	svchost.exe
4856	svchost.exe
4856	svchost.exe
4856	svchost.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

whoami.exe

description	pid	process
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe
Token: SeDebugPrivilege	2800	whoami.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

60f308c539feac706dcd2c85831771cb_JaffaCakes118.exesvchost.exe

description	pid	process	target process
PID 3176 wrote to memory of 4856	3176	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	svchost.exe
PID 3176 wrote to memory of 4856	3176	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	svchost.exe
PID 3176 wrote to memory of 4856	3176	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	svchost.exe
PID 3176 wrote to memory of 4856	3176	60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe	svchost.exe
PID 4856 wrote to memory of 2800	4856	svchost.exe	whoami.exe
PID 4856 wrote to memory of 2800	4856	svchost.exe	whoami.exe
PID 4856 wrote to memory of 2800	4856	svchost.exe	whoami.exe
PID 4856 wrote to memory of 4608	4856	svchost.exe	net.exe
PID 4856 wrote to memory of 4608	4856	svchost.exe	net.exe
PID 4856 wrote to memory of 4608	4856	svchost.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\60f308c539feac706dcd2c85831771cb_JaffaCakes118.exe"
2⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
3⤵
- Discovers systems in the same network
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3176-1-0x0000000000B80000-0x0000000000B86000-memory.dmp

Filesize
24KB

Download
memory/3176-0-0x0000000000BB0000-0x0000000000BD5000-memory.dmp

Filesize
148KB

Download
memory/3176-2-0x0000000000BB0000-0x0000000000BD5000-memory.dmp

Filesize
148KB

Download
memory/4856-5-0x0000000076252000-0x0000000076253000-memory.dmp

Filesize
4KB

Download
memory/4856-3-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/4856-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4856-14-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4856-19-0x0000000076200000-0x00000000762F0000-memory.dmp

Filesize
960KB

Download
memory/4856-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4856-11-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4856-10-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4856-9-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4856-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4856-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4856-31-0x0000000076200000-0x00000000762F0000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads