dridex | 297c7231333dfd8841dd8c37626db80a13c92a61552feb5a8891cceddd5699c2

General

Target

6460847e42c5eabeb93e67fece6128f7_JaffaCakes118.dll
Size

990KB
MD5

6460847e42c5eabeb93e67fece6128f7
SHA1

196bd51b56ce2588c0a91e164585f34e0939c4d7
SHA256

297c7231333dfd8841dd8c37626db80a13c92a61552feb5a8891cceddd5699c2
SHA512

2d169daa0f73627fe19d537389497e6b5c98fb0dedfb28851a72fcaaaf5525662b5a5cdf85d7f92f72ad287f7eaf3e167363c4a132e52439e5ce808009636bd2
SSDEEP

24576:hVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:hV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1188-5-0x0000000002550000-0x0000000002551000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dwm.exefveprompt.exeBitLockerWizardElev.exe

pid process

2500 dwm.exe
1800 fveprompt.exe
2376 BitLockerWizardElev.exe
Loads dropped DLL 7 IoCs

Processes:

dwm.exefveprompt.exeBitLockerWizardElev.exe

pid process

1188
2500 dwm.exe
1188
1800 fveprompt.exe
1188
2376 BitLockerWizardElev.exe
1188

pid	process
2500	dwm.exe
1800	fveprompt.exe
2376	BitLockerWizardElev.exe

pid	process
1188
2500	dwm.exe
1188
1800	fveprompt.exe
1188
2376	BitLockerWizardElev.exe
1188

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\sWA2NiS\\fveprompt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exefveprompt.exeBitLockerWizardElev.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1188 wrote to memory of 2664	1188	dwm.exe
PID 1188 wrote to memory of 2664	1188	dwm.exe
PID 1188 wrote to memory of 2664	1188	dwm.exe
PID 1188 wrote to memory of 2500	1188	dwm.exe
PID 1188 wrote to memory of 2500	1188	dwm.exe
PID 1188 wrote to memory of 2500	1188	dwm.exe
PID 1188 wrote to memory of 1324	1188	fveprompt.exe
PID 1188 wrote to memory of 1324	1188	fveprompt.exe
PID 1188 wrote to memory of 1324	1188	fveprompt.exe
PID 1188 wrote to memory of 1800	1188	fveprompt.exe
PID 1188 wrote to memory of 1800	1188	fveprompt.exe
PID 1188 wrote to memory of 1800	1188	fveprompt.exe
PID 1188 wrote to memory of 1836	1188	BitLockerWizardElev.exe
PID 1188 wrote to memory of 1836	1188	BitLockerWizardElev.exe
PID 1188 wrote to memory of 1836	1188	BitLockerWizardElev.exe
PID 1188 wrote to memory of 2376	1188	BitLockerWizardElev.exe
PID 1188 wrote to memory of 2376	1188	BitLockerWizardElev.exe
PID 1188 wrote to memory of 2376	1188	BitLockerWizardElev.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6460847e42c5eabeb93e67fece6128f7_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1648

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:2664

C:\Users\Admin\AppData\Local\NiH7\dwm.exe
C:\Users\Admin\AppData\Local\NiH7\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2500

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:1324

C:\Users\Admin\AppData\Local\eaenLR\fveprompt.exe
C:\Users\Admin\AppData\Local\eaenLR\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1800

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:1836

C:\Users\Admin\AppData\Local\9oQtQO\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\9oQtQO\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2376

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9oQtQO\FVEWIZ.dll
Filesize
992KB

MD5
7c907bf7678f96c049b3096d138c5270

SHA1
3546b0f2e890a29ed57e09f02992979048223fdc

SHA256
2e1b2df37dcfcd728fd7c9640fb2c13d71dee39df647f87e0a9fe7de6b323279

SHA512
e64107e3c22b69b478e5c779c9e0e73114acbf55d62bc76b9d446d5d8075b3c6f8a2e81e3e292273369c543ba201b161e1e6347fae08bce584f8b67300d99f5d

Download Submit
C:\Users\Admin\AppData\Local\NiH7\UxTheme.dll
Filesize
993KB

MD5
7518351b0ed7c98bd68ea7fdde0bce38

SHA1
891a873b818fea98f40a24d9e45172355b00241c

SHA256
32f6a7ee2b03ac6e871d2456c305de80ce6ec6eb172de9a1306499ba8c42f3b6

SHA512
8ad3ab2c6e88293485d19b5e4ba4c4cc4bfc0acb79534dd8772a87edea2bd593c31645323891d91d8db93cbd265f8cdca4c153420e09e8fb2ace7f919c12db5d

Download Submit
C:\Users\Admin\AppData\Local\eaenLR\slc.dll
Filesize
992KB

MD5
5831e474979b007d8f92590eb184d949

SHA1
a3c00574c827625db577dbecf666d25b6a3e6427

SHA256
83a6f464134f4b28ac3720749de15814e725cd6ca15112a6bb741979c0a0428f

SHA512
31b7be3abfcfabe5051b132f5734e5e404284f88f071a2d45a037f0cca0b7ea0bcf076d41455cdeffe82d00fcc59ef5dbb4b69cd3768c963537059c1d5a86b7b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
Filesize
1KB

MD5
2cda9cc787cf91474be69ef972646c36

SHA1
013b37d71cb329ab886f2271c09ef7eb2fd3b9ca

SHA256
7f262bdf09cfc9b755a5ff62c4d23943cc5adc4c8bf536229afa23f9d7677810

SHA512
6c65550f35437d07aebffa4ef5e0ec91dba888f397727b4aae0108d248c9e8fadab1e4c3695f9b985dedbbeadbd255de412d72d1e6331e4bc4a22b9e1f458fd0

Download Submit
\Users\Admin\AppData\Local\9oQtQO\BitLockerWizardElev.exe
Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
\Users\Admin\AppData\Local\NiH7\dwm.exe
Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
\Users\Admin\AppData\Local\eaenLR\fveprompt.exe
Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
memory/1188-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1188-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1188-25-0x0000000076DD1000-0x0000000076DD2000-memory.dmp

Filesize
4KB

Download
memory/1188-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1188-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1188-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1188-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1188-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1188-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1188-4-0x0000000076BC6000-0x0000000076BC7000-memory.dmp

Filesize
4KB

Download
memory/1188-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1188-5-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1188-24-0x0000000002530000-0x0000000002537000-memory.dmp

Filesize
28KB

Download
memory/1188-28-0x0000000076F60000-0x0000000076F62000-memory.dmp

Filesize
8KB

Download
memory/1188-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1188-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1188-60-0x0000000076BC6000-0x0000000076BC7000-memory.dmp

Filesize
4KB

Download
memory/1648-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1648-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1648-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/1800-71-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1800-74-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2376-89-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2376-92-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2500-57-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2500-55-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2500-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads