dridex | 297c7231333dfd8841dd8c37626db80a13c92a61552feb5a8891cceddd5699c2

General

Target

6460847e42c5eabeb93e67fece6128f7_JaffaCakes118.dll
Size

990KB
MD5

6460847e42c5eabeb93e67fece6128f7
SHA1

196bd51b56ce2588c0a91e164585f34e0939c4d7
SHA256

297c7231333dfd8841dd8c37626db80a13c92a61552feb5a8891cceddd5699c2
SHA512

2d169daa0f73627fe19d537389497e6b5c98fb0dedfb28851a72fcaaaf5525662b5a5cdf85d7f92f72ad287f7eaf3e167363c4a132e52439e5ce808009636bd2
SSDEEP

24576:hVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:hV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3504-4-0x0000000002840000-0x0000000002841000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

Narrator.exeDevicePairingWizard.exeiexpress.exequickassist.exe

pid process

3960 Narrator.exe
2492 DevicePairingWizard.exe
4900 iexpress.exe
2004 quickassist.exe
Loads dropped DLL 3 IoCs

Processes:

DevicePairingWizard.exeiexpress.exequickassist.exe

pid process

2492 DevicePairingWizard.exe
4900 iexpress.exe
2004 quickassist.exe

pid	process
3960	Narrator.exe
2492	DevicePairingWizard.exe
4900	iexpress.exe
2004	quickassist.exe

pid	process
2492	DevicePairingWizard.exe
4900	iexpress.exe
2004	quickassist.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkwligutpbxhkv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\34NKO\\iexpress.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DevicePairingWizard.exeiexpress.exequickassist.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	quickassist.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4888	rundll32.exe
4888	rundll32.exe
4888	rundll32.exe
4888	rundll32.exe
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

description	pid	target process
PID 3504 wrote to memory of 4388	3504	Narrator.exe
PID 3504 wrote to memory of 4388	3504	Narrator.exe
PID 3504 wrote to memory of 4068	3504	DevicePairingWizard.exe
PID 3504 wrote to memory of 4068	3504	DevicePairingWizard.exe
PID 3504 wrote to memory of 2492	3504	DevicePairingWizard.exe
PID 3504 wrote to memory of 2492	3504	DevicePairingWizard.exe
PID 3504 wrote to memory of 4484	3504	iexpress.exe
PID 3504 wrote to memory of 4484	3504	iexpress.exe
PID 3504 wrote to memory of 4900	3504	iexpress.exe
PID 3504 wrote to memory of 4900	3504	iexpress.exe
PID 3504 wrote to memory of 1520	3504	quickassist.exe
PID 3504 wrote to memory of 1520	3504	quickassist.exe
PID 3504 wrote to memory of 2004	3504	quickassist.exe
PID 3504 wrote to memory of 2004	3504	quickassist.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6460847e42c5eabeb93e67fece6128f7_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4888

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:4388

C:\Users\Admin\AppData\Local\Iyn4unyWQ\Narrator.exe
C:\Users\Admin\AppData\Local\Iyn4unyWQ\Narrator.exe
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:4068

C:\Users\Admin\AppData\Local\4pVu67K6i\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\4pVu67K6i\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2492

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:4484

C:\Users\Admin\AppData\Local\FjduP\iexpress.exe
C:\Users\Admin\AppData\Local\FjduP\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4900

C:\Windows\system32\quickassist.exe
C:\Windows\system32\quickassist.exe
1⤵
PID:1520

C:\Users\Admin\AppData\Local\RlsQK\quickassist.exe
C:\Users\Admin\AppData\Local\RlsQK\quickassist.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4pVu67K6i\DevicePairingWizard.exe
Filesize
93KB

MD5
d0e40a5a0c7dad2d6e5040d7fbc37533

SHA1
b0eabbd37a97a1abcd90bd56394f5c45585699eb

SHA256
2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

SHA512
1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

Download Submit
C:\Users\Admin\AppData\Local\4pVu67K6i\MFC42u.dll
Filesize
1018KB

MD5
8920ff31c0c590b05fc9e703d9ac9567

SHA1
2a85b5ba8a4f1080e36d8f38c808256d95217dab

SHA256
0ec5959a2a6031b22f5e25c2473885d8864b8777c59a6a961bf72d392ed41e8e

SHA512
68793da2360ba2ccffddd07ba01fcebe52d4a1c3d18ca8e7475be5b9e3cb10341d7e94a3d3c8957c83fbbb96357cd245bfb647a20746be974d7ff7d49b5cdbac

Download Submit
C:\Users\Admin\AppData\Local\FjduP\VERSION.dll
Filesize
991KB

MD5
b960c92f407beb906ef07ebde7da69b2

SHA1
7a7a3335b96b180c495a409054f357eb35243cfd

SHA256
cb9ab166ca9560382cd13cb25056ca6c7bbef71ee6d56b99ee26579aadacf9e3

SHA512
bfa25d409cfb82a1e9506f7b900454ffbb3ee8023779d8c074999300d9e1ab2491ec38eb263ee830dfd5db79c58d888345e5b51657ab4bce4f710f150ec8d890

Download Submit
C:\Users\Admin\AppData\Local\FjduP\iexpress.exe
Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Local\Iyn4unyWQ\Narrator.exe
Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Local\RlsQK\UxTheme.dll
Filesize
993KB

MD5
7fdbd6bfecafa607235049e2d79ad5e9

SHA1
605cda612a2a167b46ffe3fb36c254ae16634770

SHA256
8b308f6ff0bac3113065115eaae0ba24f1d3431de05a3fbaac6677149d12c202

SHA512
ed8adb4bd4e5be6a19285e4a783231b356bac010d22972ba12c459562812438b178476fc3783773abc3d3b58c5a57ebcf5135023e24612cc60f0e95c594d3976

Download Submit
C:\Users\Admin\AppData\Local\RlsQK\quickassist.exe
Filesize
665KB

MD5
d1216f9b9a64fd943539cc2b0ddfa439

SHA1
6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

SHA256
c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

SHA512
c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zgbuverbplpthj.lnk
Filesize
1KB

MD5
63c3cfb0515e2e0c6fbbb38f48a93663

SHA1
080cdaf45f613d27d08a1ab7d8f58841e34c49e3

SHA256
e72a36968612a80032e206974e650e069d991cc94165b5280d4953bdd0216575

SHA512
169dc848bcb9c1c82f615f8a8c2b52ac188436b0b767f5fdef4adb8f3d4eccec019d02244937fceb79b58ed55d9701cb0edfb089eab3c93ad5c31abfec106ab8

Download Submit
memory/2004-91-0x000001F06CAA0000-0x000001F06CAA7000-memory.dmp

Filesize
28KB

Download
memory/2004-94-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2492-58-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/2492-55-0x0000015FAC430000-0x0000015FAC437000-memory.dmp

Filesize
28KB

Download
memory/2492-52-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3504-32-0x0000000000EB0000-0x0000000000EB7000-memory.dmp

Filesize
28KB

Download
memory/3504-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-4-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/3504-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-31-0x00007FFC7D63A000-0x00007FFC7D63B000-memory.dmp

Filesize
4KB

Download
memory/3504-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-33-0x00007FFC7D9F0000-0x00007FFC7DA00000-memory.dmp

Filesize
64KB

Download
memory/3504-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4888-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4888-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4888-3-0x0000026795560000-0x0000026795567000-memory.dmp

Filesize
28KB

Download
memory/4900-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4900-74-0x0000016E20040000-0x0000016E20047000-memory.dmp

Filesize
28KB

Download
memory/4900-71-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads