dridex | 1583c51d887d2afe8d31227c64761ed559c6ea6e40fe1ab4f405eecd23186215

General

Target

67dfdc85c0e897820cc793be43f93d68_JaffaCakes118.dll
Size

989KB
MD5

67dfdc85c0e897820cc793be43f93d68
SHA1

4f6aac677ab2e91a13d570e2db2832c44b064212
SHA256

1583c51d887d2afe8d31227c64761ed559c6ea6e40fe1ab4f405eecd23186215
SHA512

712df35fa47efb0a6b10076c4e5e9e1b187732acad7335ba678c770d96c966e661da11512ad4fa9910ab6fe2d4d5a44169da2e8b311c60dc51a2c6191912b2f3
SSDEEP

24576:QVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:QV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3412-4-0x0000000008100000-0x0000000008101000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sigverif.exeApplicationFrameHost.exeUtilman.exe

pid process

1028 sigverif.exe
4632 ApplicationFrameHost.exe
2700 Utilman.exe
Loads dropped DLL 3 IoCs

Processes:

sigverif.exeApplicationFrameHost.exeUtilman.exe

pid process

1028 sigverif.exe
4632 ApplicationFrameHost.exe
2700 Utilman.exe

pid	process
1028	sigverif.exe
4632	ApplicationFrameHost.exe
2700	Utilman.exe

pid	process
1028	sigverif.exe
4632	ApplicationFrameHost.exe
2700	Utilman.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Welddizcvtwl = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\Fy5SBdY\\ApplicationFrameHost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesigverif.exeApplicationFrameHost.exeUtilman.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplicationFrameHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3492	rundll32.exe
3492	rundll32.exe
3492	rundll32.exe
3492	rundll32.exe
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412
Token: SeShutdownPrivilege	3412
Token: SeCreatePagefilePrivilege	3412

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3412
3412
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3412

pid	process
3412
3412

pid	process
3412

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3412 wrote to memory of 4664	3412	sigverif.exe
PID 3412 wrote to memory of 4664	3412	sigverif.exe
PID 3412 wrote to memory of 1028	3412	sigverif.exe
PID 3412 wrote to memory of 1028	3412	sigverif.exe
PID 3412 wrote to memory of 4760	3412	ApplicationFrameHost.exe
PID 3412 wrote to memory of 4760	3412	ApplicationFrameHost.exe
PID 3412 wrote to memory of 4632	3412	ApplicationFrameHost.exe
PID 3412 wrote to memory of 4632	3412	ApplicationFrameHost.exe
PID 3412 wrote to memory of 4836	3412	Utilman.exe
PID 3412 wrote to memory of 4836	3412	Utilman.exe
PID 3412 wrote to memory of 2700	3412	Utilman.exe
PID 3412 wrote to memory of 2700	3412	Utilman.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\67dfdc85c0e897820cc793be43f93d68_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:4664

C:\Users\Admin\AppData\Local\3gCXKRyr\sigverif.exe
C:\Users\Admin\AppData\Local\3gCXKRyr\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1028

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:4760

C:\Users\Admin\AppData\Local\wYaBsgEI\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\wYaBsgEI\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4632

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:4836

C:\Users\Admin\AppData\Local\k8jpIZjp\Utilman.exe
C:\Users\Admin\AppData\Local\k8jpIZjp\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3gCXKRyr\VERSION.dll
Filesize
990KB

MD5
7b96feb2081eff66c2eaf584b1b5bad9

SHA1
f7789f0d2f6d15da769d45952e4c333259f8c0de

SHA256
d67444b6f10dc6bc08e01e5929d73813f892bc1d5ec7689f15b1ac0ecf0f57e1

SHA512
bacf3e4787e0f164d09ce9ee063d9e7d9b1a876ad301f336d77dcbd46a5da1d23a032ab4a539475f3490cb83a154ae24431b9076436353b13383b8d25390f8fd

Download Submit
C:\Users\Admin\AppData\Local\3gCXKRyr\sigverif.exe
Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Local\k8jpIZjp\DUI70.dll
Filesize
1.2MB

MD5
c8c22131a0e1fbd5cef5bbb60a271f53

SHA1
428358d74a51d3eedb3dc8455e9a13834cea3dcc

SHA256
69180c1ff7a4bb33fa90d534c72549284ed7ef21ce3750cfaf8f2e85e3822ea2

SHA512
042d6871241a4fcc6e9f0e5b33bbf225bcf29f091ef4ba2ac90ba595142a4740ef6c31e445a56e1c4985998fbc82ecd55886dfef51d7bc7fbad3825ac5479ccf

Download Submit
C:\Users\Admin\AppData\Local\k8jpIZjp\Utilman.exe
Filesize
123KB

MD5
a117edc0e74ab4770acf7f7e86e573f7

SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Download Submit
C:\Users\Admin\AppData\Local\wYaBsgEI\ApplicationFrameHost.exe
Filesize
76KB

MD5
d58a8a987a8dafad9dc32a548cc061e7

SHA1
f79fc9e0ab066cad530b949c2153c532a5223156

SHA256
cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

SHA512
93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Download Submit
C:\Users\Admin\AppData\Local\wYaBsgEI\dxgi.dll
Filesize
990KB

MD5
f283a633e13f63d31741a183da47a928

SHA1
8cabc3a8c391a556bcefbce25f629ce1bf38ba02

SHA256
83ce4324454abdf9156dbbe0f7ae378132061e1264131c8df4ffa987be3ea815

SHA512
f445d44070e1397a0e2a2dc4584ca2d2ab3529cbed273e92bdca43e90be216e4fc132f4551aa355065305361d9ba3850b5907e37a6c9ee0ed7be2b594c17d990

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hjyomsugwtoazg.lnk
Filesize
1KB

MD5
1c21c2e868bd41b16f16cf15c72c485b

SHA1
595aca557491192af54b97d12b54ce938117cd80

SHA256
03e4505796f10682d46b5c981ffdff5739bfc18359146d052ead5af5ab0d2a61

SHA512
1ea98cf5d697800a048811e0ec6d671a3e82313cd22ab6b3ba5fbf3758222c5f3ec3f83269709c95c0ed981b45181900473efa9b44f38a7ecb0cd13a74365756

Download Submit
memory/1028-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1028-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1028-47-0x000001B5FB160000-0x000001B5FB167000-memory.dmp

Filesize
28KB

Download
memory/2700-84-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2700-79-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2700-78-0x00000226F8970000-0x00000226F8977000-memory.dmp

Filesize
28KB

Download
memory/3412-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3412-25-0x00007FFC693B0000-0x00007FFC693C0000-memory.dmp

Filesize
64KB

Download
memory/3412-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3412-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3412-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3412-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3412-24-0x00000000080E0000-0x00000000080E7000-memory.dmp

Filesize
28KB

Download
memory/3412-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3412-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3412-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3412-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3412-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3412-4-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/3412-6-0x00007FFC6799A000-0x00007FFC6799B000-memory.dmp

Filesize
4KB

Download
memory/3492-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3492-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3492-3-0x000002003A560000-0x000002003A567000-memory.dmp

Filesize
28KB

Download
memory/4632-64-0x00000215331F0000-0x00000215331F7000-memory.dmp

Filesize
28KB

Download
memory/4632-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads