dridex | 81f6d587116c671a4cdd471958be34ae4d7139d6cc8391630b1ea5f904fb3a82

General

Target

6a5077d2335c8edc593dcc30bd3568cb_JaffaCakes118.dll
Size

1.2MB
MD5

6a5077d2335c8edc593dcc30bd3568cb
SHA1

e7ab0416dfc603b1d26bad55ca03d7644035cef7
SHA256

81f6d587116c671a4cdd471958be34ae4d7139d6cc8391630b1ea5f904fb3a82
SHA512

acb915f6ea62c9ea7a9c709d5ec55eea6ade1602b49153f93f64640579c787a8e54a8eb4ca2fb00fc9f2be019c619ca411510069ac59594007fededce708cab6
SSDEEP

24576:cuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:U9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1188-5-0x0000000002550000-0x0000000002551000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

xpsrchvw.exeBitLockerWizardElev.exedpapimig.exe

pid process

2532 xpsrchvw.exe
2808 BitLockerWizardElev.exe
1356 dpapimig.exe
Loads dropped DLL 7 IoCs

Processes:

xpsrchvw.exeBitLockerWizardElev.exedpapimig.exe

pid process

1188
2532 xpsrchvw.exe
1188
2808 BitLockerWizardElev.exe
1188
1356 dpapimig.exe
1188

pid	process
2532	xpsrchvw.exe
2808	BitLockerWizardElev.exe
1356	dpapimig.exe

pid	process
1188
2532	xpsrchvw.exe
1188
2808	BitLockerWizardElev.exe
1188
1356	dpapimig.exe
1188

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\Q6iqZ5t\\BitLockerWizardElev.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exexpsrchvw.exeBitLockerWizardElev.exedpapimig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1188 wrote to memory of 2484	1188	xpsrchvw.exe
PID 1188 wrote to memory of 2484	1188	xpsrchvw.exe
PID 1188 wrote to memory of 2484	1188	xpsrchvw.exe
PID 1188 wrote to memory of 2532	1188	xpsrchvw.exe
PID 1188 wrote to memory of 2532	1188	xpsrchvw.exe
PID 1188 wrote to memory of 2532	1188	xpsrchvw.exe
PID 1188 wrote to memory of 2476	1188	BitLockerWizardElev.exe
PID 1188 wrote to memory of 2476	1188	BitLockerWizardElev.exe
PID 1188 wrote to memory of 2476	1188	BitLockerWizardElev.exe
PID 1188 wrote to memory of 2808	1188	BitLockerWizardElev.exe
PID 1188 wrote to memory of 2808	1188	BitLockerWizardElev.exe
PID 1188 wrote to memory of 2808	1188	BitLockerWizardElev.exe
PID 1188 wrote to memory of 1248	1188	dpapimig.exe
PID 1188 wrote to memory of 1248	1188	dpapimig.exe
PID 1188 wrote to memory of 1248	1188	dpapimig.exe
PID 1188 wrote to memory of 1356	1188	dpapimig.exe
PID 1188 wrote to memory of 1356	1188	dpapimig.exe
PID 1188 wrote to memory of 1356	1188	dpapimig.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a5077d2335c8edc593dcc30bd3568cb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1648

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:2484

C:\Users\Admin\AppData\Local\Dxt\xpsrchvw.exe
C:\Users\Admin\AppData\Local\Dxt\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2532

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:2476

C:\Users\Admin\AppData\Local\d3L\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\d3L\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2808

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:1248

C:\Users\Admin\AppData\Local\FDQ45\dpapimig.exe
C:\Users\Admin\AppData\Local\FDQ45\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1356

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Dxt\WINMM.dll
Filesize
1.2MB

MD5
81ca6de13f753ca3404f335b83ec8560

SHA1
2114d3f3ed79b6aecc6abe167bf9af523a5647b9

SHA256
a52ab51185b2032a50214357466118d51052980b32c1f1eb011751a8a5defe18

SHA512
8640ae124728582016594ca7d42e4b3e41300a142675f5446c6932c4f9d10aece5f251e78a84033c5fde50ca0d5a05c5fc7a13b72facb1c3182adf761ba2654b

Download Submit
C:\Users\Admin\AppData\Local\Dxt\xpsrchvw.exe
Filesize
4.6MB

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
C:\Users\Admin\AppData\Local\FDQ45\DUI70.dll
Filesize
1.4MB

MD5
3418bcb04dfd3a2ce999ca850899fc3e

SHA1
84979bc066ae669379061bed119aa33ea97d260c

SHA256
ebf4dea3b76a48307cb58741e36937d741b08305af077ac2193bd3d9724dbe99

SHA512
665191202f65bd06d472708d6716d21eaa88528b222ca01b7fb7d8a9697a8cb1ebe7079d54958ea21030b7f050eb0565bac92fbfd9c88cbe2004926d1da691ea

Download Submit
C:\Users\Admin\AppData\Local\FDQ45\dpapimig.exe
Filesize
73KB

MD5
0e8b8abea4e23ddc9a70614f3f651303

SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2

SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

Download Submit
C:\Users\Admin\AppData\Local\d3L\FVEWIZ.dll
Filesize
1.2MB

MD5
339204e24f08b234cba995210bbd24aa

SHA1
9683d8d1b2e90004956c97e00cc4448bfdb9d65b

SHA256
484fed115efed56cca0c9c5863e07dfcd40e8534e527574e685d4e996104cc67

SHA512
27d63e84a95f0606513c9bf25c00dc5f913992e47e03b6e8b021bcedb7955af6256badfb9c28f2974f3e608ac0e47360fc8b5c6faf92514be28a5cc1e39646f6

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
Filesize
1KB

MD5
c2eaef7a89244c1c613758a4fb78b15a

SHA1
902e5420eeff45eb5f08a3e647bc8469979a7a03

SHA256
03486edc224b0bd383c694c6b0d3aa8adc1ac095b14496b34b38a34343f2a905

SHA512
b5aa5d7c9cbd400647b865ecd04038c83dee26b807a004fb6e1a5e89d45174ba7dfafebac7bdcc481a4737a4e966c5c73886431472229f6c0945741fae5f0e82

Download Submit
\Users\Admin\AppData\Local\d3L\BitLockerWizardElev.exe
Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
memory/1188-29-0x0000000076DD1000-0x0000000076DD2000-memory.dmp

Filesize
4KB

Download
memory/1188-9-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-30-0x0000000076F60000-0x0000000076F62000-memory.dmp

Filesize
8KB

Download
memory/1188-4-0x0000000076BC6000-0x0000000076BC7000-memory.dmp

Filesize
4KB

Download
memory/1188-27-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-18-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-17-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-39-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-16-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-14-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-13-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-12-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-11-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-10-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-28-0x0000000002530000-0x0000000002537000-memory.dmp

Filesize
28KB

Download
memory/1188-40-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-5-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1188-19-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-15-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-77-0x0000000076BC6000-0x0000000076BC7000-memory.dmp

Filesize
4KB

Download
memory/1188-8-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1188-7-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1356-93-0x000007FEF5D40000-0x000007FEF5EA8000-memory.dmp

Filesize
1.4MB

Download
memory/1356-98-0x000007FEF5D40000-0x000007FEF5EA8000-memory.dmp

Filesize
1.4MB

Download
memory/1648-48-0x000007FEF5D70000-0x000007FEF5EA4000-memory.dmp

Filesize
1.2MB

Download
memory/1648-0-0x000007FEF5D70000-0x000007FEF5EA4000-memory.dmp

Filesize
1.2MB

Download
memory/1648-3-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/2532-62-0x000007FEF5D70000-0x000007FEF5EA6000-memory.dmp

Filesize
1.2MB

Download
memory/2532-59-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2532-56-0x000007FEF5D70000-0x000007FEF5EA6000-memory.dmp

Filesize
1.2MB

Download
memory/2808-74-0x000007FEF5D70000-0x000007FEF5EA5000-memory.dmp

Filesize
1.2MB

Download
memory/2808-78-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2808-81-0x000007FEF5D70000-0x000007FEF5EA5000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads