dridex | 81f6d587116c671a4cdd471958be34ae4d7139d6cc8391630b1ea5f904fb3a82

General

Target

6a5077d2335c8edc593dcc30bd3568cb_JaffaCakes118.dll
Size

1.2MB
MD5

6a5077d2335c8edc593dcc30bd3568cb
SHA1

e7ab0416dfc603b1d26bad55ca03d7644035cef7
SHA256

81f6d587116c671a4cdd471958be34ae4d7139d6cc8391630b1ea5f904fb3a82
SHA512

acb915f6ea62c9ea7a9c709d5ec55eea6ade1602b49153f93f64640579c787a8e54a8eb4ca2fb00fc9f2be019c619ca411510069ac59594007fededce708cab6
SSDEEP

24576:cuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:U9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3368-4-0x00000000030D0000-0x00000000030D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wscript.exerstrui.exeSystemPropertiesComputerName.exe

pid process

4164 wscript.exe
4608 rstrui.exe
616 SystemPropertiesComputerName.exe
Loads dropped DLL 3 IoCs

Processes:

wscript.exerstrui.exeSystemPropertiesComputerName.exe

pid process

4164 wscript.exe
4608 rstrui.exe
616 SystemPropertiesComputerName.exe

pid	process
4164	wscript.exe
4608	rstrui.exe
616	SystemPropertiesComputerName.exe

pid	process
4164	wscript.exe
4608	rstrui.exe
616	SystemPropertiesComputerName.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eeaxmqtu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\An2jTQ3Cd1H\\rstrui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wscript.exerstrui.exeSystemPropertiesComputerName.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368
3368

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368
Token: SeShutdownPrivilege	3368
Token: SeCreatePagefilePrivilege	3368

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3368

pid	process
3368

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3368 wrote to memory of 1744	3368	wscript.exe
PID 3368 wrote to memory of 1744	3368	wscript.exe
PID 3368 wrote to memory of 4164	3368	wscript.exe
PID 3368 wrote to memory of 4164	3368	wscript.exe
PID 3368 wrote to memory of 2168	3368	rstrui.exe
PID 3368 wrote to memory of 2168	3368	rstrui.exe
PID 3368 wrote to memory of 4608	3368	rstrui.exe
PID 3368 wrote to memory of 4608	3368	rstrui.exe
PID 3368 wrote to memory of 628	3368	SystemPropertiesComputerName.exe
PID 3368 wrote to memory of 628	3368	SystemPropertiesComputerName.exe
PID 3368 wrote to memory of 616	3368	SystemPropertiesComputerName.exe
PID 3368 wrote to memory of 616	3368	SystemPropertiesComputerName.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a5077d2335c8edc593dcc30bd3568cb_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3052

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:1744

C:\Users\Admin\AppData\Local\QZqqOFq\wscript.exe
C:\Users\Admin\AppData\Local\QZqqOFq\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4164

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:2168

C:\Users\Admin\AppData\Local\a9ujxbf\rstrui.exe
C:\Users\Admin\AppData\Local\a9ujxbf\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4608

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:628

C:\Users\Admin\AppData\Local\slHrV\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\slHrV\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QZqqOFq\VERSION.dll
Filesize
1.2MB

MD5
74c93365d526102d776f29b48766c989

SHA1
4c4fb66ce5333b194cb247e350bb88c058d8c3fc

SHA256
5b7c419ed8f82a3ed95702b145fbb349b9e23bd11a12a2ac05aeb6c4d1059b07

SHA512
e41e4769f7cda92f12adb5d0b00454682686c3f3d824ea99db4b21a4617a7941090a7b292f8146c7e9e813b2b9106376f964d03c05ee7e513109a5bbbc27eec0

Download Submit
C:\Users\Admin\AppData\Local\QZqqOFq\wscript.exe
Filesize
166KB

MD5
a47cbe969ea935bdd3ab568bb126bc80

SHA1
15f2facfd05daf46d2c63912916bf2887cebd98a

SHA256
34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

SHA512
f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

Download Submit
C:\Users\Admin\AppData\Local\a9ujxbf\SPP.dll
Filesize
1.2MB

MD5
cf06fb228a2f1694cffd2367fba1dd89

SHA1
3156bfdad2cffa0357dda6af84d376bb9c0ef400

SHA256
e06d469fbb56f9678a9784cb8dcd57ef7710afe415d092c1e9a0968f78763b1b

SHA512
ebdb1a0c683325b586dc6630f3dd452bcbd265627c927c63e12b045b55bfe478f8916daebd216d29f97e89251afb53d251ad9f1ae491fd75dc28487dbd4b627f

Download Submit
C:\Users\Admin\AppData\Local\a9ujxbf\rstrui.exe
Filesize
268KB

MD5
4cad10846e93e85790865d5c0ab6ffd9

SHA1
8a223f4bab28afa4c7ed630f29325563c5dcda1a

SHA256
9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

SHA512
c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

Download Submit
C:\Users\Admin\AppData\Local\slHrV\SYSDM.CPL
Filesize
1.2MB

MD5
c566dd329b183c64bb3512310fb8d391

SHA1
5d77cb1c2c31d37fdc9847c5750d41546ca6354e

SHA256
dc450085abc787fba198f034be10aac98e4a9d464795714ebe3de04f388a719d

SHA512
64c8af1702a72b8e28991561a47a63be255bc650b6fc7a51ccfa561fb45a076288d05a50612340528985e4776dacdba5822aace0939bad9465818b54a89c7274

Download Submit
C:\Users\Admin\AppData\Local\slHrV\SystemPropertiesComputerName.exe
Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rkjap.lnk
Filesize
1KB

MD5
1628d4304957b06b4376c4d47a9e1631

SHA1
8a9fd29cea6a6b0a39177ef19bde2a14e9f0ef5e

SHA256
ca8fbd5729bcf251d5f1f5d435e96963843ac56ae703be5b48260037c4bbaa1f

SHA512
b061f59b61250138eb6748a89fcd33c4f370f37519c0a94d98077dfde850fce379d015585ce9e89eb0ef008fd51b833157bc17f15846fa5676ed3e9e53bb9bb9

Download Submit
memory/616-88-0x00007FFD9DEB0000-0x00007FFD9DFE5000-memory.dmp

Filesize
1.2MB

Download
memory/616-85-0x00000298519B0000-0x00000298519B7000-memory.dmp

Filesize
28KB

Download
memory/3052-41-0x00007FFDADEA0000-0x00007FFDADFD4000-memory.dmp

Filesize
1.2MB

Download
memory/3052-3-0x000002D1A9D70000-0x000002D1A9D77000-memory.dmp

Filesize
28KB

Download
memory/3052-0-0x00007FFDADEA0000-0x00007FFDADFD4000-memory.dmp

Filesize
1.2MB

Download
memory/3368-35-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-17-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-13-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-12-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-11-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-10-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-9-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-8-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-7-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-16-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-18-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-14-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-4-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/3368-6-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-15-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-36-0x00007FFDBAEEA000-0x00007FFDBAEEB000-memory.dmp

Filesize
4KB

Download
memory/3368-40-0x00007FFDBC6F0000-0x00007FFDBC700000-memory.dmp

Filesize
64KB

Download
memory/3368-26-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3368-39-0x0000000003090000-0x0000000003097000-memory.dmp

Filesize
28KB

Download
memory/4164-54-0x00007FFD9DEB0000-0x00007FFD9DFE5000-memory.dmp

Filesize
1.2MB

Download
memory/4164-49-0x00007FFD9DEB0000-0x00007FFD9DFE5000-memory.dmp

Filesize
1.2MB

Download
memory/4164-48-0x00000255F4C80000-0x00000255F4C87000-memory.dmp

Filesize
28KB

Download
memory/4608-71-0x00007FFD9DEB0000-0x00007FFD9DFE5000-memory.dmp

Filesize
1.2MB

Download
memory/4608-66-0x0000025DDB790000-0x0000025DDB797000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads