dridex | 29acca7bc56a613ab6050dc39976f8dab90d3db95730dd08573dd5cba29366c6

General

Target

6a455e38d08eeb77d0b4a7114aed1d2a_JaffaCakes118.dll
Size

1.2MB
MD5

6a455e38d08eeb77d0b4a7114aed1d2a
SHA1

1cac68762f6c3051a28acb5e7319f01048783f9f
SHA256

29acca7bc56a613ab6050dc39976f8dab90d3db95730dd08573dd5cba29366c6
SHA512

645aad07a9e27cb5defc8aa4c588393207a89e013c0bfd4756365ea8db09d15f504529b67d941b3723ccba58df2c507f940aff750b8e07021d05cee440ed7980
SSDEEP

24576:7uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:l9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1256-5-0x0000000002A50000-0x0000000002A51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

WFS.exeSystemPropertiesRemote.exetaskmgr.exe

pid process

2556 WFS.exe
1700 SystemPropertiesRemote.exe
2860 taskmgr.exe
Loads dropped DLL 7 IoCs

Processes:

WFS.exeSystemPropertiesRemote.exetaskmgr.exe

pid process

1256
2556 WFS.exe
1256
1700 SystemPropertiesRemote.exe
1256
2860 taskmgr.exe
1256

pid	process
2556	WFS.exe
1700	SystemPropertiesRemote.exe
2860	taskmgr.exe

pid	process
1256
2556	WFS.exe
1256
1700	SystemPropertiesRemote.exe
1256
2860	taskmgr.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ybhspkdtbke = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{45E326BF-F8A0-4351-9E0C-6D4A9315502F}\\gkqEy4Jn\\SystemPropertiesRemote.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeWFS.exeSystemPropertiesRemote.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1712	rundll32.exe
1712	rundll32.exe
1712	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 2608	1256	WFS.exe
PID 1256 wrote to memory of 2608	1256	WFS.exe
PID 1256 wrote to memory of 2608	1256	WFS.exe
PID 1256 wrote to memory of 2556	1256	WFS.exe
PID 1256 wrote to memory of 2556	1256	WFS.exe
PID 1256 wrote to memory of 2556	1256	WFS.exe
PID 1256 wrote to memory of 2396	1256	SystemPropertiesRemote.exe
PID 1256 wrote to memory of 2396	1256	SystemPropertiesRemote.exe
PID 1256 wrote to memory of 2396	1256	SystemPropertiesRemote.exe
PID 1256 wrote to memory of 1700	1256	SystemPropertiesRemote.exe
PID 1256 wrote to memory of 1700	1256	SystemPropertiesRemote.exe
PID 1256 wrote to memory of 1700	1256	SystemPropertiesRemote.exe
PID 1256 wrote to memory of 2748	1256	taskmgr.exe
PID 1256 wrote to memory of 2748	1256	taskmgr.exe
PID 1256 wrote to memory of 2748	1256	taskmgr.exe
PID 1256 wrote to memory of 2860	1256	taskmgr.exe
PID 1256 wrote to memory of 2860	1256	taskmgr.exe
PID 1256 wrote to memory of 2860	1256	taskmgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a455e38d08eeb77d0b4a7114aed1d2a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:2608

C:\Users\Admin\AppData\Local\hMl\WFS.exe
C:\Users\Admin\AppData\Local\hMl\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2556

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2396

C:\Users\Admin\AppData\Local\9Zfb3Qe\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\9Zfb3Qe\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1700

C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
1⤵
PID:2748

C:\Users\Admin\AppData\Local\pxOkfBRY\taskmgr.exe
C:\Users\Admin\AppData\Local\pxOkfBRY\taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2860

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9Zfb3Qe\SYSDM.CPL
Filesize
1.2MB

MD5
2a553c4da174ec84ebaeaa810e2355de

SHA1
74cc3a3738401f6863f7714a562e20ae373550d0

SHA256
d2b0bb8db9854d65c75e50d3497dfadae5600fd0602dfc337612931ab0753358

SHA512
2b5ef76dd617f0732f1ad17a1765e2a456163d4c893dbd7d07fbea0a3d890cb0580989565f0ea705be0ff7842e4294df663f1a41a295ab94f4b25afa0a4b00f2

Download Submit
C:\Users\Admin\AppData\Local\pxOkfBRY\UxTheme.dll
Filesize
1.2MB

MD5
a924282fa96125e60804f1854397588b

SHA1
f430dc60fa7a84e2f67060fec0a208a79a6233ab

SHA256
ca04738374fceb473857730f9cab9cf522b38c5a4f8bb6b00cc34d33b65b3a20

SHA512
cb61f1d73e99ed5e6f2de4684f69288f872847cc54ac9bdb5a74972e09b99a50ca56b048b7a47fea2ab2f3be4db2e724f86b89e2b3b8b87630951898ac4e3174

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
Filesize
1KB

MD5
9a80713c643fcb151555408ba8bfa081

SHA1
43eb89a6427091e2a480215541d615776acf636d

SHA256
b23c00e4e58340208e9e877d7c3b0c87493882c79115d4e93bd6c7b12ff205fc

SHA512
0ff18a0a482e1a5036dee9f77b6b5e393a5e6ad1b9f5bb95f80ac19dde3c4e337ff2257537a7d5c3e2f7990c44833134ea5ab7c07e50e26a2e90bf71bdc6eb32

Download Submit
\Users\Admin\AppData\Local\9Zfb3Qe\SystemPropertiesRemote.exe
Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Local\hMl\WFS.exe
Filesize
951KB

MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
\Users\Admin\AppData\Local\hMl\credui.dll
Filesize
1.2MB

MD5
1ffae3b5cb517c3a7ad87fe18a9372b9

SHA1
d494b7095488a7d86adb4c6c4dc228a77387c5eb

SHA256
157b72e3312f0c86160aba239bdbc5c8be07845bd7957a0914e1a575675fa3e6

SHA512
e9aecbc967f12078e23f0d0625a6630db2fc80f07eaf6a42625b0faf9edfa500c6f4ce11d67af48d43cb0da8c34ebe2639740c1dbdc0a58a97303af607859bca

Download Submit
\Users\Admin\AppData\Local\pxOkfBRY\taskmgr.exe
Filesize
251KB

MD5
09f7401d56f2393c6ca534ff0241a590

SHA1
e8b4d84a28e5ea17272416ec45726964fdf25883

SHA256
6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

SHA512
7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

Download Submit
memory/1256-27-0x0000000002A30000-0x0000000002A37000-memory.dmp

Filesize
28KB

Download
memory/1256-8-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-18-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-26-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-16-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-15-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-28-0x0000000077301000-0x0000000077302000-memory.dmp

Filesize
4KB

Download
memory/1256-13-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-11-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-9-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-4-0x00000000771F6000-0x00000000771F7000-memory.dmp

Filesize
4KB

Download
memory/1256-31-0x0000000077490000-0x0000000077492000-memory.dmp

Filesize
8KB

Download
memory/1256-39-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-38-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-5-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1256-17-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-14-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-7-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-10-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1256-66-0x00000000771F6000-0x00000000771F7000-memory.dmp

Filesize
4KB

Download
memory/1700-77-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1700-80-0x000007FEF61D0000-0x000007FEF6312000-memory.dmp

Filesize
1.3MB

Download
memory/1712-47-0x000007FEF61D0000-0x000007FEF6311000-memory.dmp

Filesize
1.3MB

Download
memory/1712-1-0x000007FEF61D0000-0x000007FEF6311000-memory.dmp

Filesize
1.3MB

Download
memory/1712-0-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2556-55-0x00000000003B0000-0x00000000003B7000-memory.dmp

Filesize
28KB

Download
memory/2556-56-0x000007FEF61D0000-0x000007FEF6312000-memory.dmp

Filesize
1.3MB

Download
memory/2556-61-0x000007FEF61D0000-0x000007FEF6312000-memory.dmp

Filesize
1.3MB

Download
memory/2860-92-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/2860-98-0x000007FEF61D0000-0x000007FEF6312000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads