dridex | 29acca7bc56a613ab6050dc39976f8dab90d3db95730dd08573dd5cba29366c6

General

Target

6a455e38d08eeb77d0b4a7114aed1d2a_JaffaCakes118.dll
Size

1.2MB
MD5

6a455e38d08eeb77d0b4a7114aed1d2a
SHA1

1cac68762f6c3051a28acb5e7319f01048783f9f
SHA256

29acca7bc56a613ab6050dc39976f8dab90d3db95730dd08573dd5cba29366c6
SHA512

645aad07a9e27cb5defc8aa4c588393207a89e013c0bfd4756365ea8db09d15f504529b67d941b3723ccba58df2c507f940aff750b8e07021d05cee440ed7980
SSDEEP

24576:7uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:l9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3532-4-0x0000000000980000-0x0000000000981000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msconfig.exeUtilman.exeupfc.exe

pid process

2268 msconfig.exe
3008 Utilman.exe
2280 upfc.exe
Loads dropped DLL 3 IoCs

Processes:

msconfig.exeUtilman.exeupfc.exe

pid process

2268 msconfig.exe
3008 Utilman.exe
2280 upfc.exe

pid	process
2268	msconfig.exe
3008	Utilman.exe
2280	upfc.exe

pid	process
2268	msconfig.exe
3008	Utilman.exe
2280	upfc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zyaxxifxvt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\hBU1AqGP\\Utilman.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsconfig.exeUtilman.exeupfc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532
3532

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3532

pid	process
3532

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3532 wrote to memory of 1060	3532	msconfig.exe
PID 3532 wrote to memory of 1060	3532	msconfig.exe
PID 3532 wrote to memory of 2268	3532	msconfig.exe
PID 3532 wrote to memory of 2268	3532	msconfig.exe
PID 3532 wrote to memory of 3184	3532	Utilman.exe
PID 3532 wrote to memory of 3184	3532	Utilman.exe
PID 3532 wrote to memory of 3008	3532	Utilman.exe
PID 3532 wrote to memory of 3008	3532	Utilman.exe
PID 3532 wrote to memory of 2020	3532	upfc.exe
PID 3532 wrote to memory of 2020	3532	upfc.exe
PID 3532 wrote to memory of 2280	3532	upfc.exe
PID 3532 wrote to memory of 2280	3532	upfc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a455e38d08eeb77d0b4a7114aed1d2a_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3796

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:1060

C:\Users\Admin\AppData\Local\5UU3RI7\msconfig.exe
C:\Users\Admin\AppData\Local\5UU3RI7\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2268

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:3184

C:\Users\Admin\AppData\Local\G4CTz8wPF\Utilman.exe
C:\Users\Admin\AppData\Local\G4CTz8wPF\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3008

C:\Windows\system32\upfc.exe
C:\Windows\system32\upfc.exe
1⤵
PID:2020

C:\Users\Admin\AppData\Local\cPjeLVICy\upfc.exe
C:\Users\Admin\AppData\Local\cPjeLVICy\upfc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5UU3RI7\MFC42u.dll
Filesize
1.2MB

MD5
8d8f0e42e7aeef0782f62613786acc81

SHA1
024c99c3f6ed8ca548f5a6b87fe8d9c25886baa2

SHA256
6c564a18fe406fba59a7dfb6019301a08d5949aca4fa3f8622db92ee21e8958a

SHA512
4b14b24bd75e165768d2968ff697565f985fb93f08df622e4c280c5367dd0f6cbc280f586af6cb8f4e5b4e257d42bdb59749448e34eb1ddbad51e320f1b61af0

Download Submit
C:\Users\Admin\AppData\Local\5UU3RI7\msconfig.exe
Filesize
193KB

MD5
39009536cafe30c6ef2501fe46c9df5e

SHA1
6ff7b4d30f31186de899665c704a105227704b72

SHA256
93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

SHA512
95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

Download Submit
C:\Users\Admin\AppData\Local\G4CTz8wPF\DUser.dll
Filesize
1.2MB

MD5
2d1d973522162a7fbfac634a285897d7

SHA1
431481ce831a604c4ddf8f6413697b7fc159d76b

SHA256
cdd8a2a1a8dcaf2cb735692172a23f431e00ff7305be7851636d06b5fe321722

SHA512
50ffd93699bdd9e6efa888e8933efe9332b6f953fe56dec9246c99464dacfb3d0e1f19de5f17b1457d4ed62947cfb973a781bff410f1c17021329764edad737e

Download Submit
C:\Users\Admin\AppData\Local\G4CTz8wPF\Utilman.exe
Filesize
123KB

MD5
a117edc0e74ab4770acf7f7e86e573f7

SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Download Submit
C:\Users\Admin\AppData\Local\cPjeLVICy\XmlLite.dll
Filesize
1.2MB

MD5
6cb597d7ba72673f60c05e94de2a7968

SHA1
81358777d1bb17f1bea617db38ed80e98e05af41

SHA256
76728f4a4578efd1e1d2f04ed7388f06cbc50159dedddd548225fafb5424e63a

SHA512
ddc155c4c8f73354f0eb3a9b71610c16f52f7ad032a9d864beb1515ccc774dba2dc6cd4af5691ea37ff4556ff1468e2ae1513aa7d8aa35de736324142a242053

Download Submit
C:\Users\Admin\AppData\Local\cPjeLVICy\upfc.exe
Filesize
118KB

MD5
299ea296575ccb9d2c1a779062535d5c

SHA1
2497169c13b0ba46a6be8a1fe493b250094079b7

SHA256
ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

SHA512
02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kscubvdexgimjec.lnk
Filesize
1KB

MD5
0bb6375b57e8b5367c946c2da0502b03

SHA1
aefa82aa8068bc225b678c87957978efe252d590

SHA256
f051603643ab7b97c1ac37f84e85d2e09ed063108def90908019f377a2b56719

SHA512
c641cad9395bc4181fa686848bcb3411cdcb7498b16ee35945a6abb7379e592959ba1b717cf8102eb93b464569c974662319293229015afb9e2f6b7292f19af5

Download Submit
memory/2268-50-0x000002657ECF0000-0x000002657ECF7000-memory.dmp

Filesize
28KB

Download
memory/2268-47-0x00007FFAE1A00000-0x00007FFAE1B48000-memory.dmp

Filesize
1.3MB

Download
memory/2268-53-0x00007FFAE1A00000-0x00007FFAE1B48000-memory.dmp

Filesize
1.3MB

Download
memory/2280-82-0x00007FFAE1A00000-0x00007FFAE1B42000-memory.dmp

Filesize
1.3MB

Download
memory/2280-84-0x0000014303310000-0x0000014303317000-memory.dmp

Filesize
28KB

Download
memory/2280-87-0x00007FFAE1A00000-0x00007FFAE1B42000-memory.dmp

Filesize
1.3MB

Download
memory/3008-64-0x00007FFAE04E0000-0x00007FFAE0623000-memory.dmp

Filesize
1.3MB

Download
memory/3008-67-0x0000020C099E0000-0x0000020C099E7000-memory.dmp

Filesize
28KB

Download
memory/3008-70-0x00007FFAE04E0000-0x00007FFAE0623000-memory.dmp

Filesize
1.3MB

Download
memory/3532-38-0x0000000000940000-0x0000000000947000-memory.dmp

Filesize
28KB

Download
memory/3532-18-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-26-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-8-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-6-0x00007FFAFD21A000-0x00007FFAFD21B000-memory.dmp

Filesize
4KB

Download
memory/3532-11-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-13-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-14-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-15-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-17-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-9-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-4-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3532-35-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-39-0x00007FFAFF070000-0x00007FFAFF080000-memory.dmp

Filesize
64KB

Download
memory/3532-16-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-7-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3532-10-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3796-0-0x00007FFAF0700000-0x00007FFAF0841000-memory.dmp

Filesize
1.3MB

Download
memory/3796-40-0x00007FFAF0700000-0x00007FFAF0841000-memory.dmp

Filesize
1.3MB

Download
memory/3796-3-0x0000014C24EC0000-0x0000014C24EC7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads