dridex | a4028b0f6604c7aeecc2330ee67997f99ffe70e21215f9aeedf017967be7d9e2

General

Target

6bea9c1a003870ad52df8b2eb97fe986_JaffaCakes118.dll
Size

1.4MB
MD5

6bea9c1a003870ad52df8b2eb97fe986
SHA1

06ba82c8b99a00e35eee2bdda767680958e14cb8
SHA256

a4028b0f6604c7aeecc2330ee67997f99ffe70e21215f9aeedf017967be7d9e2
SHA512

2756a44868022d3706703628aba56cc8b2ce687e0adace62248b33576fed7b7d9d289a33aa3cae5e16120d3504f8d57d770cd503ce3d35674d76fe004c296689
SSDEEP

24576:RVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:RV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3384-4-0x0000000002E20000-0x0000000002E21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesPerformance.exeiexpress.exeBitLockerWizardElev.exe

pid process

460 SystemPropertiesPerformance.exe
448 iexpress.exe
5536 BitLockerWizardElev.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesPerformance.exeiexpress.exeBitLockerWizardElev.exe

pid process

460 SystemPropertiesPerformance.exe
448 iexpress.exe
5536 BitLockerWizardElev.exe

pid	process
460	SystemPropertiesPerformance.exe
448	iexpress.exe
5536	BitLockerWizardElev.exe

pid	process
460	SystemPropertiesPerformance.exe
448	iexpress.exe
5536	BitLockerWizardElev.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\On1CCNAl9\\iexpress.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

iexpress.exeBitLockerWizardElev.exerundll32.exeSystemPropertiesPerformance.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4712	rundll32.exe
4712	rundll32.exe
4712	rundll32.exe
4712	rundll32.exe
4712	rundll32.exe
4712	rundll32.exe
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384
3384

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384
Token: SeShutdownPrivilege	3384
Token: SeCreatePagefilePrivilege	3384

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3384

pid	process
3384

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3384 wrote to memory of 2744	3384	SystemPropertiesPerformance.exe
PID 3384 wrote to memory of 2744	3384	SystemPropertiesPerformance.exe
PID 3384 wrote to memory of 460	3384	SystemPropertiesPerformance.exe
PID 3384 wrote to memory of 460	3384	SystemPropertiesPerformance.exe
PID 3384 wrote to memory of 2192	3384	iexpress.exe
PID 3384 wrote to memory of 2192	3384	iexpress.exe
PID 3384 wrote to memory of 448	3384	iexpress.exe
PID 3384 wrote to memory of 448	3384	iexpress.exe
PID 3384 wrote to memory of 948	3384	BitLockerWizardElev.exe
PID 3384 wrote to memory of 948	3384	BitLockerWizardElev.exe
PID 3384 wrote to memory of 5536	3384	BitLockerWizardElev.exe
PID 3384 wrote to memory of 5536	3384	BitLockerWizardElev.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bea9c1a003870ad52df8b2eb97fe986_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4712

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:2744

C:\Users\Admin\AppData\Local\TxOjhd\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\TxOjhd\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:460

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2192

C:\Users\Admin\AppData\Local\q1Tgr\iexpress.exe
C:\Users\Admin\AppData\Local\q1Tgr\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:448

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:948

C:\Users\Admin\AppData\Local\VYX2Z\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\VYX2Z\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TxOjhd\SYSDM.CPL
Filesize
1.4MB

MD5
bac2f422c160400be8cbd4155ba42a8a

SHA1
6cf0ee4c033d4603872417aee4623e1262f5f9d5

SHA256
5be055e96a4e943b561d8aa38220bfc875757340c99078e9f2de07cee2958a3b

SHA512
e67e3def33c47404891f42aa18e7956ea593805082e3ad9d4f14c02edfbe2dd4a1d03c91fafb49d708edced36709558dd3b2f51013343553e4590de1fb2e6098

Download Submit
C:\Users\Admin\AppData\Local\TxOjhd\SystemPropertiesPerformance.exe
Filesize
82KB

MD5
e4fbf7cab8669c7c9cef92205d2f2ffc

SHA1
adbfa782b7998720fa85678cc85863b961975e28

SHA256
b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

SHA512
c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

Download Submit
C:\Users\Admin\AppData\Local\VYX2Z\BitLockerWizardElev.exe
Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\VYX2Z\FVEWIZ.dll
Filesize
1.4MB

MD5
60b9edbf3d3f6d57dda273dbed952264

SHA1
9f462b6d9ced194c68d8f9c11a3ce41bdc20aeb5

SHA256
9f87964ecbfc391cdb99d7f7733cb9d9f02cebbad9068c69846075bf2febea16

SHA512
0f8a7b8ba1708619ee31f28362800ee76ad760b31a22da3c07bf7b4d25c05763bdce9cfc763cfda9aca826419af9f676547fd0c674feafe0b893686abfb43cc7

Download Submit
C:\Users\Admin\AppData\Local\q1Tgr\VERSION.dll
Filesize
1.4MB

MD5
c57031f03ba562945c49b93bc63d3ec4

SHA1
817776469a0b9413e8ff3115fc17513f89554a17

SHA256
208db1c0be7056da4de1f6fb0d0aadc2572e4def10acd216263bf2aac40425ca

SHA512
728619afd75ffe6c784889e09fd73bcf955fe2fc85a7b06e7e909ba73064ae574a43fb6c99ad35f71450dcdb85a490836a37e7528eadbc2554a39c2b5005342e

Download Submit
C:\Users\Admin\AppData\Local\q1Tgr\iexpress.exe
Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize
1KB

MD5
358423a82053acafca44cfc86e9e6934

SHA1
d5161841078087f5decc77ddebc50ed9ade4ab73

SHA256
c9c239d41ad13ca48b9bc3f604b3f3027eef7cc3554de8c759de774b628b54b4

SHA512
92a50d8856f04c2751c9dd3a561c7230adf4644405d7a69ae7097831c82920dc71fd47e0e60baad488633624d95051ad1cae59333a161490b94c98d0e413725e

Download Submit
memory/448-70-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/448-67-0x0000022F3DC50000-0x0000022F3DC57000-memory.dmp

Filesize
28KB

Download
memory/460-48-0x000001D8511D0000-0x000001D8511D7000-memory.dmp

Filesize
28KB

Download
memory/460-51-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/460-45-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3384-35-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3384-7-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3384-10-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3384-9-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3384-8-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3384-6-0x00007FFA208BA000-0x00007FFA208BB000-memory.dmp

Filesize
4KB

Download
memory/3384-13-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3384-15-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3384-24-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3384-33-0x0000000000F60000-0x0000000000F67000-memory.dmp

Filesize
28KB

Download
memory/3384-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/3384-34-0x00007FFA21790000-0x00007FFA217A0000-memory.dmp

Filesize
64KB

Download
memory/3384-14-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3384-12-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3384-11-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4712-1-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4712-38-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4712-0-0x00000142FAAE0000-0x00000142FAAE7000-memory.dmp

Filesize
28KB

Download
memory/5536-84-0x000002348F8A0000-0x000002348F8A7000-memory.dmp

Filesize
28KB

Download
memory/5536-87-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads