dridex | 578c92f464be0b7adac38b2599735835b874fb81bed5394ffa65d572facf4ed5

General

Target

6d29291670d613e73991f0ddb06f428c_JaffaCakes118.dll
Size

1.2MB
MD5

6d29291670d613e73991f0ddb06f428c
SHA1

19706380dcc284baf80bc7f38ed2b04db059d6f3
SHA256

578c92f464be0b7adac38b2599735835b874fb81bed5394ffa65d572facf4ed5
SHA512

292c88c08fce72512f0dc8efb961657356b8987310307338748bb4597cf8e828de60eaf8e6e730d2df7c294e593af5112402c571eff1579a18bf2393b2625d6b
SSDEEP

24576:xVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8/:xV8hf6STw1ZlQauvzSq01ICe6zvmc

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3436-4-0x0000000002D90000-0x0000000002D91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

CloudNotifications.exeGamePanel.exetcmsetup.exe

pid process

2600 CloudNotifications.exe
2328 GamePanel.exe
4408 tcmsetup.exe
Loads dropped DLL 3 IoCs

Processes:

CloudNotifications.exeGamePanel.exetcmsetup.exe

pid process

2600 CloudNotifications.exe
2328 GamePanel.exe
4408 tcmsetup.exe

pid	process
2600	CloudNotifications.exe
2328	GamePanel.exe
4408	tcmsetup.exe

pid	process
2600	CloudNotifications.exe
2328	GamePanel.exe
4408	tcmsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eeaxmqtu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\FWj25qsK6\\GamePanel.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeCloudNotifications.exeGamePanel.exetcmsetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3436

pid	process
3436

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3436 wrote to memory of 4884	3436	CloudNotifications.exe
PID 3436 wrote to memory of 4884	3436	CloudNotifications.exe
PID 3436 wrote to memory of 2600	3436	CloudNotifications.exe
PID 3436 wrote to memory of 2600	3436	CloudNotifications.exe
PID 3436 wrote to memory of 4680	3436	GamePanel.exe
PID 3436 wrote to memory of 4680	3436	GamePanel.exe
PID 3436 wrote to memory of 2328	3436	GamePanel.exe
PID 3436 wrote to memory of 2328	3436	GamePanel.exe
PID 3436 wrote to memory of 4296	3436	tcmsetup.exe
PID 3436 wrote to memory of 4296	3436	tcmsetup.exe
PID 3436 wrote to memory of 4408	3436	tcmsetup.exe
PID 3436 wrote to memory of 4408	3436	tcmsetup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d29291670d613e73991f0ddb06f428c_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2856

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:4884

C:\Users\Admin\AppData\Local\UoYJl\CloudNotifications.exe
C:\Users\Admin\AppData\Local\UoYJl\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2600

C:\Windows\system32\GamePanel.exe
C:\Windows\system32\GamePanel.exe
1⤵
PID:4680

C:\Users\Admin\AppData\Local\ODSA\GamePanel.exe
C:\Users\Admin\AppData\Local\ODSA\GamePanel.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2328

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:4296

C:\Users\Admin\AppData\Local\wPd\tcmsetup.exe
C:\Users\Admin\AppData\Local\wPd\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ODSA\GamePanel.exe
Filesize
1.2MB

MD5
266f6a62c16f6a889218800762b137be

SHA1
31b9bd85a37bf0cbb38a1c30147b83671458fa72

SHA256
71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

SHA512
b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

Download Submit
C:\Users\Admin\AppData\Local\ODSA\dwmapi.dll
Filesize
1.2MB

MD5
d622a0fc8db8943a6b9d009f414228d7

SHA1
029a0cdd8a4d7ce21605743ca36d191d656a2823

SHA256
63754a17f4fe84ac06a8892c89fd325741202815b17e5b8bba6658499a4e0e25

SHA512
4f339c30d64d98b5d49c1b7cf3a5d9fd2b0d1716c3c9d503495a783f3635d004578f5c6f9c92e3b09b157f5ff1421cc4d37d5f8b5c7f42645278aa41198090f2

Download Submit
C:\Users\Admin\AppData\Local\UoYJl\CloudNotifications.exe
Filesize
59KB

MD5
b50dca49bc77046b6f480db6444c3d06

SHA1
cc9b38240b0335b1763badcceac37aa9ce547f9e

SHA256
96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

SHA512
2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

Download Submit
C:\Users\Admin\AppData\Local\UoYJl\UxTheme.dll
Filesize
1.2MB

MD5
b090bf801d7662b86b54499435ae7e4a

SHA1
5c7c05eaffcba13728d2104a5a4ebd7cd1a4e7fe

SHA256
2657bb18dd4ccc33ee98f0b5cfec5b2b9d5f34b3b2d77ddc4c2e0958a1fe78ef

SHA512
083f778ab15672865f2586da2e8e31a94b4de85d44e26fb6610214812d8257037d84586b0d4da15e5156900d6cb97a93398d09ec5c36b68e05d2dd37b7571104

Download Submit
C:\Users\Admin\AppData\Local\wPd\TAPI32.dll
Filesize
1.2MB

MD5
14189a7dcb2610a09aff74996c94c85d

SHA1
1ffb541fda0b7afe9ddcd5df2bca591ed191cce1

SHA256
ab1527deff5d14d6b16b877d0740f7b73279a699e119ce3fff93ed210416b149

SHA512
6312e6d70d7c3363dd8a2011ed10bafef26fd17ee037749e809cf3894471bca9db60d81584e46ba792eac3684be95b5de8729c2e4f74a03cfc45820cada4ce46

Download Submit
C:\Users\Admin\AppData\Local\wPd\tcmsetup.exe
Filesize
16KB

MD5
58f3b915b9ae7d63431772c2616b0945

SHA1
6346e837da3b0f551becb7cac6d160e3063696e9

SHA256
e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

SHA512
7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rkjap.lnk
Filesize
1KB

MD5
b8623bd21e48fca410acee1b59d31cc7

SHA1
26a92865a55c74027f4dd96ee1618430cffdccbc

SHA256
fea389052722980428a6cdd8aadecf7ca07d8d6aa9a0c9ca50b1a8a8a4717057

SHA512
634c61fcc2c8e309c83787930f81054bcdf3332451c0053bbd6918f84c4a7ef36914f165e50703fc95ccb8a9064d70b6edd3a2bd7bf5fa7065d97b24fba98e84

Download Submit
memory/2328-69-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2328-66-0x0000026E04850000-0x0000026E04857000-memory.dmp

Filesize
28KB

Download
memory/2600-52-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2600-47-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2600-46-0x00000145445B0000-0x00000145445B7000-memory.dmp

Filesize
28KB

Download
memory/2856-0-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2856-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2856-3-0x00000225078B0000-0x00000225078B7000-memory.dmp

Filesize
28KB

Download
memory/3436-33-0x0000000000B40000-0x0000000000B47000-memory.dmp

Filesize
28KB

Download
memory/3436-32-0x00007FFAACD1A000-0x00007FFAACD1B000-memory.dmp

Filesize
4KB

Download
memory/3436-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-24-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-34-0x00007FFAAD270000-0x00007FFAAD280000-memory.dmp

Filesize
64KB

Download
memory/3436-36-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-6-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3436-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/4408-85-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/4408-80-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads