dridex | e88df4131fdd98a0b85a2b9d25e7772767d4629c64ac2af981fa6d23132df183

General

Target

6f1137c2ea734e22e0224e97c063e7f7_JaffaCakes118.dll
Size

1.3MB
MD5

6f1137c2ea734e22e0224e97c063e7f7
SHA1

b5e75a87e673e2951bae329aaca82a6cc3890dd0
SHA256

e88df4131fdd98a0b85a2b9d25e7772767d4629c64ac2af981fa6d23132df183
SHA512

aacc73ce0eb9846248effeb16bb3937480f2a06406b34ec3fe21be50c1ff6c5753dc4444da681884c39c3c05f5fd3ab31cab421626e967797670e21a722f6df6
SSDEEP

24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3572-4-0x0000000002A40000-0x0000000002A41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

SppExtComObj.Exeomadmclient.exeNarrator.exeApplySettingsTemplateCatalog.exe

pid process

4524 SppExtComObj.Exe
2004 omadmclient.exe
4044 Narrator.exe
3464 ApplySettingsTemplateCatalog.exe
Loads dropped DLL 5 IoCs

Processes:

SppExtComObj.Exeomadmclient.exeApplySettingsTemplateCatalog.exe

pid process

4524 SppExtComObj.Exe
2004 omadmclient.exe
2004 omadmclient.exe
2004 omadmclient.exe
3464 ApplySettingsTemplateCatalog.exe

pid	process
4524	SppExtComObj.Exe
2004	omadmclient.exe
4044	Narrator.exe
3464	ApplySettingsTemplateCatalog.exe

pid	process
4524	SppExtComObj.Exe
2004	omadmclient.exe
2004	omadmclient.exe
2004	omadmclient.exe
3464	ApplySettingsTemplateCatalog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\43UPkmx3ql\\omadmclient.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ApplySettingsTemplateCatalog.exeSppExtComObj.Exeomadmclient.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.Exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2676	regsvr32.exe
2676	regsvr32.exe
2676	regsvr32.exe
2676	regsvr32.exe
2676	regsvr32.exe
2676	regsvr32.exe
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572
3572

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3572

pid	process
3572

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

description	pid	target process
PID 3572 wrote to memory of 3304	3572	SppExtComObj.Exe
PID 3572 wrote to memory of 3304	3572	SppExtComObj.Exe
PID 3572 wrote to memory of 4524	3572	SppExtComObj.Exe
PID 3572 wrote to memory of 4524	3572	SppExtComObj.Exe
PID 3572 wrote to memory of 2524	3572	omadmclient.exe
PID 3572 wrote to memory of 2524	3572	omadmclient.exe
PID 3572 wrote to memory of 2004	3572	omadmclient.exe
PID 3572 wrote to memory of 2004	3572	omadmclient.exe
PID 3572 wrote to memory of 4892	3572	Narrator.exe
PID 3572 wrote to memory of 4892	3572	Narrator.exe
PID 3572 wrote to memory of 2596	3572	ApplySettingsTemplateCatalog.exe
PID 3572 wrote to memory of 2596	3572	ApplySettingsTemplateCatalog.exe
PID 3572 wrote to memory of 3464	3572	ApplySettingsTemplateCatalog.exe
PID 3572 wrote to memory of 3464	3572	ApplySettingsTemplateCatalog.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6f1137c2ea734e22e0224e97c063e7f7_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
1⤵
PID:3304

C:\Users\Admin\AppData\Local\nvOawj\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\nvOawj\SppExtComObj.Exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4524

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:2524

C:\Users\Admin\AppData\Local\UWJH\omadmclient.exe
C:\Users\Admin\AppData\Local\UWJH\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2004

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:4892

C:\Users\Admin\AppData\Local\1wN\Narrator.exe
C:\Users\Admin\AppData\Local\1wN\Narrator.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:2596

C:\Users\Admin\AppData\Local\Lcq\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\Lcq\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1wN\Narrator.exe
Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Local\Lcq\ACTIVEDS.dll
Filesize
1.3MB

MD5
550317e44c25199bdf0022b905c9a069

SHA1
b5f053d772fb8ddac01bc75aca64b969ba9baaeb

SHA256
f843169251eee8137d4b410bd9b3d5510b56738627669f8db2b0a12926ab959d

SHA512
37e5edcfce1a0234ba8a491952a6680f3618ad2fb3cfa5db4526ecdae895bfe9182daac6d88498b1e658d9375ba46ef3333cd2a6aae02260ae5d2a71b8667163

Download Submit
C:\Users\Admin\AppData\Local\Lcq\ApplySettingsTemplateCatalog.exe
Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Local\UWJH\XmlLite.dll
Filesize
1.3MB

MD5
4a85d2aea7347f02cab799e4d3a2ee98

SHA1
9ec6814ace1918335df9b44aab3d3b5199343bb8

SHA256
a3147fecd0a359cd0444a807e66fbd3af49b7eab24b47126e70be6616857b4a5

SHA512
8d14e930fe95369361b7c4b7545de2fdb4926c949dbd3cc1659d921c6b1e4c774159ba13b5bb9cb9d4ff41188d2435595e46402a7a56fd0cfee786f65fd716b1

Download Submit
C:\Users\Admin\AppData\Local\UWJH\omadmclient.exe
Filesize
425KB

MD5
8992b5b28a996eb83761dafb24959ab4

SHA1
697ecb33b8ff5b0e73ef29ce471153b368b1b729

SHA256
e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

SHA512
4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

Download Submit
C:\Users\Admin\AppData\Local\nvOawj\ACTIVEDS.dll
Filesize
1.3MB

MD5
8242b524e84e6ff1a65a93d20b235a34

SHA1
5ed0a860eb1faaac43b46c9aefe2d35090a59a43

SHA256
e81482a67dfcabfec17104f83978b1d324fc2489dc3b2889afe552f74e0f3342

SHA512
76e12858752dc10a561b4702060de98168d18558defcc9e81cde46396d5c296c6a185ce4574feb5cd426437efa539a17911af1d5cbce6f4455ee6b87cc283667

Download Submit
C:\Users\Admin\AppData\Local\nvOawj\SppExtComObj.Exe
Filesize
559KB

MD5
728a78909aa69ca0e976e94482350700

SHA1
6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

SHA256
2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

SHA512
22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize
1KB

MD5
180c1df50a866c671398e7339c8c3ec0

SHA1
f3a0114e11ea473513a3341fb50148404a537dc8

SHA256
26b586aa2076c2a42bcabb959461a98e6a4cb81b595b0fc5d3ca2d98eb0cd02e

SHA512
8203ff29fcf6e666ebc45bfe6fc5e03c188ae5f2d30d33f2cc743eccd97401f41b1d70a081f50f6037e855a3a5b724a34816d58d07dde8d8a22be4d3be7aaae3

Download Submit
memory/2004-70-0x0000020EB4E80000-0x0000020EB4E87000-memory.dmp

Filesize
28KB

Download
memory/2004-71-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2676-39-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2676-0-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2676-3-0x0000000002600000-0x0000000002607000-memory.dmp

Filesize
28KB

Download
memory/3464-95-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3572-35-0x00007FFF9AB50000-0x00007FFF9AB60000-memory.dmp

Filesize
64KB

Download
memory/3572-36-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3572-10-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3572-7-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3572-16-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3572-8-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3572-25-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3572-6-0x00007FFF993CA000-0x00007FFF993CB000-memory.dmp

Filesize
4KB

Download
memory/3572-4-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/3572-13-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3572-11-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3572-12-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3572-34-0x0000000000CA0000-0x0000000000CA7000-memory.dmp

Filesize
28KB

Download
memory/3572-9-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3572-15-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3572-14-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4524-52-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4524-47-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4524-46-0x0000021149610000-0x0000021149617000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads