dridex | 4b3d199a8271663812b5e8a440180946e7e49ed1a06cd0cc71a0bcb0ac17652e

General

Target

735987d7f53d7ef2e1bf1a55e1e1d8ce_JaffaCakes118.dll
Size

987KB
MD5

735987d7f53d7ef2e1bf1a55e1e1d8ce
SHA1

13119a072097873309619feaf6a6736587d3d944
SHA256

4b3d199a8271663812b5e8a440180946e7e49ed1a06cd0cc71a0bcb0ac17652e
SHA512

a60be5e0ed5e70d5af73762a9948a8608f9b96ef74fb4b24fb78de123bc8ec7e5f26719da8f470ad96c36fc1ca0d99b45d7708faa0c696119551e5f7e43c1819
SSDEEP

24576:6VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:6V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1368-5-0x00000000029E0000-0x00000000029E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

BitLockerWizard.exeUtilman.exemblctr.exe

pid process

2412 BitLockerWizard.exe
788 Utilman.exe
340 mblctr.exe
Loads dropped DLL 7 IoCs

Processes:

BitLockerWizard.exeUtilman.exemblctr.exe

pid process

1368
2412 BitLockerWizard.exe
1368
788 Utilman.exe
1368
340 mblctr.exe
1368

pid	process
2412	BitLockerWizard.exe
788	Utilman.exe
340	mblctr.exe

pid	process
1368
2412	BitLockerWizard.exe
1368
788	Utilman.exe
1368
340	mblctr.exe
1368

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\oHV3be\\Utilman.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BitLockerWizard.exeUtilman.exemblctr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2752	regsvr32.exe
2752	regsvr32.exe
2752	regsvr32.exe
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1368 wrote to memory of 2468	1368	BitLockerWizard.exe
PID 1368 wrote to memory of 2468	1368	BitLockerWizard.exe
PID 1368 wrote to memory of 2468	1368	BitLockerWizard.exe
PID 1368 wrote to memory of 2412	1368	BitLockerWizard.exe
PID 1368 wrote to memory of 2412	1368	BitLockerWizard.exe
PID 1368 wrote to memory of 2412	1368	BitLockerWizard.exe
PID 1368 wrote to memory of 588	1368	Utilman.exe
PID 1368 wrote to memory of 588	1368	Utilman.exe
PID 1368 wrote to memory of 588	1368	Utilman.exe
PID 1368 wrote to memory of 788	1368	Utilman.exe
PID 1368 wrote to memory of 788	1368	Utilman.exe
PID 1368 wrote to memory of 788	1368	Utilman.exe
PID 1368 wrote to memory of 1208	1368	mblctr.exe
PID 1368 wrote to memory of 1208	1368	mblctr.exe
PID 1368 wrote to memory of 1208	1368	mblctr.exe
PID 1368 wrote to memory of 340	1368	mblctr.exe
PID 1368 wrote to memory of 340	1368	mblctr.exe
PID 1368 wrote to memory of 340	1368	mblctr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\735987d7f53d7ef2e1bf1a55e1e1d8ce_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2752

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:2468

C:\Users\Admin\AppData\Local\4P2NVWxn\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\4P2NVWxn\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2412

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:588

C:\Users\Admin\AppData\Local\MoRKm\Utilman.exe
C:\Users\Admin\AppData\Local\MoRKm\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:788

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Rjt\mblctr.exe
C:\Users\Admin\AppData\Local\Rjt\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:340

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4P2NVWxn\FVEWIZ.dll
Filesize
989KB

MD5
404942eddb31f4451ddde546cbdf703f

SHA1
7e686dda48bbb1ead71fefecb18b557113ab98c8

SHA256
de891c9d5d81ed6a740d679e780015cd8eebb244d12aafd417aa383d89aa7d67

SHA512
3ba8f69aed15dfe7444c4559815886bc354fabb98664fa6d096fe3506f96c9a31c481f1cedf4c3ac38c90bd504fa7183432ce0c0a04603e2a92fc742063d1f34

Download Submit
C:\Users\Admin\AppData\Local\MoRKm\DUI70.dll
Filesize
1.2MB

MD5
a29018fb154ef002938303186adbbd79

SHA1
721b3b6b5e67a18c00ce38859adf929af55c89d3

SHA256
9dffbe87acdebcec08ce232d54b442c62580a5f25b029664f74d0b930c4d4bda

SHA512
b219a83c05f18e5ec291002ca1c961077d7b630f47429da13f3458ea05969aa1c896f1d834be0c3c305bcbb270022d6bd6e0d8eb2945b00e69f65bd330dc2e76

Download Submit
C:\Users\Admin\AppData\Local\Rjt\WINMM.dll
Filesize
992KB

MD5
5e027ce651f2f2d0385c93941ad6a595

SHA1
1c75970f4c36e61467b810a42b8f49d4b47ef1e6

SHA256
a560c2bab5c176f3eb6f60b3b84745c632132d04e0d46e4459d82defd380d7a8

SHA512
40b5100b6f9759732ce97f2b600a113060081aaeadda10e84cb72b4b71d99fe4d324489d2425db74ba51d540f7a73096eeca099035e23080a597aa4c52c6f4df

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
0df19a8b5061f1de0458f83c39e7e96f

SHA1
104506409e29cc1c87d10d14434a233e1fc3765c

SHA256
ccd02f53a875f2b7b89a9ebb83d39e8d223eb7fed23fb78eb1f934cbad415dfa

SHA512
fb95bf8f7f7d38857b714d8606e5870323f1b31964e183b39925d511d0a178f6778739b62990503b98e8fc304e02a5fc726ff862ac3d79ae6dc7957fd95b9ac6

Download Submit
\Users\Admin\AppData\Local\4P2NVWxn\BitLockerWizard.exe
Filesize
98KB

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
\Users\Admin\AppData\Local\MoRKm\Utilman.exe
Filesize
1.3MB

MD5
32c5ee55eadfc071e57851e26ac98477

SHA1
8f8d0aee344e152424143da49ce2c7badabb8f9d

SHA256
7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

SHA512
e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

Download Submit
\Users\Admin\AppData\Local\Rjt\mblctr.exe
Filesize
935KB

MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
memory/340-90-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/340-84-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/788-71-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/788-66-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/788-65-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1368-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-5-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1368-30-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-29-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-27-0x00000000774A1000-0x00000000774A2000-memory.dmp

Filesize
4KB

Download
memory/1368-24-0x0000000002200000-0x0000000002207000-memory.dmp

Filesize
28KB

Download
memory/1368-4-0x0000000077396000-0x0000000077397000-memory.dmp

Filesize
4KB

Download
memory/1368-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-28-0x0000000077630000-0x0000000077632000-memory.dmp

Filesize
8KB

Download
memory/1368-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1368-64-0x0000000077396000-0x0000000077397000-memory.dmp

Filesize
4KB

Download
memory/1368-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2412-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2412-47-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2412-46-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2752-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2752-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2752-0-0x00000000004A0000-0x00000000004A7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads