dridex | 4b3d199a8271663812b5e8a440180946e7e49ed1a06cd0cc71a0bcb0ac17652e

General

Target

735987d7f53d7ef2e1bf1a55e1e1d8ce_JaffaCakes118.dll
Size

987KB
MD5

735987d7f53d7ef2e1bf1a55e1e1d8ce
SHA1

13119a072097873309619feaf6a6736587d3d944
SHA256

4b3d199a8271663812b5e8a440180946e7e49ed1a06cd0cc71a0bcb0ac17652e
SHA512

a60be5e0ed5e70d5af73762a9948a8608f9b96ef74fb4b24fb78de123bc8ec7e5f26719da8f470ad96c36fc1ca0d99b45d7708faa0c696119551e5f7e43c1819
SSDEEP

24576:6VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:6V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3504-4-0x0000000006BE0000-0x0000000006BE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesRemote.exeEaseOfAccessDialog.exerstrui.exe

pid process

1380 SystemPropertiesRemote.exe
3308 EaseOfAccessDialog.exe
4012 rstrui.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesRemote.exeEaseOfAccessDialog.exerstrui.exe

pid process

1380 SystemPropertiesRemote.exe
3308 EaseOfAccessDialog.exe
4012 rstrui.exe

pid	process
1380	SystemPropertiesRemote.exe
3308	EaseOfAccessDialog.exe
4012	rstrui.exe

pid	process
1380	SystemPropertiesRemote.exe
3308	EaseOfAccessDialog.exe
4012	rstrui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Esxju = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\LEgk\\EaseOfAccessDialog.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesRemote.exeEaseOfAccessDialog.exerstrui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
4916	regsvr32.exe
4916	regsvr32.exe
4916	regsvr32.exe
4916	regsvr32.exe
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504
3504

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504
Token: SeShutdownPrivilege	3504
Token: SeCreatePagefilePrivilege	3504

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3504
3504
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3504

pid	process
3504
3504

pid	process
3504

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3504 wrote to memory of 1524	3504	SystemPropertiesRemote.exe
PID 3504 wrote to memory of 1524	3504	SystemPropertiesRemote.exe
PID 3504 wrote to memory of 1380	3504	SystemPropertiesRemote.exe
PID 3504 wrote to memory of 1380	3504	SystemPropertiesRemote.exe
PID 3504 wrote to memory of 844	3504	EaseOfAccessDialog.exe
PID 3504 wrote to memory of 844	3504	EaseOfAccessDialog.exe
PID 3504 wrote to memory of 3308	3504	EaseOfAccessDialog.exe
PID 3504 wrote to memory of 3308	3504	EaseOfAccessDialog.exe
PID 3504 wrote to memory of 2156	3504	rstrui.exe
PID 3504 wrote to memory of 2156	3504	rstrui.exe
PID 3504 wrote to memory of 4012	3504	rstrui.exe
PID 3504 wrote to memory of 4012	3504	rstrui.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\735987d7f53d7ef2e1bf1a55e1e1d8ce_JaffaCakes118.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4024,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:2972

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:1524

C:\Users\Admin\AppData\Local\mFhfeqp\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\mFhfeqp\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1380

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:844

C:\Users\Admin\AppData\Local\sIbhgwMi\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\sIbhgwMi\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3308

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:2156

C:\Users\Admin\AppData\Local\XGOUkIBK\rstrui.exe
C:\Users\Admin\AppData\Local\XGOUkIBK\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\XGOUkIBK\SRCORE.dll
Filesize
988KB

MD5
7d6c65148e71d11a71246536738a8f32

SHA1
a2daa5aeda08d91e0d375488ab7e61ec5b7ae94f

SHA256
63853a14b50c2f3de7da735f14b60060206dbbf3f210b022097e8776358853ac

SHA512
0e8d52b7913737b465b243889499bf6959e7a0837852ef7f62edc5ab3313e775766f5164213461124352e5082fc51e4f567ea3f49da33cd6c02675d02ed459fe

Download Submit
C:\Users\Admin\AppData\Local\XGOUkIBK\rstrui.exe
Filesize
268KB

MD5
4cad10846e93e85790865d5c0ab6ffd9

SHA1
8a223f4bab28afa4c7ed630f29325563c5dcda1a

SHA256
9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

SHA512
c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

Download Submit
C:\Users\Admin\AppData\Local\mFhfeqp\SYSDM.CPL
Filesize
988KB

MD5
ef360e9fbfa521206fc7c71451042eb3

SHA1
6a30818bc5be5afd1a047b6367262633c34eb1d7

SHA256
27b90da20ff82117fcfc331bf3be0e206ae8244a03852845964d36c722fe6dff

SHA512
4ee2df16980d67d91d122b6c1e8ef39667979ee898effd78b696195dc7e12a071948cd389bfbdc7643cb836c857eab160af7152c99c56dfb09a139e8948618c3

Download Submit
C:\Users\Admin\AppData\Local\mFhfeqp\SystemPropertiesRemote.exe
Filesize
82KB

MD5
cdce1ee7f316f249a3c20cc7a0197da9

SHA1
dadb23af07827758005ec0235ac1573ffcea0da6

SHA256
7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

SHA512
f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

Download Submit
C:\Users\Admin\AppData\Local\sIbhgwMi\EaseOfAccessDialog.exe
Filesize
123KB

MD5
e75ee992c1041341f709a517c8723c87

SHA1
471021260055eac0021f0abffa2d0ba77a2f380e

SHA256
0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

SHA512
48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

Download Submit
C:\Users\Admin\AppData\Local\sIbhgwMi\OLEACC.dll
Filesize
988KB

MD5
3f884eac1b3a15253728bbdea3a5ff69

SHA1
403d175d8a5064e792e91f6338ecf49462ca73d4

SHA256
8475ab229524dfc1208ab94210b330ac8715ebc7ffc4e64f0c57d4d4e7225b17

SHA512
6d5508974ce2b5c6abb09d3ac4c874f2d8d2096b0ae36f7201b9ac558bb9b19c7065fa9c6dbc652630a940046ed2b2520e90d160bd71dd0c8fe42af17d48b4eb

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xpqmtuztdhk.lnk
Filesize
1KB

MD5
793f08a6f803a2de7aee9c58bae41b56

SHA1
08c2f785387bf14fa49b509cd941803003418b31

SHA256
3d7c5ac1098ac26c68afdf72ce8454957d24d3d634e1c773060b5cbc3175f692

SHA512
4cdcaa0db68f61e45ce722449a9ee040398557125795dc8bb1230dbc4cc90ece2f8335361bca74260813d2792a88f8316f93eafa4f7da9126177f80baddf1170

Download Submit
memory/1380-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1380-45-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1380-44-0x000001C381A00000-0x000001C381A07000-memory.dmp

Filesize
28KB

Download
memory/3308-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3308-64-0x00000231B4690000-0x00000231B4697000-memory.dmp

Filesize
28KB

Download
memory/3504-33-0x00007FF9B07D0000-0x00007FF9B07E0000-memory.dmp

Filesize
64KB

Download
memory/3504-23-0x00000000028F0000-0x00000000028F7000-memory.dmp

Filesize
28KB

Download
memory/3504-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-4-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/3504-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-6-0x00007FF9AF94A000-0x00007FF9AF94B000-memory.dmp

Filesize
4KB

Download
memory/3504-24-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3504-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4012-81-0x0000029C25FA0000-0x0000029C25FA7000-memory.dmp

Filesize
28KB

Download
memory/4012-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4916-0-0x0000000000920000-0x0000000000927000-memory.dmp

Filesize
28KB

Download
memory/4916-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4916-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads