dridex | f2cc03bcfda9a68e8701f34c643a255c1dc72115abf2c260f0a2ca83ec455c81

General

Target

70f2afce62d2845fe5b7fabff4224525_JaffaCakes118.dll
Size

992KB
MD5

70f2afce62d2845fe5b7fabff4224525
SHA1

dec3518e540edac940c041da3be9c975b2c2aeae
SHA256

f2cc03bcfda9a68e8701f34c643a255c1dc72115abf2c260f0a2ca83ec455c81
SHA512

8281d550445f0354f7f0c95905cea6b6c399787c4ad43b6880cc042f9ccd1b5bc0ace1dabe39feb631628a62b9031e827abe8df462f0759f7ee69a6ddf921ef2
SSDEEP

24576:4VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:4V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3544-4-0x0000000002C50000-0x0000000002C51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

Narrator.exemfpmp.execmstp.exeWMPDMC.exe

pid process

3800 Narrator.exe
3744 mfpmp.exe
3476 cmstp.exe
3520 WMPDMC.exe
Loads dropped DLL 4 IoCs

Processes:

mfpmp.execmstp.exeWMPDMC.exe

pid process

3744 mfpmp.exe
3476 cmstp.exe
3476 cmstp.exe
3520 WMPDMC.exe

pid	process
3800	Narrator.exe
3744	mfpmp.exe
3476	cmstp.exe
3520	WMPDMC.exe

pid	process
3744	mfpmp.exe
3476	cmstp.exe
3476	cmstp.exe
3520	WMPDMC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\9Es6EImJ0j\\cmstp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cmstp.exeWMPDMC.exerundll32.exemfpmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMPDMC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3248	rundll32.exe
3248	rundll32.exe
3248	rundll32.exe
3248	rundll32.exe
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3544
Token: SeCreatePagefilePrivilege	3544
Token: SeShutdownPrivilege	3544
Token: SeCreatePagefilePrivilege	3544

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3544
3544
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3544

pid	process
3544
3544

pid	process
3544

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

description	pid	target process
PID 3544 wrote to memory of 3160	3544	Narrator.exe
PID 3544 wrote to memory of 3160	3544	Narrator.exe
PID 3544 wrote to memory of 4132	3544	mfpmp.exe
PID 3544 wrote to memory of 4132	3544	mfpmp.exe
PID 3544 wrote to memory of 3744	3544	mfpmp.exe
PID 3544 wrote to memory of 3744	3544	mfpmp.exe
PID 3544 wrote to memory of 3636	3544	cmstp.exe
PID 3544 wrote to memory of 3636	3544	cmstp.exe
PID 3544 wrote to memory of 3476	3544	cmstp.exe
PID 3544 wrote to memory of 3476	3544	cmstp.exe
PID 3544 wrote to memory of 2156	3544	WMPDMC.exe
PID 3544 wrote to memory of 2156	3544	WMPDMC.exe
PID 3544 wrote to memory of 3520	3544	WMPDMC.exe
PID 3544 wrote to memory of 3520	3544	WMPDMC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70f2afce62d2845fe5b7fabff4224525_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3248

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:3160

C:\Users\Admin\AppData\Local\dV7iv\Narrator.exe
C:\Users\Admin\AppData\Local\dV7iv\Narrator.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:4132

C:\Users\Admin\AppData\Local\qHd\mfpmp.exe
C:\Users\Admin\AppData\Local\qHd\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3744

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:3636

C:\Users\Admin\AppData\Local\aKV\cmstp.exe
C:\Users\Admin\AppData\Local\aKV\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3476

C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
1⤵
PID:2156

C:\Users\Admin\AppData\Local\iXigaXhC\WMPDMC.exe
C:\Users\Admin\AppData\Local\iXigaXhC\WMPDMC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\aKV\VERSION.dll
Filesize
993KB

MD5
4792c7d0a09a7aa837f216682830e352

SHA1
cbba5ae6c4f17dba242573d64f7ba97b811ae5f7

SHA256
be2fc0a6ec9db1d6e420c16ffa54ee40fdd6e05d9b6dda3c23c1eeb27afe6295

SHA512
315377e371b21cca76c586d1e5da8135d9500b944c5b9212699bcf0c873f06a6c345820b146ddc31fe64ea422c1961bbc439f0f5f85ca05dff79a8ea331f45a2

Download Submit
C:\Users\Admin\AppData\Local\aKV\cmstp.exe
Filesize
96KB

MD5
4cc43fe4d397ff79fa69f397e016df52

SHA1
8fd6cf81ad40c9b123cd75611860a8b95c72869c

SHA256
f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

SHA512
851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

Download Submit
C:\Users\Admin\AppData\Local\dV7iv\Narrator.exe
Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Local\iXigaXhC\OLEACC.dll
Filesize
993KB

MD5
70dca81f39a2aa35127f536b5d700c7c

SHA1
b151bee1c6ec3823172c87be9fa235f4bfb79485

SHA256
68127c92facb8cba8efc774e087e298db9bec6951a290116e94f26f7e38c01b4

SHA512
4f977cfade7d133fdb4e1e44de65b1eebca01806435bcac53726f3660d0c5a5c447280918f1d48f5c8745eb1a74500e1e1396259cb335b2a2e331dbfaacc476c

Download Submit
C:\Users\Admin\AppData\Local\iXigaXhC\WMPDMC.exe
Filesize
1.5MB

MD5
59ce6e554da0a622febce19eb61c4d34

SHA1
176a4a410cb97b3d4361d2aea0edbf17e15d04c7

SHA256
c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

SHA512
e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

Download Submit
C:\Users\Admin\AppData\Local\qHd\MFPlat.DLL
Filesize
1000KB

MD5
dd7af17405725194b505227b56385edb

SHA1
9cac62b6ac109296c39d161fa01bdec0ac3ccd59

SHA256
b44d92bb5961f8a0fc82cb60586b16bf460fcdb9a902794c0ebd9eb7019f5c5f

SHA512
c46443afea4c8f892c92ecf3b5aca5d9a081060146a537e718c14e716af621ba80778e88b7647870ed73b016b2f690ab713f786b58852ea25596ecb4f0f289ed

Download Submit
C:\Users\Admin\AppData\Local\qHd\mfpmp.exe
Filesize
46KB

MD5
8f8fd1988973bac0c5244431473b96a5

SHA1
ce81ea37260d7cafe27612606cf044921ad1304c

SHA256
27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

SHA512
a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize
1KB

MD5
bfc611d9e2866de8dcae46296fbba2e7

SHA1
e96f87b7609dc2c70ec7e0e18bf0b586676f83fb

SHA256
23b5c2ffe3364042cef356c1e4668fb800e3219ed0eb08e1e88fbeade0cf12ee

SHA512
c33ebb8eba993555ab3af3c6d43457e7bafd71a02c3892b3afa363e39a4ab90e3bb0e03bce88d993849c4ba79460982b1663811730cd3774fcf4daa230a48851

Download Submit
memory/3248-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3248-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3248-3-0x00000235E7B90000-0x00000235E7B97000-memory.dmp

Filesize
28KB

Download
memory/3476-76-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3476-73-0x0000028695030000-0x0000028695037000-memory.dmp

Filesize
28KB

Download
memory/3476-70-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3520-93-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3520-90-0x000001ECEB210000-0x000001ECEB217000-memory.dmp

Filesize
28KB

Download
memory/3544-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-6-0x00007FFEB48BA000-0x00007FFEB48BB000-memory.dmp

Filesize
4KB

Download
memory/3544-33-0x00007FFEB5410000-0x00007FFEB5420000-memory.dmp

Filesize
64KB

Download
memory/3544-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-4-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/3544-32-0x0000000002C30000-0x0000000002C37000-memory.dmp

Filesize
28KB

Download
memory/3744-58-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3744-55-0x0000019DE8040000-0x0000019DE8047000-memory.dmp

Filesize
28KB

Download
memory/3744-52-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads