dridex | 46c447cd6bab5cf7dc2a900f657f9c7757b531ebe05e186f7d0770f8f8319e3c

General

Target

72608747a45a7319e8a366c80c12b5f1_JaffaCakes118.dll
Size

992KB
MD5

72608747a45a7319e8a366c80c12b5f1
SHA1

211042d8e9ba7565645574feaef38139f279b517
SHA256

46c447cd6bab5cf7dc2a900f657f9c7757b531ebe05e186f7d0770f8f8319e3c
SHA512

13147d62893262189621788d4de4ed4b35ff2b9e5e2f36bfcd46aa8b0f4ff3eb78b1637d0028398a0b80c1b8ef816f832d9bc6cf445986b1ff243c7ab100d2e4
SSDEEP

24576:NVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:NV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1184-5-0x0000000002DD0000-0x0000000002DD1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesDataExecutionPrevention.exemsdt.exemsinfo32.exe

pid process

2664 SystemPropertiesDataExecutionPrevention.exe
2556 msdt.exe
1512 msinfo32.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesDataExecutionPrevention.exemsdt.exemsinfo32.exe

pid process

1184
2664 SystemPropertiesDataExecutionPrevention.exe
1184
2556 msdt.exe
1184
1512 msinfo32.exe
1184

pid	process
2664	SystemPropertiesDataExecutionPrevention.exe
2556	msdt.exe
1512	msinfo32.exe

pid	process
1184
2664	SystemPropertiesDataExecutionPrevention.exe
1184
2556	msdt.exe
1184
1512	msinfo32.exe
1184

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gdussggr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\ZJUQp62pB9X\\msdt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesDataExecutionPrevention.exemsdt.exemsinfo32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1960	rundll32.exe
1960	rundll32.exe
1960	rundll32.exe
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1184 wrote to memory of 2784	1184	SystemPropertiesDataExecutionPrevention.exe
PID 1184 wrote to memory of 2784	1184	SystemPropertiesDataExecutionPrevention.exe
PID 1184 wrote to memory of 2784	1184	SystemPropertiesDataExecutionPrevention.exe
PID 1184 wrote to memory of 2664	1184	SystemPropertiesDataExecutionPrevention.exe
PID 1184 wrote to memory of 2664	1184	SystemPropertiesDataExecutionPrevention.exe
PID 1184 wrote to memory of 2664	1184	SystemPropertiesDataExecutionPrevention.exe
PID 1184 wrote to memory of 2516	1184	msdt.exe
PID 1184 wrote to memory of 2516	1184	msdt.exe
PID 1184 wrote to memory of 2516	1184	msdt.exe
PID 1184 wrote to memory of 2556	1184	msdt.exe
PID 1184 wrote to memory of 2556	1184	msdt.exe
PID 1184 wrote to memory of 2556	1184	msdt.exe
PID 1184 wrote to memory of 1628	1184	msinfo32.exe
PID 1184 wrote to memory of 1628	1184	msinfo32.exe
PID 1184 wrote to memory of 1628	1184	msinfo32.exe
PID 1184 wrote to memory of 1512	1184	msinfo32.exe
PID 1184 wrote to memory of 1512	1184	msinfo32.exe
PID 1184 wrote to memory of 1512	1184	msinfo32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\72608747a45a7319e8a366c80c12b5f1_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1960

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:2784

C:\Users\Admin\AppData\Local\P72XHGR\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\P72XHGR\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2664

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:2516

C:\Users\Admin\AppData\Local\YYAQHw4U\msdt.exe
C:\Users\Admin\AppData\Local\YYAQHw4U\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2556

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:1628

C:\Users\Admin\AppData\Local\KlZItu0\msinfo32.exe
C:\Users\Admin\AppData\Local\KlZItu0\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1512

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\YYAQHw4U\DUser.dll
Filesize
995KB

MD5
f33cc6f7ac62331dcfdca59ff476ab92

SHA1
3c0c1a24dddf07bf906f39745553c1ca0b2fa8f1

SHA256
f75e24a9b708cf997b6228419b2d50dbf5e2607ffa3d725b78d96adf2ac32699

SHA512
33364e590c5957add796ae3f1fc654141d2b37710e2d9636544c53a1ee3c96fae2633151b6168b1a572470fe3331081697707997af4c977295699d10c65f367b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Smfbypnq.lnk
Filesize
1KB

MD5
318aae46697032c752ce6aa80b39a274

SHA1
83b1f53eae0bd1e560e0804eb7caab7c72c0ff78

SHA256
65b0865dda739a01c51530e6bb84c664323de2d4ccceb1d0dfe3e3647af50e79

SHA512
cac161c0dfc69c4fe50b9ac02653500390fbdbdfe1ef1a27173321be491f3b9457a05b794ca1fdc1fe264db58fe4de610ab72e788501ee3183aec3d46d0e7eaf

Download Submit
\Users\Admin\AppData\Local\KlZItu0\MFC42u.dll
Filesize
1019KB

MD5
12d14c83046106316b9b645f03e4d12d

SHA1
fe9bbb1081333aeaf80007a4af27367847f9d549

SHA256
cfa773e8ea0fe2716a892f64e24a308c1def5585054b2a896a316c95089757c7

SHA512
8383b8d93f25c429952008b580697c488dce71f478fbecccaa223d7942685845fef4c89e56a2456e7e3bfa4e5743eb173744ab4cea624306736da0a23213cc6d

Download Submit
\Users\Admin\AppData\Local\KlZItu0\msinfo32.exe
Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
\Users\Admin\AppData\Local\P72XHGR\SYSDM.CPL
Filesize
992KB

MD5
20a683e5a0c7dbcce19190e9bc44abab

SHA1
f8eb07df192da4952bed72c12031f512dc9f9b3c

SHA256
a9a7213d9a8e5f8f6303922d243e7a53372d548b56dc8557d9152d6f7543ce41

SHA512
73b81c44e5d0f1abe34cf22af5f121873b909194b66a29b1acb297ad27840915f619ac3f83f740107a11870bd6ac2bd2b377e628f29bcd2d959f37a3ccfef892

Download Submit
\Users\Admin\AppData\Local\P72XHGR\SystemPropertiesDataExecutionPrevention.exe
Filesize
80KB

MD5
e43ff7785fac643093b3b16a9300e133

SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba

SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Download Submit
\Users\Admin\AppData\Local\YYAQHw4U\msdt.exe
Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
memory/1184-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-19-0x0000000002DB0000-0x0000000002DB7000-memory.dmp

Filesize
28KB

Download
memory/1184-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-26-0x0000000077320000-0x0000000077322000-memory.dmp

Filesize
8KB

Download
memory/1184-25-0x0000000077191000-0x0000000077192000-memory.dmp

Filesize
4KB

Download
memory/1184-24-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-4-0x0000000077086000-0x0000000077087000-memory.dmp

Filesize
4KB

Download
memory/1184-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-5-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/1184-72-0x0000000077086000-0x0000000077087000-memory.dmp

Filesize
4KB

Download
memory/1184-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1184-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1512-87-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/1512-90-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1512-93-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/1960-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1960-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1960-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2556-75-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2664-57-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2664-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads