dridex | 46c447cd6bab5cf7dc2a900f657f9c7757b531ebe05e186f7d0770f8f8319e3c

General

Target

72608747a45a7319e8a366c80c12b5f1_JaffaCakes118.dll
Size

992KB
MD5

72608747a45a7319e8a366c80c12b5f1
SHA1

211042d8e9ba7565645574feaef38139f279b517
SHA256

46c447cd6bab5cf7dc2a900f657f9c7757b531ebe05e186f7d0770f8f8319e3c
SHA512

13147d62893262189621788d4de4ed4b35ff2b9e5e2f36bfcd46aa8b0f4ff3eb78b1637d0028398a0b80c1b8ef816f832d9bc6cf445986b1ff243c7ab100d2e4
SSDEEP

24576:NVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:NV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3448-4-0x0000000007DB0000-0x0000000007DB1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

isoburn.exeUtilman.exeisoburn.exe

pid process

4980 isoburn.exe
1336 Utilman.exe
4424 isoburn.exe
Loads dropped DLL 3 IoCs

Processes:

isoburn.exeUtilman.exeisoburn.exe

pid process

4980 isoburn.exe
1336 Utilman.exe
4424 isoburn.exe

pid	process
4980	isoburn.exe
1336	Utilman.exe
4424	isoburn.exe

pid	process
4980	isoburn.exe
1336	Utilman.exe
4424	isoburn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ihmks = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\WH8TG7~1\\Utilman.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

isoburn.exerundll32.exeisoburn.exeUtilman.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4524	rundll32.exe
4524	rundll32.exe
4524	rundll32.exe
4524	rundll32.exe
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448
3448

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448
Token: SeShutdownPrivilege	3448
Token: SeCreatePagefilePrivilege	3448

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3448
3448
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3448

pid	process
3448
3448

pid	process
3448

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3448 wrote to memory of 3900	3448	isoburn.exe
PID 3448 wrote to memory of 3900	3448	isoburn.exe
PID 3448 wrote to memory of 4980	3448	isoburn.exe
PID 3448 wrote to memory of 4980	3448	isoburn.exe
PID 3448 wrote to memory of 2040	3448	Utilman.exe
PID 3448 wrote to memory of 2040	3448	Utilman.exe
PID 3448 wrote to memory of 1336	3448	Utilman.exe
PID 3448 wrote to memory of 1336	3448	Utilman.exe
PID 3448 wrote to memory of 456	3448	isoburn.exe
PID 3448 wrote to memory of 456	3448	isoburn.exe
PID 3448 wrote to memory of 4424	3448	isoburn.exe
PID 3448 wrote to memory of 4424	3448	isoburn.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\72608747a45a7319e8a366c80c12b5f1_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4524

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:3900

C:\Users\Admin\AppData\Local\XFvRbC\isoburn.exe
C:\Users\Admin\AppData\Local\XFvRbC\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4980

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:2040

C:\Users\Admin\AppData\Local\wBo\Utilman.exe
C:\Users\Admin\AppData\Local\wBo\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1336

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:456

C:\Users\Admin\AppData\Local\1PWR5\isoburn.exe
C:\Users\Admin\AppData\Local\1PWR5\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1PWR5\UxTheme.dll

Filesize
995KB

MD5
cd997e8740aa6c7ffaaad3889da430db

SHA1
ce4675e1569ae12b293ddf770d6aaa35c3e2af4b

SHA256
cf7edca9f2a91785f03d51df0332929b09d6e5b6e8bb8707031d5db3660640df

SHA512
0e8e4449de561fa5eed84be5ce61dc822c6efccdb2a4b5b2b95675d38efb317da0713ec434fb8351cf27034e7ca44d72d89ff23ea09cebbad6949551a7d5c71e

Download Submit
C:\Users\Admin\AppData\Local\XFvRbC\UxTheme.dll

Filesize
995KB

MD5
81181d3a04d12c2bc8f6407a130a5a91

SHA1
c7538c69d1b9d15253fe80b08418af1e121c1697

SHA256
767a540c060632e1d1e5619e2636d46a0523e88718393272457a93d01bae17ee

SHA512
216d6c2380ebfdb9b95acf2f4a1736f64744003e775a01a6bfe430ed36da936f311412b0f328a46e45074f10893f6563e99852056c2ab273dc059d166ab4f2c3

Download Submit
C:\Users\Admin\AppData\Local\XFvRbC\isoburn.exe

Filesize
119KB

MD5
68078583d028a4873399ae7f25f64bad

SHA1
a3c928fe57856a10aed7fee17670627fe663e6fe

SHA256
9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567

SHA512
25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

Download Submit
C:\Users\Admin\AppData\Local\wBo\DUser.dll

Filesize
996KB

MD5
1c289951ec0c1574b1c1701f026e5ec7

SHA1
35c1d615d1b8d36b116476fe2eec7fe4861436c3

SHA256
99c0f3f0461ca055ad46a2179b156569418b3a6b32bbd31ed864fd609931a182

SHA512
990efdd2fb03897f100a621a4a6e569d0a4eb53d5b10a78f308c434bf5397bb0bb8e57b146c58175648aabd0e248805e6d7095c944c6638ab83200b4fb68a36d

Download Submit
C:\Users\Admin\AppData\Local\wBo\Utilman.exe

Filesize
123KB

MD5
a117edc0e74ab4770acf7f7e86e573f7

SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yvephsk.lnk

Filesize
1KB

MD5
a6dea3d6a92265705d31fbd7fb6b9667

SHA1
e57820c4c6df72fd04fa0b5ba72aac67c50d50ca

SHA256
777c07ddedae2e9e419a5be84e32478b6f1dda7d3bac0c3c3d898f792f99dffc

SHA512
f33a0ef5e9312c63759fc20216606ba2a9bac31a640c1a960023ed3399d8b8567ce4906a041eaac6e8aa999cc7d672ac8457fe106cdd7c2d2c6bcd8ae2736107

Download Submit
memory/1336-67-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1336-61-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1336-64-0x000001A02F180000-0x000001A02F187000-memory.dmp

Filesize
28KB

Download
memory/3448-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-36-0x00007FFA8A4D0000-0x00007FFA8A4E0000-memory.dmp

Filesize
64KB

Download
memory/3448-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-4-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/3448-13-0x00007FFA8A2AA000-0x00007FFA8A2AB000-memory.dmp

Filesize
4KB

Download
memory/3448-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-35-0x0000000007D90000-0x0000000007D97000-memory.dmp

Filesize
28KB

Download
memory/3448-32-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3448-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4424-81-0x0000024D05440000-0x0000024D05447000-memory.dmp

Filesize
28KB

Download
memory/4424-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4524-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4524-3-0x000001F1D1860000-0x000001F1D1867000-memory.dmp

Filesize
28KB

Download
memory/4524-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4980-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4980-47-0x0000022485E70000-0x0000022485E77000-memory.dmp

Filesize
28KB

Download
memory/4980-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads