dridex | c83732ddabc264f9189e924b6644cbc263292ffd804a71a6ae270cd35d271f6f

General

Target

75041e080029f4260716ff47118a17c9_JaffaCakes118.dll
Size

994KB
MD5

75041e080029f4260716ff47118a17c9
SHA1

fdc117f6d7d18d6598fc9567ede55f1e7d8ff660
SHA256

c83732ddabc264f9189e924b6644cbc263292ffd804a71a6ae270cd35d271f6f
SHA512

0f290adb6563ef04f7201fb8291f66b234aad9509ec4b99e1d9298e394934fce9460a701f28eac75575a1cec03bc7c83084ab2dc14d079ba474b92b6368c6e64
SSDEEP

24576:lVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:lV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1208-5-0x0000000002550000-0x0000000002551000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dccw.exemsconfig.exeTpmInit.exe

pid process

2700 dccw.exe
1988 msconfig.exe
3016 TpmInit.exe
Loads dropped DLL 7 IoCs

Processes:

dccw.exemsconfig.exeTpmInit.exe

pid process

1208
2700 dccw.exe
1208
1988 msconfig.exe
1208
3016 TpmInit.exe
1208

pid	process
2700	dccw.exe
1988	msconfig.exe
3016	TpmInit.exe

pid	process
1208
2700	dccw.exe
1208
1988	msconfig.exe
1208
3016	TpmInit.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-481678230-3773327859-3495911762-1000\\U4Ytd\\msconfig.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedccw.exemsconfig.exeTpmInit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TpmInit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 2576	1208	dccw.exe
PID 1208 wrote to memory of 2576	1208	dccw.exe
PID 1208 wrote to memory of 2576	1208	dccw.exe
PID 1208 wrote to memory of 2700	1208	dccw.exe
PID 1208 wrote to memory of 2700	1208	dccw.exe
PID 1208 wrote to memory of 2700	1208	dccw.exe
PID 1208 wrote to memory of 2424	1208	msconfig.exe
PID 1208 wrote to memory of 2424	1208	msconfig.exe
PID 1208 wrote to memory of 2424	1208	msconfig.exe
PID 1208 wrote to memory of 1988	1208	msconfig.exe
PID 1208 wrote to memory of 1988	1208	msconfig.exe
PID 1208 wrote to memory of 1988	1208	msconfig.exe
PID 1208 wrote to memory of 2744	1208	TpmInit.exe
PID 1208 wrote to memory of 2744	1208	TpmInit.exe
PID 1208 wrote to memory of 2744	1208	TpmInit.exe
PID 1208 wrote to memory of 3016	1208	TpmInit.exe
PID 1208 wrote to memory of 3016	1208	TpmInit.exe
PID 1208 wrote to memory of 3016	1208	TpmInit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\75041e080029f4260716ff47118a17c9_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2288

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:2576

C:\Users\Admin\AppData\Local\u9Mq\dccw.exe
C:\Users\Admin\AppData\Local\u9Mq\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2700

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2424

C:\Users\Admin\AppData\Local\8hH6\msconfig.exe
C:\Users\Admin\AppData\Local\8hH6\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1988

C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
1⤵
PID:2744

C:\Users\Admin\AppData\Local\WZ8yL53\TpmInit.exe
C:\Users\Admin\AppData\Local\WZ8yL53\TpmInit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3016

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8hH6\MFC42u.dll
Filesize
1022KB

MD5
9ce21544bfbd2c289d63a481f77ac440

SHA1
9ef39222d23f48950c363c588f03c6519246022b

SHA256
b4ee55f723d277e5d10cf1eee576bbba825f23c295f615b579370a0425da9394

SHA512
fef6f23f7cbfeca460ef8866705dbcad97339eba1fd161b944def6d7277b5ed9dc1be1acd4bd8262871febc7320dafd04462ddca0e10eb31e00a7cdb61c98ede

Download Submit
C:\Users\Admin\AppData\Local\WZ8yL53\ACTIVEDS.dll
Filesize
995KB

MD5
0379be1cd8f2a5e416b40355e4aed1fa

SHA1
7c0a1d9c285d8d2f1e06a339cc0ea0aeb40a842d

SHA256
ad9e2eaf6956fb133b8d6513b7601acdd07f989ff2df21927d979b5fba006662

SHA512
c640d12d6fae9f9f4af598e108a314f4b90630344ecefc16f859f2317fb1f66ba5c1cddc47a278e29b82a0ec6001a93c11d30abbd694df3912b143069b1e11a4

Download Submit
C:\Users\Admin\AppData\Local\u9Mq\dccw.exe
Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
Filesize
998B

MD5
fc2d5aa2114eb7cc1e61dec28b776b96

SHA1
de859d6c8b9ec387f443332f695963eaa8046458

SHA256
090559b5723795fdd97531bca05cacb346e26a503a540ff65a51a1b7a7f7bb7c

SHA512
376d8e2dfed31bc066d0c9c28a0c3a3ba720f834aba47fad224131a18cf267322604600367cf84b20dc400665e6a33868ca00ef84b927f43a61212886e9d27a3

Download Submit
\Users\Admin\AppData\Local\8hH6\msconfig.exe
Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
\Users\Admin\AppData\Local\WZ8yL53\TpmInit.exe
Filesize
112KB

MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
\Users\Admin\AppData\Local\u9Mq\mscms.dll
Filesize
998KB

MD5
ba1949eb075e5081211435c95cc90915

SHA1
752d6ed7b5c228a7afd8eeac063de7388109eafb

SHA256
30095ede5247aab9a55ae8208c4ae9869ca793ce57d841abf30750991c7f0266

SHA512
cea501d5b981cab27e970b703c286905cb711e663df9e5a9705f97716aa673e46bc97edee1a2ab564b15c8f4ec1dc25fb7f0f6a95c4735b700eae04ef234de08

Download Submit
memory/1208-37-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-77-0x0000000077A86000-0x0000000077A87000-memory.dmp

Filesize
4KB

Download
memory/1208-26-0x0000000077B91000-0x0000000077B92000-memory.dmp

Filesize
4KB

Download
memory/1208-15-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-14-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-36-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-13-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-12-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-11-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-10-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-8-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-4-0x0000000077A86000-0x0000000077A87000-memory.dmp

Filesize
4KB

Download
memory/1208-5-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1208-24-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-27-0x0000000077D20000-0x0000000077D22000-memory.dmp

Filesize
8KB

Download
memory/1208-7-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-9-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-25-0x0000000002530000-0x0000000002537000-memory.dmp

Filesize
28KB

Download
memory/1988-74-0x0000000140000000-0x0000000140105000-memory.dmp

Filesize
1.0MB

Download
memory/1988-78-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1988-81-0x0000000140000000-0x0000000140105000-memory.dmp

Filesize
1.0MB

Download
memory/2288-45-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2288-0-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2288-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/2700-53-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/2700-56-0x0000000000430000-0x0000000000437000-memory.dmp

Filesize
28KB

Download
memory/2700-58-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/3016-96-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/3016-99-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads