dridex | c374dfc39dd2bf0ef434458bbfd67713b224790ac0555d7f9e27707a8951d6cf

General

Target

7596189221cc1444abc71fd71e5b14c4_JaffaCakes118.dll
Size

1.2MB
MD5

7596189221cc1444abc71fd71e5b14c4
SHA1

f69891c14dd3c9a5c3a8d5f68140ba66e0d54978
SHA256

c374dfc39dd2bf0ef434458bbfd67713b224790ac0555d7f9e27707a8951d6cf
SHA512

1e586b41eb3a757536d61bab08e319959980b2a8502e4d86b75cb443acd0287014ab39363ede54924bac2618cf1e617ea876d05ac3b13a8a46315a1291dfda3a
SSDEEP

24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-5-0x0000000002550000-0x0000000002551000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msconfig.exespinstall.exeFXSCOVER.exe

pid process

2524 msconfig.exe
2536 spinstall.exe
1036 FXSCOVER.exe
Loads dropped DLL 7 IoCs

Processes:

msconfig.exespinstall.exeFXSCOVER.exe

pid process

1204
2524 msconfig.exe
1204
2536 spinstall.exe
1204
1036 FXSCOVER.exe
1204

pid	process
2524	msconfig.exe
2536	spinstall.exe
1036	FXSCOVER.exe

pid	process
1204
2524	msconfig.exe
1204
2536	spinstall.exe
1204
1036	FXSCOVER.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tonqjizj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\69\\SPINST~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msconfig.exespinstall.exeFXSCOVER.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spinstall.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2904	rundll32.exe
2904	rundll32.exe
2904	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2636	1204	msconfig.exe
PID 1204 wrote to memory of 2636	1204	msconfig.exe
PID 1204 wrote to memory of 2636	1204	msconfig.exe
PID 1204 wrote to memory of 2524	1204	msconfig.exe
PID 1204 wrote to memory of 2524	1204	msconfig.exe
PID 1204 wrote to memory of 2524	1204	msconfig.exe
PID 1204 wrote to memory of 2004	1204	spinstall.exe
PID 1204 wrote to memory of 2004	1204	spinstall.exe
PID 1204 wrote to memory of 2004	1204	spinstall.exe
PID 1204 wrote to memory of 2536	1204	spinstall.exe
PID 1204 wrote to memory of 2536	1204	spinstall.exe
PID 1204 wrote to memory of 2536	1204	spinstall.exe
PID 1204 wrote to memory of 1296	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1296	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1296	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1036	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1036	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1036	1204	FXSCOVER.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7596189221cc1444abc71fd71e5b14c4_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2904

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2636

C:\Users\Admin\AppData\Local\M9TRd\msconfig.exe
C:\Users\Admin\AppData\Local\M9TRd\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2524

C:\Windows\system32\spinstall.exe
C:\Windows\system32\spinstall.exe
1⤵
PID:2004

C:\Users\Admin\AppData\Local\ryWQ\spinstall.exe
C:\Users\Admin\AppData\Local\ryWQ\spinstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2536

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:1296

C:\Users\Admin\AppData\Local\W7dIpkN1g\FXSCOVER.exe
C:\Users\Admin\AppData\Local\W7dIpkN1g\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\M9TRd\MFC42u.dll

Filesize
1.3MB

MD5
c386ceab5ddca775965487d1f92830b2

SHA1
ec747418e6cdd417991014b6143ddbe5dc8a0a53

SHA256
d3230e073ad7ce058d02ddb97635a43562ebfecc7901628ecfdb124b8a654e13

SHA512
e468b2586e97c38c3a32b4ac3c466822ea7e185524b12c7ee03c0729c1d1478719b54c5721d77c26669889b2d1541d4cdd110e376d5eab4a1897c640ec291504

Download Submit
C:\Users\Admin\AppData\Local\W7dIpkN1g\FXSCOVER.exe

Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
C:\Users\Admin\AppData\Local\W7dIpkN1g\MFC42u.dll

Filesize
1.3MB

MD5
8a3266f6cfc424fc9393a425fc50b68a

SHA1
bfabb93f707574375731d0b46b088614f0c110cb

SHA256
5454d1fd5a58ea1e51b011aa9752e20a74d334f2402b591c3d3cea2d520db269

SHA512
84a7d5de9f16f0e06fc28d3ff1cc629856d751cb1479d59b9447952016e9aadb45a6947ec7fe39848772370b0836f3aac93bce32ae9d1959426db6c357312e0b

Download Submit
C:\Users\Admin\AppData\Local\ryWQ\WINBRAND.dll

Filesize
1.2MB

MD5
dfe5f4a9599074e4feb551c949c28676

SHA1
ff8e8a933eb293ac56f78574c6532d0ed50ccdce

SHA256
6091c79ad7c108ca03ccbe28c28875fd43c24e45fb68b072ed0eab31fa476dd9

SHA512
e77b15bb32df7675552fe435356972f0f7e22bc02299957158da3808d15d8ce523aade376e19535fe30327a1f08d4d77ce380050188cec8193325a3324d58eaa

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk

Filesize
976B

MD5
055f55fdbda8e3539077949687e56a35

SHA1
e0c9078d9fd891cbb8135a5ce220e7fec885fe10

SHA256
1db1e18cf9616950080094fa8d7e76761d88a286731f564c5408897afd5e5eea

SHA512
938a8ee6cf748da4bccd5985f6d6ee3afb104c24ee73864d36ee0a13af7c28355c868586366a1d5e46b1659811ad31d315fe2031c0b35c7ca9b9056c0b77929d

Download Submit
\Users\Admin\AppData\Local\M9TRd\msconfig.exe

Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
\Users\Admin\AppData\Local\ryWQ\spinstall.exe

Filesize
584KB

MD5
29c1d5b330b802efa1a8357373bc97fe

SHA1
90797aaa2c56fc2a667c74475996ea1841bc368f

SHA256
048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

SHA512
66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

Download Submit
memory/1036-97-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1036-94-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1204-15-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-26-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-13-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-12-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-11-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-10-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-9-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-28-0x00000000771E0000-0x00000000771E2000-memory.dmp

Filesize
8KB

Download
memory/1204-27-0x0000000077051000-0x0000000077052000-memory.dmp

Filesize
4KB

Download
memory/1204-37-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-38-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-4-0x0000000076F46000-0x0000000076F47000-memory.dmp

Filesize
4KB

Download
memory/1204-5-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1204-14-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-7-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-8-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-75-0x0000000076F46000-0x0000000076F47000-memory.dmp

Filesize
4KB

Download
memory/1204-16-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1204-25-0x0000000002530000-0x0000000002537000-memory.dmp

Filesize
28KB

Download
memory/2524-60-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2524-55-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2524-54-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2536-72-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2536-76-0x0000000000500000-0x0000000000507000-memory.dmp

Filesize
28KB

Download
memory/2536-79-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2904-0-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2904-46-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2904-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads