dridex | c374dfc39dd2bf0ef434458bbfd67713b224790ac0555d7f9e27707a8951d6cf

General

Target

7596189221cc1444abc71fd71e5b14c4_JaffaCakes118.dll
Size

1.2MB
MD5

7596189221cc1444abc71fd71e5b14c4
SHA1

f69891c14dd3c9a5c3a8d5f68140ba66e0d54978
SHA256

c374dfc39dd2bf0ef434458bbfd67713b224790ac0555d7f9e27707a8951d6cf
SHA512

1e586b41eb3a757536d61bab08e319959980b2a8502e4d86b75cb443acd0287014ab39363ede54924bac2618cf1e617ea876d05ac3b13a8a46315a1291dfda3a
SSDEEP

24576:FVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:FV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3456-4-0x0000000008230000-0x0000000008231000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

recdisc.exetcmsetup.exebdechangepin.exe

pid process

3340 recdisc.exe
1884 tcmsetup.exe
4300 bdechangepin.exe
Loads dropped DLL 3 IoCs

Processes:

recdisc.exetcmsetup.exebdechangepin.exe

pid process

3340 recdisc.exe
1884 tcmsetup.exe
4300 bdechangepin.exe

pid	process
3340	recdisc.exe
1884	tcmsetup.exe
4300	bdechangepin.exe

pid	process
3340	recdisc.exe
1884	tcmsetup.exe
4300	bdechangepin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\RRWIHS~1\\tcmsetup.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerecdisc.exetcmsetup.exebdechangepin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2816	rundll32.exe
2816	rundll32.exe
2816	rundll32.exe
2816	rundll32.exe
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456
3456

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456
Token: SeShutdownPrivilege	3456
Token: SeCreatePagefilePrivilege	3456

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3456
3456
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3456

pid	process
3456
3456

pid	process
3456

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3456 wrote to memory of 3984	3456	recdisc.exe
PID 3456 wrote to memory of 3984	3456	recdisc.exe
PID 3456 wrote to memory of 3340	3456	recdisc.exe
PID 3456 wrote to memory of 3340	3456	recdisc.exe
PID 3456 wrote to memory of 432	3456	tcmsetup.exe
PID 3456 wrote to memory of 432	3456	tcmsetup.exe
PID 3456 wrote to memory of 1884	3456	tcmsetup.exe
PID 3456 wrote to memory of 1884	3456	tcmsetup.exe
PID 3456 wrote to memory of 3352	3456	bdechangepin.exe
PID 3456 wrote to memory of 3352	3456	bdechangepin.exe
PID 3456 wrote to memory of 4300	3456	bdechangepin.exe
PID 3456 wrote to memory of 4300	3456	bdechangepin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7596189221cc1444abc71fd71e5b14c4_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:3984

C:\Users\Admin\AppData\Local\0p0u8\recdisc.exe
C:\Users\Admin\AppData\Local\0p0u8\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3340

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:432

C:\Users\Admin\AppData\Local\O32V\tcmsetup.exe
C:\Users\Admin\AppData\Local\O32V\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1884

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:3352

C:\Users\Admin\AppData\Local\cAgFPW5I\bdechangepin.exe
C:\Users\Admin\AppData\Local\cAgFPW5I\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0p0u8\ReAgent.dll

Filesize
1.2MB

MD5
2ff7fbc8a98106cc32e3c8270faf62ad

SHA1
6fb61a54dc6d6df6e17aed85b68aa398daeed3c0

SHA256
0f5dc3ad737ac9bcfe2e7fd62a51d88dab576dc6721190bf55e969717f87a28a

SHA512
cf21d4e5acf9a350c4cdcea06eeab9ad9e97f6fbac8cc6fa38214b0f973f6d5eb71afba4c92720b9563219e425d89adc7bc8cddf36645ad011a5b93f611b3bfc

Download Submit
C:\Users\Admin\AppData\Local\0p0u8\recdisc.exe

Filesize
193KB

MD5
18afee6824c84bf5115bada75ff0a3e7

SHA1
d10f287a7176f57b3b2b315a5310d25b449795aa

SHA256
0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

SHA512
517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

Download Submit
C:\Users\Admin\AppData\Local\O32V\TAPI32.dll

Filesize
1.2MB

MD5
77eb13927b545476f835efa21d230a0a

SHA1
eabf8cc470b5a1a4cfa0e0774d84ae8d5b3e6ce1

SHA256
3d5f76a32ca0afc4815a6bd6a7d77fe27ecee79c98345a57a6ee4c89c89235c4

SHA512
81ac5af30de55be24913c54449aa8c2d35fd0b409c3ac7db289d75f9fd4a391d5bdf3ced5d76af4467640b45a2b7eaf05fdc914c8a70e2848c85e0353632fc37

Download Submit
C:\Users\Admin\AppData\Local\O32V\tcmsetup.exe

Filesize
16KB

MD5
58f3b915b9ae7d63431772c2616b0945

SHA1
6346e837da3b0f551becb7cac6d160e3063696e9

SHA256
e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

SHA512
7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

Download Submit
C:\Users\Admin\AppData\Local\cAgFPW5I\DUI70.dll

Filesize
1.5MB

MD5
43a5648997c20b6b41a275ee61d74177

SHA1
6e957aea4343d3efcc6dc6c3017e2a3171c6001b

SHA256
2427682fd5df901e15e3f3ac4e0d94b23da6cfb14efbadd10476c9fd1308c314

SHA512
98afb22840a33e845990e77f522e5982978133227289f200ed375bab91f4ff3cb8c0307ae62d77c0bd469bfc91a50ee0827892cdaec02e95350670b2af689b39

Download Submit
C:\Users\Admin\AppData\Local\cAgFPW5I\bdechangepin.exe

Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk

Filesize
1KB

MD5
6fc23575edc9d55b9cbf158f4c79e9dc

SHA1
4b31262800e2a1f1a416226fa4ca8ab25c6f58f9

SHA256
29a4ff10b6c93c5ad2aff8d87e78d3b1b6ae613d1ddf0121f42735b580651e9f

SHA512
ec34d93fa925c5e2af9c1722f7c073ee93377c1a3946d0a3329549dcbeb5f796c55bca115ace1597c292497a76962a6eb4b1553f9002aab51c153435ab5521b8

Download Submit
memory/1884-69-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/1884-63-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/1884-66-0x0000016AE7EB0000-0x0000016AE7EB7000-memory.dmp

Filesize
28KB

Download
memory/2816-3-0x0000022AC38D0000-0x0000022AC38D7000-memory.dmp

Filesize
28KB

Download
memory/2816-39-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2816-1-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3340-52-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3340-49-0x000001B273D50000-0x000001B273D57000-memory.dmp

Filesize
28KB

Download
memory/3340-46-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3456-30-0x00007FFF85070000-0x00007FFF85080000-memory.dmp

Filesize
64KB

Download
memory/3456-28-0x0000000008210000-0x0000000008217000-memory.dmp

Filesize
28KB

Download
memory/3456-9-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3456-10-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3456-11-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3456-13-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3456-14-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3456-15-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3456-16-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3456-7-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3456-36-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3456-25-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3456-12-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3456-8-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3456-4-0x0000000008230000-0x0000000008231000-memory.dmp

Filesize
4KB

Download
memory/3456-6-0x00007FFF8452A000-0x00007FFF8452B000-memory.dmp

Filesize
4KB

Download
memory/4300-80-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4300-86-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4300-83-0x0000018A8CB20000-0x0000018A8CB27000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads