dridex | 61d82c261caf4346ce16385a69192ff356f9bb1455d34802d362f6efdfc199e1

General

Target

791ccdb6ee9aec99c283d3aa5abaf42c_JaffaCakes118.dll
Size

990KB
MD5

791ccdb6ee9aec99c283d3aa5abaf42c
SHA1

aa96e92baa5a5fc4cfb9963bebd1c32ed0b1969b
SHA256

61d82c261caf4346ce16385a69192ff356f9bb1455d34802d362f6efdfc199e1
SHA512

55b4a90eeec621f460b46f91ce478d22f7d9808f2c8e7f18cc89a9af77ee3173a176f3b6e6538a7618b52e74a0879615db9fd54209ff8b584e0884256d8f64db
SSDEEP

24576:SVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:SV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3576-4-0x0000000002830000-0x0000000002831000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

WFS.exemfpmp.exeSystemPropertiesPerformance.exe

pid process

4408 WFS.exe
2280 mfpmp.exe
1360 SystemPropertiesPerformance.exe
Loads dropped DLL 3 IoCs

Processes:

WFS.exemfpmp.exeSystemPropertiesPerformance.exe

pid process

4408 WFS.exe
2280 mfpmp.exe
1360 SystemPropertiesPerformance.exe

pid	process
4408	WFS.exe
2280	mfpmp.exe
1360	SystemPropertiesPerformance.exe

pid	process
4408	WFS.exe
2280	mfpmp.exe
1360	SystemPropertiesPerformance.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hkwligutpbxhkv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\sY\\mfpmp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeWFS.exemfpmp.exeSystemPropertiesPerformance.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2880	rundll32.exe
2880	rundll32.exe
2880	rundll32.exe
2880	rundll32.exe
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3576 wrote to memory of 4904	3576	WFS.exe
PID 3576 wrote to memory of 4904	3576	WFS.exe
PID 3576 wrote to memory of 4408	3576	WFS.exe
PID 3576 wrote to memory of 4408	3576	WFS.exe
PID 3576 wrote to memory of 4948	3576	mfpmp.exe
PID 3576 wrote to memory of 4948	3576	mfpmp.exe
PID 3576 wrote to memory of 2280	3576	mfpmp.exe
PID 3576 wrote to memory of 2280	3576	mfpmp.exe
PID 3576 wrote to memory of 4952	3576	SystemPropertiesPerformance.exe
PID 3576 wrote to memory of 4952	3576	SystemPropertiesPerformance.exe
PID 3576 wrote to memory of 1360	3576	SystemPropertiesPerformance.exe
PID 3576 wrote to memory of 1360	3576	SystemPropertiesPerformance.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\791ccdb6ee9aec99c283d3aa5abaf42c_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:4904

C:\Users\Admin\AppData\Local\seQn\WFS.exe
C:\Users\Admin\AppData\Local\seQn\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4408

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:4948

C:\Users\Admin\AppData\Local\mP7Ve\mfpmp.exe
C:\Users\Admin\AppData\Local\mP7Ve\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2280

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:4952

C:\Users\Admin\AppData\Local\uWB\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\uWB\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mP7Ve\MFPlat.DLL
Filesize
998KB

MD5
6c182c264967690b432a53607372a215

SHA1
a5482e423c098a96a7e96199ae5be5914786ae1c

SHA256
c46d20f2c72f569d02236f73bdf5404dfca28c1d179aaf7d4d3679ab2f1223b0

SHA512
ad509ea9b9443e840ffc78f6723e070bd7839d1207a8cd7c1da4f87bf1713aa7cf08e4adaf2183a56355da903ae7acfa8def031950afa08c4ba0ee2212b8e11e

Download Submit
C:\Users\Admin\AppData\Local\mP7Ve\mfpmp.exe
Filesize
46KB

MD5
8f8fd1988973bac0c5244431473b96a5

SHA1
ce81ea37260d7cafe27612606cf044921ad1304c

SHA256
27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

SHA512
a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

Download Submit
C:\Users\Admin\AppData\Local\seQn\WFS.exe
Filesize
944KB

MD5
3cbc8d0f65e3db6c76c119ed7c2ffd85

SHA1
e74f794d86196e3bbb852522479946cceeed7e01

SHA256
e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

SHA512
26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

Download Submit
C:\Users\Admin\AppData\Local\seQn\WINMM.dll
Filesize
995KB

MD5
3d36b83d5450c4429c8b14bf825b5bff

SHA1
d16eae3de8f4c4e5cef5e1f7e20ba934eb10a06c

SHA256
09c7516ff804cf7579d9350cc3b5e1ad115868d64f087488b4cd841b170e9677

SHA512
f3db27353daf84252c32a6388f696d42c4bda95096b197c6aaefccc795324db9af836ec3b2ba2dee178fe35b9ac8358a33fe6b626d586e8e707ad46d9d9a2546

Download Submit
C:\Users\Admin\AppData\Local\uWB\SYSDM.CPL
Filesize
990KB

MD5
d7bca383f97bcf39c33e591285f38e89

SHA1
7882d07b9c272bc3943fec34b0bb7517a91e8356

SHA256
240a5af8db226396b40a0dd50d3798811e22c30152c8a7c6d88cc713b8aaffad

SHA512
12010fe5fa11f55743d8ebdf942572d3cdf5ae74370e0d4cc7d105c0d1878083cd732ff9810bac8fabc503711909a397a7450aa6f61ad6809f9a79748eedba65

Download Submit
C:\Users\Admin\AppData\Local\uWB\SystemPropertiesPerformance.exe
Filesize
82KB

MD5
e4fbf7cab8669c7c9cef92205d2f2ffc

SHA1
adbfa782b7998720fa85678cc85863b961975e28

SHA256
b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

SHA512
c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zgbuverbplpthj.lnk
Filesize
1KB

MD5
438a23acbcd050fc3265d4dd9083d162

SHA1
a25603b2e45b5aa1efd8c880ee110de68613c5a1

SHA256
b66262ccddc2cb8d04fb8a6f94dd33b5b4b2728308c8245808f465713160e2fc

SHA512
6c423a709faffe29c8530521ef2f202eebf8da0ec5fb89e48c17830a763814718e3c64dad0e467bdf2491d94648af9435334c61de5d253f063889dd80140c2f3

Download Submit
memory/1360-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1360-78-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1360-81-0x000001A8F0AB0000-0x000001A8F0AB7000-memory.dmp

Filesize
28KB

Download
memory/2280-67-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2280-61-0x000001F5377A0000-0x000001F5377A7000-memory.dmp

Filesize
28KB

Download
memory/2880-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2880-0-0x000001FDBCC00000-0x000001FDBCC07000-memory.dmp

Filesize
28KB

Download
memory/2880-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3576-32-0x0000000000C20000-0x0000000000C27000-memory.dmp

Filesize
28KB

Download
memory/3576-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3576-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3576-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3576-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3576-4-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3576-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3576-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3576-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3576-31-0x00007FF92016A000-0x00007FF92016B000-memory.dmp

Filesize
4KB

Download
memory/3576-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3576-33-0x00007FF9218D0000-0x00007FF9218E0000-memory.dmp

Filesize
64KB

Download
memory/3576-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3576-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4408-50-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/4408-47-0x0000012C8F600000-0x0000012C8F607000-memory.dmp

Filesize
28KB

Download
memory/4408-44-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads