dridex | 19c4a9564a46442c3034f30e9175124a304eff0398e72c39e739f94ac8566e2c

General

Target

7d3637031005ca4e7d31d0035afba188_JaffaCakes118.dll
Size

1.2MB
MD5

7d3637031005ca4e7d31d0035afba188
SHA1

343c4fdf5714552ee078fd09c094425c3d8b048b
SHA256

19c4a9564a46442c3034f30e9175124a304eff0398e72c39e739f94ac8566e2c
SHA512

2251467cdaaa88c8c7a8d9b61a23a098f07341bc67700492238a5ab2ba030de8243dd9815e190110075ba8ef528427bc39afd5d344abd1fecf3050036ba52f53
SSDEEP

24576:vyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI0:vyWRKTt/QlPVp3h9d

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1068-5-0x0000000002E50000-0x0000000002E51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

xpsrchvw.exesethc.exePresentationSettings.exe

pid process

2444 xpsrchvw.exe
1264 sethc.exe
2648 PresentationSettings.exe
Loads dropped DLL 7 IoCs

Processes:

xpsrchvw.exesethc.exePresentationSettings.exe

pid process

1068
2444 xpsrchvw.exe
1068
1264 sethc.exe
1068
2648 PresentationSettings.exe
1068

pid	process
2444	xpsrchvw.exe
1264	sethc.exe
2648	PresentationSettings.exe

pid	process
1068
2444	xpsrchvw.exe
1068
1264	sethc.exe
1068
2648	PresentationSettings.exe
1068

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ydmmtcuy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2721934792-624042501-2768869379-1000\\1pvzP\\sethc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sethc.exePresentationSettings.exerundll32.exexpsrchvw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2196	rundll32.exe
2196	rundll32.exe
2196	rundll32.exe
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068
1068

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1068 wrote to memory of 2556	1068	xpsrchvw.exe
PID 1068 wrote to memory of 2556	1068	xpsrchvw.exe
PID 1068 wrote to memory of 2556	1068	xpsrchvw.exe
PID 1068 wrote to memory of 2444	1068	xpsrchvw.exe
PID 1068 wrote to memory of 2444	1068	xpsrchvw.exe
PID 1068 wrote to memory of 2444	1068	xpsrchvw.exe
PID 1068 wrote to memory of 1244	1068	sethc.exe
PID 1068 wrote to memory of 1244	1068	sethc.exe
PID 1068 wrote to memory of 1244	1068	sethc.exe
PID 1068 wrote to memory of 1264	1068	sethc.exe
PID 1068 wrote to memory of 1264	1068	sethc.exe
PID 1068 wrote to memory of 1264	1068	sethc.exe
PID 1068 wrote to memory of 2204	1068	PresentationSettings.exe
PID 1068 wrote to memory of 2204	1068	PresentationSettings.exe
PID 1068 wrote to memory of 2204	1068	PresentationSettings.exe
PID 1068 wrote to memory of 2648	1068	PresentationSettings.exe
PID 1068 wrote to memory of 2648	1068	PresentationSettings.exe
PID 1068 wrote to memory of 2648	1068	PresentationSettings.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d3637031005ca4e7d31d0035afba188_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:2556

C:\Users\Admin\AppData\Local\QrgxnT\xpsrchvw.exe
C:\Users\Admin\AppData\Local\QrgxnT\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2444

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:1244

C:\Users\Admin\AppData\Local\wwBD\sethc.exe
C:\Users\Admin\AppData\Local\wwBD\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1264

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:2204

C:\Users\Admin\AppData\Local\J7nSO4O\PresentationSettings.exe
C:\Users\Admin\AppData\Local\J7nSO4O\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2648

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\J7nSO4O\Secur32.dll
Filesize
1.2MB

MD5
69e2ef77c3f76bdc7336b35e4b51bc44

SHA1
368df25d49f78902b964ad6fe0fadf3861a5b0bf

SHA256
e0e039f197ffa95be5eb217609a1b1c3ef371bb1723ad97564ffef77f2044b37

SHA512
6b6448ed8086c2c5673a8a1ebaa8508a57cc627385d9ced11b6ba8a78bbccbc320500efcbd818ada71f2acd422903f17c9b30e2010893db219af5221a476f517

Download Submit
C:\Users\Admin\AppData\Local\QrgxnT\WINMM.dll
Filesize
1.2MB

MD5
a782bbdcbdc374c28f2cf82a064b6d08

SHA1
b378c9df7cf494850c3c28eec3c8cc9272ba8334

SHA256
ca21e7d00ddb4d07b4ec5e00ed0684868adebc2b2389a11b4891a4de464a890e

SHA512
6c6c86d8ae673f90e0456e1f9fa98294a221800a9bc81045200969f0d8ac4ce9e2854506913e84e04a17a9787c0d2c25420369091ee91ea54911b54c18e288ec

Download Submit
C:\Users\Admin\AppData\Local\QrgxnT\xpsrchvw.exe
Filesize
4.6MB

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
C:\Users\Admin\AppData\Local\wwBD\DUI70.dll
Filesize
1.4MB

MD5
85b6ea9d33c06fcb09482dfa1ea11d82

SHA1
1a98c80fe9ed061cfd1a70d86c528360aac09007

SHA256
905d2fa7824b1007dd70c3ace580ba6428dc2da981885172d8232570d2b22edb

SHA512
ec41a4051d4318b3f68418018214f9681274c32a73b6fc3686adc8bb09581a78d66c2f5699ccff4eab840982ea266f8eab3de81e65d5c4015804d3643bcd14c7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Piadwmdtymfdd.lnk
Filesize
1KB

MD5
6539356c1f116102aeb10b3d778dc296

SHA1
5686e816741d07e1660d539aee3a3035d68fd46f

SHA256
9003052794688a767cdba1190082690cc071b33c8d8a7855334dc2e4fd3cd21c

SHA512
1663ba5dbdc4dcee6111cffc636a3ee258ed5a823ef4d1b9a3e1d2a1e9a887a57489649006f22aba3d99cc364259a76fc595151cf5ae9821e717af027fa51e15

Download Submit
\Users\Admin\AppData\Local\J7nSO4O\PresentationSettings.exe
Filesize
172KB

MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
\Users\Admin\AppData\Local\wwBD\sethc.exe
Filesize
272KB

MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
memory/1068-28-0x0000000077860000-0x0000000077862000-memory.dmp

Filesize
8KB

Download
memory/1068-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-4-0x00000000774C6000-0x00000000774C7000-memory.dmp

Filesize
4KB

Download
memory/1068-27-0x00000000776D1000-0x00000000776D2000-memory.dmp

Filesize
4KB

Download
memory/1068-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-26-0x0000000002E30000-0x0000000002E37000-memory.dmp

Filesize
28KB

Download
memory/1068-25-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-34-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-33-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-5-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1068-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-74-0x00000000774C6000-0x00000000774C7000-memory.dmp

Filesize
4KB

Download
memory/1068-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1068-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1264-75-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1264-76-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/1264-81-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/2196-42-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2196-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2196-0-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2444-55-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2444-50-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2444-53-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2648-93-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2648-98-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads