dridex | dc8f78c6a53282cabb3e927485a34e2dcf018d3493baf07635cac74cb908ba39

General

Target

803482d842575c5bcb8cd5082d09f034_JaffaCakes118.dll
Size

1.2MB
MD5

803482d842575c5bcb8cd5082d09f034
SHA1

b84814b784597703a722edc11563e49dc0c16515
SHA256

dc8f78c6a53282cabb3e927485a34e2dcf018d3493baf07635cac74cb908ba39
SHA512

4e7303b8bbbd09ae8c41f3899a29c437c96931fda762d380dceb4156c168bdb9ce66533720a7dadb9802039cb79e5fd18b34fbf99ff18ab9477ca0c9fdf4b121
SSDEEP

24576:NyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:NyWRKTt/QlPVp3h9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1172-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

isoburn.exemsinfo32.exedwm.exe

pid process

2544 isoburn.exe
2768 msinfo32.exe
1860 dwm.exe
Loads dropped DLL 7 IoCs

Processes:

isoburn.exemsinfo32.exedwm.exe

pid process

1172
2544 isoburn.exe
1172
2768 msinfo32.exe
1172
1860 dwm.exe
1172

pid	process
2544	isoburn.exe
2768	msinfo32.exe
1860	dwm.exe

pid	process
1172
2544	isoburn.exe
1172
2768	msinfo32.exe
1172
1860	dwm.exe
1172

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\Xf1FXGB\\msinfo32.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeisoburn.exemsinfo32.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1884	rundll32.exe
1884	rundll32.exe
1884	rundll32.exe
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172
1172

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1172 wrote to memory of 2504	1172	isoburn.exe
PID 1172 wrote to memory of 2504	1172	isoburn.exe
PID 1172 wrote to memory of 2504	1172	isoburn.exe
PID 1172 wrote to memory of 2544	1172	isoburn.exe
PID 1172 wrote to memory of 2544	1172	isoburn.exe
PID 1172 wrote to memory of 2544	1172	isoburn.exe
PID 1172 wrote to memory of 2780	1172	msinfo32.exe
PID 1172 wrote to memory of 2780	1172	msinfo32.exe
PID 1172 wrote to memory of 2780	1172	msinfo32.exe
PID 1172 wrote to memory of 2768	1172	msinfo32.exe
PID 1172 wrote to memory of 2768	1172	msinfo32.exe
PID 1172 wrote to memory of 2768	1172	msinfo32.exe
PID 1172 wrote to memory of 300	1172	dwm.exe
PID 1172 wrote to memory of 300	1172	dwm.exe
PID 1172 wrote to memory of 300	1172	dwm.exe
PID 1172 wrote to memory of 1860	1172	dwm.exe
PID 1172 wrote to memory of 1860	1172	dwm.exe
PID 1172 wrote to memory of 1860	1172	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\803482d842575c5bcb8cd5082d09f034_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1884

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:2504

C:\Users\Admin\AppData\Local\EftBOp\isoburn.exe
C:\Users\Admin\AppData\Local\EftBOp\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2544

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:2780

C:\Users\Admin\AppData\Local\Ga7IKLZ\msinfo32.exe
C:\Users\Admin\AppData\Local\Ga7IKLZ\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2768

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:300

C:\Users\Admin\AppData\Local\kBqse\dwm.exe
C:\Users\Admin\AppData\Local\kBqse\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1860

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EftBOp\UxTheme.dll
Filesize
1.2MB

MD5
50ff27122f33560660387b05bd68cf34

SHA1
f49eb0e91c82918d9c71b81a382f07f45bb10e03

SHA256
59c16059e6820c7a772f0a7d4cbf8ddef0c3480e49ebb5e3553478753b36b7dc

SHA512
8435222af50bf112d5e560583a0a5f3736f78829873c8ef98a55c00f5fbfd4ec132f026719626be3cfef3014ffa509ee77dc624c6bf996eab3940fadc0680fd9

Download Submit
C:\Users\Admin\AppData\Local\EftBOp\isoburn.exe
Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
C:\Users\Admin\AppData\Local\Ga7IKLZ\MFC42u.dll
Filesize
1.3MB

MD5
c27aa0e16e693d8de781a8fa411b30b0

SHA1
7cfdcf8ee1b81948f420648fa9b366f871677a34

SHA256
cb4c280d3cc01340fb32d2877d9a6dcab13710c7aeb544d8f4f916e1804a37ea

SHA512
f8fa771017d0935f20ea0982114ea5e7fd7339f330b185614ee4b6381115607d5ec651107dd2896c34a83cb77a7d7b88537e1a757df9f73ce6e1af925acd3d38

Download Submit
C:\Users\Admin\AppData\Local\Ga7IKLZ\msinfo32.exe
Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
C:\Users\Admin\AppData\Local\kBqse\UxTheme.dll
Filesize
1.2MB

MD5
80a3a9d8c510548485384928c3c20df7

SHA1
873d2887acc1f217b5863925abe4aeecc695443d

SHA256
11e4ce6f73a2e3a364e7c4b8c7d766caee8b99e1763b95dc3d50377fe386438a

SHA512
dfc70dbcf57aa35d98c1ee02d0b1ad577dea78bff8b59ab885df45091c4d54bd0d098410db2c962cb28910edc78b75a2b0451015b6e2e9e6981827ab7de5ebcc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
Filesize
1KB

MD5
ca4419a8f351b4fe6b404b06e03339b5

SHA1
c2f7403cc85af26181faecda8c279bba356c5a61

SHA256
856057c0722a1e16d2fcced0e765dcf32d2f296c55c76af9d1c3458261cf2fd2

SHA512
6d4ac0892fe7aca1de543547dd2e933a99e3dde6d96a1bd6543217ad020276c591edba265372be575e253e77e7cce50f3bc273aa29ed8967f4628e79674acf26

Download Submit
\Users\Admin\AppData\Local\kBqse\dwm.exe
Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
memory/1172-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1172-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1172-27-0x0000000076FF0000-0x0000000076FF2000-memory.dmp

Filesize
8KB

Download
memory/1172-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1172-26-0x0000000076E61000-0x0000000076E62000-memory.dmp

Filesize
4KB

Download
memory/1172-25-0x0000000002DC0000-0x0000000002DC7000-memory.dmp

Filesize
28KB

Download
memory/1172-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1172-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1172-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1172-4-0x0000000076C56000-0x0000000076C57000-memory.dmp

Filesize
4KB

Download
memory/1172-37-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1172-36-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1172-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/1172-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1172-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1172-74-0x0000000076C56000-0x0000000076C57000-memory.dmp

Filesize
4KB

Download
memory/1172-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1172-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1860-93-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/1860-94-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1884-45-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1884-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1884-1-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2544-59-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2544-54-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2544-53-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2768-71-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2768-77-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads