dridex | dc8f78c6a53282cabb3e927485a34e2dcf018d3493baf07635cac74cb908ba39

General

Target

803482d842575c5bcb8cd5082d09f034_JaffaCakes118.dll
Size

1.2MB
MD5

803482d842575c5bcb8cd5082d09f034
SHA1

b84814b784597703a722edc11563e49dc0c16515
SHA256

dc8f78c6a53282cabb3e927485a34e2dcf018d3493baf07635cac74cb908ba39
SHA512

4e7303b8bbbd09ae8c41f3899a29c437c96931fda762d380dceb4156c168bdb9ce66533720a7dadb9802039cb79e5fd18b34fbf99ff18ab9477ca0c9fdf4b121
SSDEEP

24576:NyTonNVlKTt/Q5ECvVP7hpJMvjtKpvPf9+m6kLRqgSyI:NyWRKTt/QlPVp3h9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3424-4-0x0000000007890000-0x0000000007891000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ProximityUxHost.exesystemreset.exewbengine.exe

pid process

1092 ProximityUxHost.exe
1844 systemreset.exe
3824 wbengine.exe
Loads dropped DLL 3 IoCs

Processes:

ProximityUxHost.exesystemreset.exewbengine.exe

pid process

1092 ProximityUxHost.exe
1844 systemreset.exe
3824 wbengine.exe

pid	process
1092	ProximityUxHost.exe
1844	systemreset.exe
3824	wbengine.exe

pid	process
1092	ProximityUxHost.exe
1844	systemreset.exe
3824	wbengine.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eeaxmqtu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\frhkw\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeProximityUxHost.exesystemreset.exewbengine.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProximityUxHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wbengine.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1208	rundll32.exe
1208	rundll32.exe
1208	rundll32.exe
1208	rundll32.exe
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424
3424

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424
Token: SeShutdownPrivilege	3424
Token: SeCreatePagefilePrivilege	3424

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3424
3424
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3424

pid	process
3424
3424

pid	process
3424

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3424 wrote to memory of 3508	3424	ProximityUxHost.exe
PID 3424 wrote to memory of 3508	3424	ProximityUxHost.exe
PID 3424 wrote to memory of 1092	3424	ProximityUxHost.exe
PID 3424 wrote to memory of 1092	3424	ProximityUxHost.exe
PID 3424 wrote to memory of 4772	3424	systemreset.exe
PID 3424 wrote to memory of 4772	3424	systemreset.exe
PID 3424 wrote to memory of 1844	3424	systemreset.exe
PID 3424 wrote to memory of 1844	3424	systemreset.exe
PID 3424 wrote to memory of 1468	3424	wbengine.exe
PID 3424 wrote to memory of 1468	3424	wbengine.exe
PID 3424 wrote to memory of 3824	3424	wbengine.exe
PID 3424 wrote to memory of 3824	3424	wbengine.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\803482d842575c5bcb8cd5082d09f034_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Windows\system32\ProximityUxHost.exe
C:\Windows\system32\ProximityUxHost.exe
1⤵
PID:3508

C:\Users\Admin\AppData\Local\06o\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\06o\ProximityUxHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1092

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:4772

C:\Users\Admin\AppData\Local\zFowW5g\systemreset.exe
C:\Users\Admin\AppData\Local\zFowW5g\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1844

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:1468

C:\Users\Admin\AppData\Local\NiMJ\wbengine.exe
C:\Users\Admin\AppData\Local\NiMJ\wbengine.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3824

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\06o\ProximityUxHost.exe
Filesize
263KB

MD5
9ea326415b83d77295c70a35feb75577

SHA1
f8fc6a4f7f97b242f35066f61d305e278155b8a8

SHA256
192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f

SHA512
2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

Download Submit
C:\Users\Admin\AppData\Local\06o\dwmapi.dll
Filesize
1.2MB

MD5
e0a72ec2285b5b794c8dde41109a069b

SHA1
04cec3f682f65ad37282f3fef91926b5abfcaf7b

SHA256
47fbb9bec4f2ad79c768616171dca20eaae84a1ff49c94a6866b49fb9136a465

SHA512
b0bb6f784f61a216a3e60b3e59241c05bbcab885d87b5ec92602be35345e50d586b8f28e02358d4ea5f95ca486934b38bb00c59746d0980a89be7f27108c35c1

Download Submit
C:\Users\Admin\AppData\Local\NiMJ\XmlLite.dll
Filesize
1.2MB

MD5
190030840102737dd315dd21cd615d9b

SHA1
a70dbbf2640ac849db5d5a6c958f7e752a76842f

SHA256
13a2a4cfcd20a5edabde05cd33aaf6545c334a296c63e031f6991cf732e51ddc

SHA512
751496f1a6d0c22dc19d6c22473cb173634e4e5543a1c9ee749ecc0724780f15934452efb2262a06f126b793c87517876d937c83729e336ff4354746a02bc998

Download Submit
C:\Users\Admin\AppData\Local\NiMJ\wbengine.exe
Filesize
1.5MB

MD5
17270a354a66590953c4aac1cf54e507

SHA1
715babcc8e46b02ac498f4f06df7937904d9798d

SHA256
9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

SHA512
6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

Download Submit
C:\Users\Admin\AppData\Local\zFowW5g\DUI70.dll
Filesize
1.5MB

MD5
47b8ca62bd56be29a94e2bf286b3bfdf

SHA1
a71167066930538ce54cc1327eee5fb961f8f9c5

SHA256
8e6545c2f2cd00bf35c985e0b080553ecdb4395a5fe78e4b2d7828c45e85a3df

SHA512
d4207cc0248c2b44fa6f1b878f0f031d466de295660f2a3a442ae8fd0eeff926250a210bece96258c887664b1a1909cde1959e7e2e38f09754caf25b2ce2ad97

Download Submit
C:\Users\Admin\AppData\Local\zFowW5g\systemreset.exe
Filesize
508KB

MD5
325ff647506adb89514defdd1c372194

SHA1
84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

SHA256
ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

SHA512
8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rkjap.lnk
Filesize
1KB

MD5
bd016aecd18606ae8ce9ff8fc58e592c

SHA1
c5564deeb28ae6ddabed6b74ec6e453192436f02

SHA256
4e0b4a72b8070c71e575ed5e52a312ce414afc29896316d22ed6c4d6eb6b0e8a

SHA512
0997656d97c4b5230204c87de90c5e824bf0d2abbd05072039a9db1f5aa5a2c3a8cf4a8b5778a3077913c50455c85025cb6c3a5d23e8df926f661cf3438288ff

Download Submit
memory/1092-48-0x000002190F330000-0x000002190F337000-memory.dmp

Filesize
28KB

Download
memory/1092-51-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1092-45-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1208-0-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1208-38-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1208-3-0x000001B79BFB0000-0x000001B79BFB7000-memory.dmp

Filesize
28KB

Download
memory/1844-65-0x000002278CB80000-0x000002278CB87000-memory.dmp

Filesize
28KB

Download
memory/1844-62-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1844-68-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3424-23-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3424-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3424-6-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3424-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3424-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3424-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3424-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3424-4-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/3424-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3424-27-0x00007FFD9908A000-0x00007FFD9908B000-memory.dmp

Filesize
4KB

Download
memory/3424-28-0x0000000007870000-0x0000000007877000-memory.dmp

Filesize
28KB

Download
memory/3424-35-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3424-29-0x00007FFD9A570000-0x00007FFD9A580000-memory.dmp

Filesize
64KB

Download
memory/3424-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3424-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3824-84-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads