dridex | 4b25b71b0279a338fc387043f74376f4d3d9b8151df7238b3c02b90fc9a69251

General

Target

88ddb49e0375d67f2af8e44d70096880_JaffaCakes118.dll
Size

987KB
MD5

88ddb49e0375d67f2af8e44d70096880
SHA1

a2b8b6a7f7f3361f2a8180d6060dc6e8b6d3e2a2
SHA256

4b25b71b0279a338fc387043f74376f4d3d9b8151df7238b3c02b90fc9a69251
SHA512

df5bd61c1a39a83b3ab9ab6f9b49bc5109fb17d437ef97140ef576b6d742d3a28f2f3002a123f1e761f0c53a97e136b7ce573ae8135503ca34fcbad26f699053
SSDEEP

24576:sVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL89:sV8hf6STw1ZlQauvzSq01ICe6zvm6

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3544-4-0x0000000002ED0000-0x0000000002ED1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

WFS.exepsr.exedxgiadaptercache.exe

pid process

2344 WFS.exe
648 psr.exe
3572 dxgiadaptercache.exe
Loads dropped DLL 4 IoCs

Processes:

WFS.exepsr.exedxgiadaptercache.exe

pid process

2344 WFS.exe
648 psr.exe
648 psr.exe
3572 dxgiadaptercache.exe

pid	process
2344	WFS.exe
648	psr.exe
3572	dxgiadaptercache.exe

pid	process
2344	WFS.exe
648	psr.exe
648	psr.exe
3572	dxgiadaptercache.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Welddizcvtwl = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\2LsNmlxm\\psr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

psr.exedxgiadaptercache.exerundll32.exeWFS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544
3544

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3544

pid	process
3544

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3544 wrote to memory of 1228	3544	WFS.exe
PID 3544 wrote to memory of 1228	3544	WFS.exe
PID 3544 wrote to memory of 2344	3544	WFS.exe
PID 3544 wrote to memory of 2344	3544	WFS.exe
PID 3544 wrote to memory of 468	3544	psr.exe
PID 3544 wrote to memory of 468	3544	psr.exe
PID 3544 wrote to memory of 648	3544	psr.exe
PID 3544 wrote to memory of 648	3544	psr.exe
PID 3544 wrote to memory of 2320	3544	dxgiadaptercache.exe
PID 3544 wrote to memory of 2320	3544	dxgiadaptercache.exe
PID 3544 wrote to memory of 3572	3544	dxgiadaptercache.exe
PID 3544 wrote to memory of 3572	3544	dxgiadaptercache.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\88ddb49e0375d67f2af8e44d70096880_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4080

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:1228

C:\Users\Admin\AppData\Local\425\WFS.exe
C:\Users\Admin\AppData\Local\425\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2344

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:468

C:\Users\Admin\AppData\Local\Q6ps\psr.exe
C:\Users\Admin\AppData\Local\Q6ps\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:648

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:2320

C:\Users\Admin\AppData\Local\2QAE\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\2QAE\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2QAE\dxgi.dll
Filesize
988KB

MD5
8a08a2b995c60b08afdf24392e8f1cbc

SHA1
c31ba950fa0baeaf7380fd11e0406e246ed30d0d

SHA256
d293c4e3bcc7b96f28afa54a91e4b0ab1f289479d6600ec2094102e3678ddec7

SHA512
f842096205345390f106d15a2521c2b1418c41bfe267e27507d5b1c83a1694bad4215035959365da532c3d128679fbb914541f691698fdbc4775a162610726c2

Download Submit
C:\Users\Admin\AppData\Local\2QAE\dxgiadaptercache.exe
Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
C:\Users\Admin\AppData\Local\425\WFS.exe
Filesize
944KB

MD5
3cbc8d0f65e3db6c76c119ed7c2ffd85

SHA1
e74f794d86196e3bbb852522479946cceeed7e01

SHA256
e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

SHA512
26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

Download Submit
C:\Users\Admin\AppData\Local\425\credui.dll
Filesize
988KB

MD5
fe370dabf2f06750e1cec8dcd4b5a370

SHA1
6baaf27ebbf66f7e7ad8a736d4140408fb3d89b9

SHA256
3d327276ca0ca5cc03451a68149117b7243345c946769173c1943ed576af2e27

SHA512
456dd8b29e9378b870ea962799fa682fe4da190a71b8c23c9d6166facb0ad982a829c1309ebfd775ffcd1d842887104233fd959396b7da35ca8a8897c7852224

Download Submit
C:\Users\Admin\AppData\Local\Q6ps\VERSION.dll
Filesize
988KB

MD5
55d4d1f94207358d888901ae8d64a337

SHA1
827e8b50afd4439e42a2750b6b218cf10cbfa317

SHA256
cf7f287e51ecd82896eb24f55f90a21fc9cd2bb170252da097f77501f303cc95

SHA512
630b61759a58bd67883667c1331ff70611b98f67aa0c3a9ce00de50ddf6721e7cbf9a7962baa42f064b10375bb933c3d7ee78d1bb761279933b39fc38e39c483

Download Submit
C:\Users\Admin\AppData\Local\Q6ps\psr.exe
Filesize
232KB

MD5
ad53ead5379985081b7c3f1f357e545a

SHA1
6f5aa32c1d15fbf073558fadafd046d97b60184e

SHA256
4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

SHA512
433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hjyomsugwtoazg.lnk
Filesize
1KB

MD5
4bd2ca94a10959fd3f4f2de67fb3710e

SHA1
ab917ccf596bee361a7a9a437dcff58820a8dd79

SHA256
835b357b3ffcac2ba14f0dc18caad57991496dddb0c5bbf4255c3b34ea4f08a5

SHA512
022e43fcfd4bc7c780f64462d0939e3e7556f00c9a080eedbfac938a989793601f84e3d20ceb8936258b9e0a55bdb33510d28331104e8d83d9675537711b1307

Download Submit
memory/648-68-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/648-62-0x0000018E91850000-0x0000018E91857000-memory.dmp

Filesize
28KB

Download
memory/2344-44-0x000002BB7D6B0000-0x000002BB7D6B7000-memory.dmp

Filesize
28KB

Download
memory/2344-45-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2344-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3544-32-0x0000000002C70000-0x0000000002C77000-memory.dmp

Filesize
28KB

Download
memory/3544-31-0x00007FFC44BCA000-0x00007FFC44BCB000-memory.dmp

Filesize
4KB

Download
memory/3544-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-4-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/3544-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-33-0x00007FFC459B0000-0x00007FFC459C0000-memory.dmp

Filesize
64KB

Download
memory/3544-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3544-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3572-82-0x00000265BB0E0000-0x00000265BB0E7000-memory.dmp

Filesize
28KB

Download
memory/3572-85-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4080-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4080-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4080-3-0x00000233A9170000-0x00000233A9177000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads