dridex | 23af8a04d56b123342384a11c863a934154029823ee3e5e744a9fbedbb4dac12

General

Target

890585cd2e7a7240f8717a699df466c6_JaffaCakes118.dll
Size

1.2MB
MD5

890585cd2e7a7240f8717a699df466c6
SHA1

905cc34008102e2497e9dbb3e11a1cd0a5b591ba
SHA256

23af8a04d56b123342384a11c863a934154029823ee3e5e744a9fbedbb4dac12
SHA512

3135756a9194a05256d9caf0ecf06ea3abe15c080e7c2b09b4419d8a95c4856a500cb5ab2e0afb0a1f2ade9c51877c56064b29148542dbc7da51e203dc1562d2
SSDEEP

24576:5uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:r9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-5-0x0000000002990000-0x0000000002991000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

WFS.exewinlogon.exeosk.exe

pid process

2368 WFS.exe
1960 winlogon.exe
1768 osk.exe
Loads dropped DLL 7 IoCs

Processes:

WFS.exewinlogon.exeosk.exe

pid process

1204
2368 WFS.exe
1204
1960 winlogon.exe
1204
1768 osk.exe
1204

pid	process
2368	WFS.exe
1960	winlogon.exe
1768	osk.exe

pid	process
1204
2368	WFS.exe
1204
1960	winlogon.exe
1204
1768	osk.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\8DzdBvb2TEk\\winlogon.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

osk.exerundll32.exeWFS.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2612	rundll32.exe
2612	rundll32.exe
2612	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 1564	1204	WFS.exe
PID 1204 wrote to memory of 1564	1204	WFS.exe
PID 1204 wrote to memory of 1564	1204	WFS.exe
PID 1204 wrote to memory of 2368	1204	WFS.exe
PID 1204 wrote to memory of 2368	1204	WFS.exe
PID 1204 wrote to memory of 2368	1204	WFS.exe
PID 1204 wrote to memory of 1808	1204	winlogon.exe
PID 1204 wrote to memory of 1808	1204	winlogon.exe
PID 1204 wrote to memory of 1808	1204	winlogon.exe
PID 1204 wrote to memory of 1960	1204	winlogon.exe
PID 1204 wrote to memory of 1960	1204	winlogon.exe
PID 1204 wrote to memory of 1960	1204	winlogon.exe
PID 1204 wrote to memory of 2284	1204	osk.exe
PID 1204 wrote to memory of 2284	1204	osk.exe
PID 1204 wrote to memory of 2284	1204	osk.exe
PID 1204 wrote to memory of 1768	1204	osk.exe
PID 1204 wrote to memory of 1768	1204	osk.exe
PID 1204 wrote to memory of 1768	1204	osk.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\890585cd2e7a7240f8717a699df466c6_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2612

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:1564

C:\Users\Admin\AppData\Local\NMfx2\WFS.exe
C:\Users\Admin\AppData\Local\NMfx2\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2368

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:1808

C:\Users\Admin\AppData\Local\l6Tzd\winlogon.exe
C:\Users\Admin\AppData\Local\l6Tzd\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1960

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2284

C:\Users\Admin\AppData\Local\7pups\osk.exe
C:\Users\Admin\AppData\Local\7pups\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1768

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7pups\osk.exe
Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
C:\Users\Admin\AppData\Local\NMfx2\MFC42u.dll
Filesize
1.2MB

MD5
fa90450f5e6137787248c021446ea10a

SHA1
f21b8760781683be5fcb6306bbb9c687f7e69590

SHA256
617407796aafff4db97160ceced104aec644e2497337e63d0ac5d15ed36702f4

SHA512
c9064677d9052d20952d10ef697de48608a7a8bf6bb94249cfb9c2f2282012697e927d79907c9b078f2ed7ce268cf817cb77ba7f8a50deb77aff8b660a711554

Download Submit
C:\Users\Admin\AppData\Local\NMfx2\WFS.exe
Filesize
951KB

MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
C:\Users\Admin\AppData\Local\l6Tzd\WINSTA.dll
Filesize
1.2MB

MD5
04252d269d2c555f9cc572db89791d08

SHA1
e0a6bc9a187fbb7f38b4eccc43a9c209960484bf

SHA256
c0b8a76c41dac14ec05ac385a05633c088f7afbe85bfff8f5e0d549cd0315808

SHA512
86f88708fc8854887a4954ce7101ad46c650380cf77ef25cb8dd9043f7fc47848db0753e4e952572a8b34cef24f2ee67c1e8d018c248640d00a7456c27689e96

Download Submit
C:\Users\Admin\AppData\Local\l6Tzd\winlogon.exe
Filesize
381KB

MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk
Filesize
1KB

MD5
47e7dad1a424803ace6eb86437eca6a2

SHA1
cc7c9e7ea73a3439ce3c81d1cd0f5dbfebe62c58

SHA256
d997cbfa18426cc756c78e94f4b42599609f2f18d067e4864c4650364b035774

SHA512
221d3edf76034cb678850c2ef7c704f011e4ea6d8390025a0c30e6e19dd09b3cc8df6e4f279ae1643940ed7059ba4528ac017e1318b6d3c87c3b0e285d131f9b

Download Submit
\Users\Admin\AppData\Local\7pups\WMsgAPI.dll
Filesize
1.2MB

MD5
34b502b4ae3c6ecde86475663d544a5c

SHA1
667ad14446337367fd2744933bc9ae3ece358368

SHA256
f619f78136d417f7e5818aec0cb35fe2041dc045853e385072285963f46463e0

SHA512
9d3202dcbf04c26a02a4350ddaaa4dac2aa256d29f4e27fc61b21e6797f46d27dfbb729152659edb3df8b89b77fcf8d341d43104889519308220117373891179

Download Submit
memory/1204-17-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-26-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-18-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-4-0x0000000077866000-0x0000000077867000-memory.dmp

Filesize
4KB

Download
memory/1204-16-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-14-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-13-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-12-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-11-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-10-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-9-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-8-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-15-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-5-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/1204-36-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-35-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-31-0x0000000077B00000-0x0000000077B02000-memory.dmp

Filesize
8KB

Download
memory/1204-30-0x0000000077971000-0x0000000077972000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1204-27-0x0000000002210000-0x0000000002217000-memory.dmp

Filesize
28KB

Download
memory/1204-61-0x0000000077866000-0x0000000077867000-memory.dmp

Filesize
4KB

Download
memory/1768-87-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1768-89-0x000007FEF68C0000-0x000007FEF6A01000-memory.dmp

Filesize
1.3MB

Download
memory/1768-93-0x000007FEF68C0000-0x000007FEF6A01000-memory.dmp

Filesize
1.3MB

Download
memory/1960-69-0x000007FEF68C0000-0x000007FEF6A02000-memory.dmp

Filesize
1.3MB

Download
memory/1960-72-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1960-75-0x000007FEF68C0000-0x000007FEF6A02000-memory.dmp

Filesize
1.3MB

Download
memory/2368-56-0x000007FEF7820000-0x000007FEF7967000-memory.dmp

Filesize
1.3MB

Download
memory/2368-54-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2368-51-0x000007FEF7820000-0x000007FEF7967000-memory.dmp

Filesize
1.3MB

Download
memory/2612-32-0x000007FEF68D0000-0x000007FEF6A10000-memory.dmp

Filesize
1.2MB

Download
memory/2612-0-0x000007FEF68D0000-0x000007FEF6A10000-memory.dmp

Filesize
1.2MB

Download
memory/2612-3-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads