dridex | 7eea846ab556737ba4219e9371522dace997e9efefee4cb9031e42aff5712ee4

General

Target

8ceef4b694cc0cc7d712ff04e07963f3_JaffaCakes118.dll
Size

993KB
MD5

8ceef4b694cc0cc7d712ff04e07963f3
SHA1

ef0c4d98f1f41416bbb6772bca8801ee93a9b0b8
SHA256

7eea846ab556737ba4219e9371522dace997e9efefee4cb9031e42aff5712ee4
SHA512

a3926becb4c7f4b74f17a2e94f9fb1c3559a3d74bf64e0a2cf269853b258312f70fff49328617a33597140e77e67916ed04710b092e2f35e2da9312541c1ab40
SSDEEP

24576:TVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:TV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

osk.exeAdapterTroubleshooter.execttune.exe

pid process

2652 osk.exe
2960 AdapterTroubleshooter.exe
2968 cttune.exe
Loads dropped DLL 7 IoCs

Processes:

osk.exeAdapterTroubleshooter.execttune.exe

pid process

1200
2652 osk.exe
1200
2960 AdapterTroubleshooter.exe
1200
2968 cttune.exe
1200

pid	process
2652	osk.exe
2960	AdapterTroubleshooter.exe
2968	cttune.exe

pid	process
1200
2652	osk.exe
1200
2960	AdapterTroubleshooter.exe
1200
2968	cttune.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mqdbvnnwgmqj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\efAIy9tSQX\\AdapterTroubleshooter.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeosk.exeAdapterTroubleshooter.execttune.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdapterTroubleshooter.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1084	rundll32.exe
1084	rundll32.exe
1084	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1200 wrote to memory of 2996	1200	osk.exe
PID 1200 wrote to memory of 2996	1200	osk.exe
PID 1200 wrote to memory of 2996	1200	osk.exe
PID 1200 wrote to memory of 2652	1200	osk.exe
PID 1200 wrote to memory of 2652	1200	osk.exe
PID 1200 wrote to memory of 2652	1200	osk.exe
PID 1200 wrote to memory of 2356	1200	AdapterTroubleshooter.exe
PID 1200 wrote to memory of 2356	1200	AdapterTroubleshooter.exe
PID 1200 wrote to memory of 2356	1200	AdapterTroubleshooter.exe
PID 1200 wrote to memory of 2960	1200	AdapterTroubleshooter.exe
PID 1200 wrote to memory of 2960	1200	AdapterTroubleshooter.exe
PID 1200 wrote to memory of 2960	1200	AdapterTroubleshooter.exe
PID 1200 wrote to memory of 2908	1200	cttune.exe
PID 1200 wrote to memory of 2908	1200	cttune.exe
PID 1200 wrote to memory of 2908	1200	cttune.exe
PID 1200 wrote to memory of 2968	1200	cttune.exe
PID 1200 wrote to memory of 2968	1200	cttune.exe
PID 1200 wrote to memory of 2968	1200	cttune.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ceef4b694cc0cc7d712ff04e07963f3_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2996

C:\Users\Admin\AppData\Local\7HaDP\osk.exe
C:\Users\Admin\AppData\Local\7HaDP\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2652

C:\Windows\system32\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
1⤵
PID:2356

C:\Users\Admin\AppData\Local\GKpTopB\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\GKpTopB\AdapterTroubleshooter.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2960

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2908

C:\Users\Admin\AppData\Local\4r9F4HeNJ\cttune.exe
C:\Users\Admin\AppData\Local\4r9F4HeNJ\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2968

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4r9F4HeNJ\UxTheme.dll
Filesize
996KB

MD5
6aa9488ae65ced9a2ca61c47f2b72572

SHA1
207a0ebd5f780ce9035e0f12d244311289c3e0c0

SHA256
2a62ab86e9f5ef8e747d340150285a97372c2d7c439867b3272350d7ec74975b

SHA512
3d136d9574b2faa7f78986f54cc2420e4282284c4ccfd0f52e7733a8d624b6ecdc5110993c5a6171e4321adb84bf62a9743ed00acde2b75abcd71ca874304c3b

Download Submit
C:\Users\Admin\AppData\Local\7HaDP\UxTheme.dll
Filesize
996KB

MD5
60c094cf700c42af4ad7d9298b57faf7

SHA1
c5bc7a7acce83a82c71b09271a2dc41bcdd7db59

SHA256
ab7fc8ad8b487d840173ea9880854143b38411f4ca3de824fa7ff01df704ea57

SHA512
d199a29be2b6624cab03b4f2b99fd9d2ac9263ff7ee4dfc49eafc671b47c4348b7284506f4c6a98655758212efeda48f5330539322f87d4019e4680b29006686

Download Submit
C:\Users\Admin\AppData\Local\GKpTopB\d3d9.dll
Filesize
994KB

MD5
18c805a9e6618cdf409e5a9770deefb3

SHA1
803f801c2f259136d634d12e1b509ace8b85bb5c

SHA256
3568ef9ec22bce88f5f9d54f3c1d3218f9be3db4d872f4bdde5ba2a0c21a3266

SHA512
253d69b6df1a6a2864548b45e6b2590da94cebfefd1b81a01b6ef18b48c18fe1ae5a6497640e014d9e1241c8b6aeca30a900196f97b1a1c0e3efe596dbec09f4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gemerzbimpg.lnk
Filesize
1KB

MD5
23070dd570f17b0e9147e60b84cd706c

SHA1
fe179d3097e1eb8126ca7630c37582914a198944

SHA256
231ae3c61fb686e82612f33ac94a2603a9b54d22ce3fc65c12259e4e6b13af1d

SHA512
62f634a4ecb8bd976f3a61f72371058f07b30dc8ef0b3080c496eb4b29f0f80a9840680140bcd915378426073e0bff2c5e08cad0207ac78bc477e9ce527ff0ed

Download Submit
\Users\Admin\AppData\Local\4r9F4HeNJ\cttune.exe
Filesize
314KB

MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
\Users\Admin\AppData\Local\7HaDP\osk.exe
Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\GKpTopB\AdapterTroubleshooter.exe
Filesize
39KB

MD5
d4170c9ff5b2f85b0ce0246033d26919

SHA1
a76118e8775e16237cf00f2fb79718be0dc84db1

SHA256
d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

SHA512
9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

Download Submit
memory/1084-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1084-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1084-1-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1200-14-0x0000000002D80000-0x0000000002D87000-memory.dmp

Filesize
28KB

Download
memory/1200-15-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1200-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1200-28-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/1200-27-0x0000000077671000-0x0000000077672000-memory.dmp

Filesize
4KB

Download
memory/1200-24-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1200-35-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1200-36-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1200-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1200-70-0x0000000077566000-0x0000000077567000-memory.dmp

Filesize
4KB

Download
memory/1200-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1200-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1200-4-0x0000000077566000-0x0000000077567000-memory.dmp

Filesize
4KB

Download
memory/1200-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/1200-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1200-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1200-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2652-52-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2652-56-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2652-53-0x0000000000160000-0x0000000000167000-memory.dmp

Filesize
28KB

Download
memory/2960-77-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2960-71-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2968-93-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2968-95-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads