dridex | 1e40b83aa9fd11b7a5f1ee17496c217882b5b0faab433efcd69cb2c6fb40f704

General

Target

909d13887bb69f31030b77aed5290a46_JaffaCakes118.dll
Size

986KB
MD5

909d13887bb69f31030b77aed5290a46
SHA1

7f31628f6675c319a6ddd6473cf87a2a2dc38f7f
SHA256

1e40b83aa9fd11b7a5f1ee17496c217882b5b0faab433efcd69cb2c6fb40f704
SHA512

cc549dec063c91a336136a5beac0e14d2077a43933a1aef3465e4f4543080120b6a8734bacff2a579a7bf80389c56539ded7cc364f3fe0dce82039d4764ca12e
SSDEEP

24576:0VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:0V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-5-0x0000000002EF0000-0x0000000002EF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

cmstp.exemmc.exeSystemPropertiesProtection.exe

pid process

2480 cmstp.exe
2936 mmc.exe
1544 SystemPropertiesProtection.exe
Loads dropped DLL 7 IoCs

Processes:

cmstp.exemmc.exeSystemPropertiesProtection.exe

pid process

1196
2480 cmstp.exe
1196
2936 mmc.exe
1196
1544 SystemPropertiesProtection.exe
1196

pid	process
2480	cmstp.exe
2936	mmc.exe
1544	SystemPropertiesProtection.exe

pid	process
1196
2480	cmstp.exe
1196
2936	mmc.exe
1196
1544	SystemPropertiesProtection.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\sys\\kHofa2\\mmc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execmstp.exemmc.exeSystemPropertiesProtection.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 2436	1196	cmstp.exe
PID 1196 wrote to memory of 2436	1196	cmstp.exe
PID 1196 wrote to memory of 2436	1196	cmstp.exe
PID 1196 wrote to memory of 2480	1196	cmstp.exe
PID 1196 wrote to memory of 2480	1196	cmstp.exe
PID 1196 wrote to memory of 2480	1196	cmstp.exe
PID 1196 wrote to memory of 2832	1196	mmc.exe
PID 1196 wrote to memory of 2832	1196	mmc.exe
PID 1196 wrote to memory of 2832	1196	mmc.exe
PID 1196 wrote to memory of 2936	1196	mmc.exe
PID 1196 wrote to memory of 2936	1196	mmc.exe
PID 1196 wrote to memory of 2936	1196	mmc.exe
PID 1196 wrote to memory of 328	1196	SystemPropertiesProtection.exe
PID 1196 wrote to memory of 328	1196	SystemPropertiesProtection.exe
PID 1196 wrote to memory of 328	1196	SystemPropertiesProtection.exe
PID 1196 wrote to memory of 1544	1196	SystemPropertiesProtection.exe
PID 1196 wrote to memory of 1544	1196	SystemPropertiesProtection.exe
PID 1196 wrote to memory of 1544	1196	SystemPropertiesProtection.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\909d13887bb69f31030b77aed5290a46_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2168

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:2436

C:\Users\Admin\AppData\Local\y1zj3bo\cmstp.exe
C:\Users\Admin\AppData\Local\y1zj3bo\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2480

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:2832

C:\Users\Admin\AppData\Local\yaDwL\mmc.exe
C:\Users\Admin\AppData\Local\yaDwL\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2936

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:328

C:\Users\Admin\AppData\Local\pJ7aBC\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\pJ7aBC\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\pJ7aBC\SYSDM.CPL

Filesize
986KB

MD5
47e9614abc5499ad55fd8e39ea0f686b

SHA1
1679b915b46c30b3aa9971d97a4d20ca1f18bed0

SHA256
961466ce555336954f0b4d0d0d642e0f3b00388ca69e372e732fa5f348aedd25

SHA512
4e21c9874451f2d4a249cacdc50aa5fe9d9e71ca827aa2e6c9626d0a2eea250892704c1c54fc8d8cdfca100a14f43401eecbd12c3977356ae3b713af26817693

Download Submit
C:\Users\Admin\AppData\Local\y1zj3bo\VERSION.dll

Filesize
986KB

MD5
f590c9cecb315044e50329d163b4e956

SHA1
5091afa426bbe48d2563a6e65a4f93b83246b80f

SHA256
910135225ffb41995c1f61ee545c59208ffcf9fa910110eb2a1ff29f7316531c

SHA512
2f077b3d02886750802a1ad57aee33cf84a827d43d2528b8e24bfdef251c1a21c2d75b1abd4501f0104a04de797a9aee2ae9283b86e84743c3b7bd131ce91ef9

Download Submit
C:\Users\Admin\AppData\Local\yaDwL\UxTheme.dll

Filesize
988KB

MD5
b94b94354709bb79339386f27a3f70f9

SHA1
12f91a7a8ed36bf9be9bed4bf67e0e7058737a75

SHA256
e2546534f0b4145a054bd7c6d550763897cb17e54d846af0a2e92762e3c40d3b

SHA512
d534cfb8731177ba2847a16452f8697b983b9ce05a45a1a051dc6c0dbadf8b768ee717c87d348bf0deb34ae7f3b741f9d65fc1f1951f3fe78bfd42bf90c1014b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnk

Filesize
1KB

MD5
2b83a6dbd4b4cab3ef873be5c601b496

SHA1
222c53555f6c601c49cfab198382471f14c7d716

SHA256
668714ce98df0554bbc82f46a17bcd41152c360687ea392440ac33c2ebfa386c

SHA512
62b5b2a722ec2e596143994910541232f4287a4e6c36b2176a6ee82beb1c5fd7e56cabad20c1e3dfaea41b509f8b72d3c3a1f0ef40c262f0ed2200c00914ff56

Download Submit
\Users\Admin\AppData\Local\pJ7aBC\SystemPropertiesProtection.exe

Filesize
80KB

MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Local\y1zj3bo\cmstp.exe

Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Local\yaDwL\mmc.exe

Filesize
2.0MB

MD5
9fea051a9585f2a303d55745b4bf63aa

SHA1
f5dc12d658402900a2b01af2f018d113619b96b8

SHA256
b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

SHA512
beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

Download Submit
memory/1196-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-25-0x0000000077721000-0x0000000077722000-memory.dmp

Filesize
4KB

Download
memory/1196-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-26-0x00000000778B0000-0x00000000778B2000-memory.dmp

Filesize
8KB

Download
memory/1196-4-0x0000000077516000-0x0000000077517000-memory.dmp

Filesize
4KB

Download
memory/1196-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-24-0x0000000002B10000-0x0000000002B17000-memory.dmp

Filesize
28KB

Download
memory/1196-5-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1196-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1196-63-0x0000000077516000-0x0000000077517000-memory.dmp

Filesize
4KB

Download
memory/1544-92-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/1544-95-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2168-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2168-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2168-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2480-58-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2480-55-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2480-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2936-71-0x0000000001C20000-0x0000000001C27000-memory.dmp

Filesize
28KB

Download
memory/2936-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads