dridex | 059d1b17a6ca578711f0f2cd12a71b4d9349fbbb0e4ab273c29ef464aa776354

General

Target

90d39f9ec98db742751322a9a5548598_JaffaCakes118.dll
Size

994KB
MD5

90d39f9ec98db742751322a9a5548598
SHA1

b952239166fce6b42c30fd9225d67e404593f9a7
SHA256

059d1b17a6ca578711f0f2cd12a71b4d9349fbbb0e4ab273c29ef464aa776354
SHA512

edb620dbe08ab02d95d60b7fc9cc925c7e6e04f98d159120a2178ad07d65646571e5ebabac60f06cac963ade15ae5126958963c3f9852f211e0fb94891f847c9
SSDEEP

24576:zVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:zV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1208-5-0x0000000003050000-0x0000000003051000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

UI0Detect.exeSoundRecorder.exeNetplwiz.exe

pid process

2620 UI0Detect.exe
1960 SoundRecorder.exe
1132 Netplwiz.exe
Loads dropped DLL 7 IoCs

Processes:

UI0Detect.exeSoundRecorder.exeNetplwiz.exe

pid process

1208
2620 UI0Detect.exe
1208
1960 SoundRecorder.exe
1208
1132 Netplwiz.exe
1208

pid	process
2620	UI0Detect.exe
1960	SoundRecorder.exe
1132	Netplwiz.exe

pid	process
1208
2620	UI0Detect.exe
1208
1960	SoundRecorder.exe
1208
1132	Netplwiz.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aknlhzir = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\SYSTEM~1\\1Xi95\\SOUNDR~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeUI0Detect.exeSoundRecorder.exeNetplwiz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UI0Detect.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoundRecorder.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1276	rundll32.exe
1276	rundll32.exe
1276	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 2588	1208	UI0Detect.exe
PID 1208 wrote to memory of 2588	1208	UI0Detect.exe
PID 1208 wrote to memory of 2588	1208	UI0Detect.exe
PID 1208 wrote to memory of 2620	1208	UI0Detect.exe
PID 1208 wrote to memory of 2620	1208	UI0Detect.exe
PID 1208 wrote to memory of 2620	1208	UI0Detect.exe
PID 1208 wrote to memory of 1992	1208	SoundRecorder.exe
PID 1208 wrote to memory of 1992	1208	SoundRecorder.exe
PID 1208 wrote to memory of 1992	1208	SoundRecorder.exe
PID 1208 wrote to memory of 1960	1208	SoundRecorder.exe
PID 1208 wrote to memory of 1960	1208	SoundRecorder.exe
PID 1208 wrote to memory of 1960	1208	SoundRecorder.exe
PID 1208 wrote to memory of 2548	1208	Netplwiz.exe
PID 1208 wrote to memory of 2548	1208	Netplwiz.exe
PID 1208 wrote to memory of 2548	1208	Netplwiz.exe
PID 1208 wrote to memory of 1132	1208	Netplwiz.exe
PID 1208 wrote to memory of 1132	1208	Netplwiz.exe
PID 1208 wrote to memory of 1132	1208	Netplwiz.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\90d39f9ec98db742751322a9a5548598_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1276

C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\UI0Detect.exe
1⤵
PID:2588

C:\Users\Admin\AppData\Local\etBip\UI0Detect.exe
C:\Users\Admin\AppData\Local\etBip\UI0Detect.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2620

C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
1⤵
PID:1992

C:\Users\Admin\AppData\Local\8Jlg\SoundRecorder.exe
C:\Users\Admin\AppData\Local\8Jlg\SoundRecorder.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1960

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2548

C:\Users\Admin\AppData\Local\wug4c\Netplwiz.exe
C:\Users\Admin\AppData\Local\wug4c\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8Jlg\UxTheme.dll

Filesize
996KB

MD5
0852abd25873b18488b3825fe344b473

SHA1
e5469004962690d288fdf1329515cb473f97dd50

SHA256
b4a543e76bb07b52ae15676fb5261aab5f858dc6ce787a999210a2125a53bbff

SHA512
98caa42ac9cab84ec022afff1caaa609530b935b17125e503deb01cef0df7a4a3f27050c7182c0b808b74f0348849790184252ad75ee1d693d556c8af50ed9b8

Download Submit
C:\Users\Admin\AppData\Local\etBip\WINSTA.dll

Filesize
999KB

MD5
83200010b6b9c42d9b781698961490ef

SHA1
aea5114a7b67682b013b66bb24fe28caac7e6a3a

SHA256
4daf6a5af2fd854484adf054453da511909638f409838b35375a298cbd472d42

SHA512
3c79cababe069b8a119ebdd5a0628df03c428d6bd9f30f61ea15ccb149c2f440646b6064aaeb15499329e5a9b22b3e52833560b1f4fcebfe1e511167462e224c

Download Submit
C:\Users\Admin\AppData\Local\wug4c\NETPLWIZ.dll

Filesize
994KB

MD5
fea3195f2897d690c7ba3b7775ba72f4

SHA1
2d499ceb9941e7011e80ccf9ed019757c72472ce

SHA256
5f6bec04232b137499b7c1e9c1cf6534f538ecb54a2c6132d99a27ea8ca7df84

SHA512
a8dd99d6b71a2eb60114ea8ef00cd52d0d7816507d228b7c5609e326fd421a3079e9d8bf93a399d16d5a44d55478144a56a08d1d99bd3b542fe5535091b7457e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qscjinkjzo.lnk

Filesize
1KB

MD5
86b92f3722dccbe632ea62ac34ced4e7

SHA1
68e5a345c12d320a1df7d563d8bc787da41a9046

SHA256
a191a5a7fd78b6cbaf85639113b036ab34453142c472d27b66a068618125236a

SHA512
581a6be59c54bf9b116a3f81e8c79865a6e8412fd6a7866634b4b204db379a8caf0b4219a4b11c6a8fefbfa85c474d4ef31f4dcb8ebc50f4ddce08504f16399b

Download Submit
\Users\Admin\AppData\Local\8Jlg\SoundRecorder.exe

Filesize
139KB

MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
\Users\Admin\AppData\Local\etBip\UI0Detect.exe

Filesize
40KB

MD5
3cbdec8d06b9968aba702eba076364a1

SHA1
6e0fcaccadbdb5e3293aa3523ec1006d92191c58

SHA256
b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

SHA512
a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

Download Submit
\Users\Admin\AppData\Local\wug4c\Netplwiz.exe

Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
memory/1132-96-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/1132-90-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1208-36-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-9-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-7-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-25-0x00000000029C0000-0x00000000029C7000-memory.dmp

Filesize
28KB

Download
memory/1208-29-0x0000000077120000-0x0000000077122000-memory.dmp

Filesize
8KB

Download
memory/1208-28-0x0000000076F91000-0x0000000076F92000-memory.dmp

Filesize
4KB

Download
memory/1208-24-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-13-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-37-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-10-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-8-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-11-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-12-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-71-0x0000000076D86000-0x0000000076D87000-memory.dmp

Filesize
4KB

Download
memory/1208-4-0x0000000076D86000-0x0000000076D87000-memory.dmp

Filesize
4KB

Download
memory/1208-5-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/1208-14-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1208-15-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1276-0-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1276-45-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1276-3-0x0000000001D00000-0x0000000001D07000-memory.dmp

Filesize
28KB

Download
memory/1960-72-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1960-78-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/1960-73-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/2620-59-0x0000000140000000-0x0000000140100000-memory.dmp

Filesize
1024KB

Download
memory/2620-53-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2620-54-0x0000000140000000-0x0000000140100000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads