dridex | 059d1b17a6ca578711f0f2cd12a71b4d9349fbbb0e4ab273c29ef464aa776354

General

Target

90d39f9ec98db742751322a9a5548598_JaffaCakes118.dll
Size

994KB
MD5

90d39f9ec98db742751322a9a5548598
SHA1

b952239166fce6b42c30fd9225d67e404593f9a7
SHA256

059d1b17a6ca578711f0f2cd12a71b4d9349fbbb0e4ab273c29ef464aa776354
SHA512

edb620dbe08ab02d95d60b7fc9cc925c7e6e04f98d159120a2178ad07d65646571e5ebabac60f06cac963ade15ae5126958963c3f9852f211e0fb94891f847c9
SSDEEP

24576:zVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:zV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3412-4-0x0000000003170000-0x0000000003171000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sessionmsg.exeSysResetErr.exesessionmsg.exe

pid process

540 sessionmsg.exe
3592 SysResetErr.exe
2556 sessionmsg.exe
Loads dropped DLL 3 IoCs

Processes:

sessionmsg.exeSysResetErr.exesessionmsg.exe

pid process

540 sessionmsg.exe
3592 SysResetErr.exe
2556 sessionmsg.exe

pid	process
540	sessionmsg.exe
3592	SysResetErr.exe
2556	sessionmsg.exe

pid	process
540	sessionmsg.exe
3592	SysResetErr.exe
2556	sessionmsg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\a0ZMrX\\SYSRES~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesessionmsg.exeSysResetErr.exesessionmsg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4964	rundll32.exe
4964	rundll32.exe
4964	rundll32.exe
4964	rundll32.exe
4964	rundll32.exe
4964	rundll32.exe
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412
3412

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3412

pid	process
3412

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3412 wrote to memory of 508	3412	sessionmsg.exe
PID 3412 wrote to memory of 508	3412	sessionmsg.exe
PID 3412 wrote to memory of 540	3412	sessionmsg.exe
PID 3412 wrote to memory of 540	3412	sessionmsg.exe
PID 3412 wrote to memory of 3364	3412	SysResetErr.exe
PID 3412 wrote to memory of 3364	3412	SysResetErr.exe
PID 3412 wrote to memory of 3592	3412	SysResetErr.exe
PID 3412 wrote to memory of 3592	3412	SysResetErr.exe
PID 3412 wrote to memory of 4980	3412	sessionmsg.exe
PID 3412 wrote to memory of 4980	3412	sessionmsg.exe
PID 3412 wrote to memory of 2556	3412	sessionmsg.exe
PID 3412 wrote to memory of 2556	3412	sessionmsg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\90d39f9ec98db742751322a9a5548598_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:508

C:\Users\Admin\AppData\Local\CHPfXbuB8\sessionmsg.exe
C:\Users\Admin\AppData\Local\CHPfXbuB8\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:540

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:3364

C:\Users\Admin\AppData\Local\iQxtZz9hp\SysResetErr.exe
C:\Users\Admin\AppData\Local\iQxtZz9hp\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3592

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:4980

C:\Users\Admin\AppData\Local\SjZE2\sessionmsg.exe
C:\Users\Admin\AppData\Local\SjZE2\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CHPfXbuB8\DUI70.dll
Filesize
1.2MB

MD5
4248a660d028071272b7438169245d27

SHA1
4375f384363fdb3f9e1fac3275d4ad80a2c65463

SHA256
7628f6223e5ef727c9ec03d9747fd721ba637ffd48b2a3346179ece555655951

SHA512
e562b6ea709d9f7a1af2e5d6e0b5784c1c891dad2685b11a84f9864311c09768146b98b46ffaa6af79b9e4b6c58960d509973fc782bf3285c55d37784d7ff661

Download Submit
C:\Users\Admin\AppData\Local\CHPfXbuB8\sessionmsg.exe
Filesize
85KB

MD5
480f710806b68dfe478ca1ec7d7e79cc

SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd

SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Download Submit
C:\Users\Admin\AppData\Local\SjZE2\DUI70.dll
Filesize
1.2MB

MD5
4a9298a938f748d48aa2694ae7ea159f

SHA1
f20d101d835242e1d27a74dceebb50a8c2668e17

SHA256
3d18c84f226605089c39c869998df33cc4e363e8b5b1eab7e67bd4fcaa8645f1

SHA512
bdf5cd6975f915f6b2e3563aa2c2273c5d7e7235aa304d731a2ee408c3e8c4a4bb18ce0d071f7175077f598b2cb326076f5b6f53fe21c77e6e62873546d86407

Download Submit
C:\Users\Admin\AppData\Local\iQxtZz9hp\DUI70.dll
Filesize
1.2MB

MD5
02d38035ad724d35b0a5dbefaeb85c24

SHA1
86edd692bab1acc771d2788e8d06e353b820ffe2

SHA256
ed6e2f7c5b69e9280445b10a50065049f1c92408cdc2e1d457329deafac48552

SHA512
6ff7e7ee3a3dda1ded731343c2cb6ed86b21cedb3beffb8462ddd33c5f2157110d5c7c1caf7cb06aa30a6b281de948bbe181a0ac8a2bf3044fc90628f72c7717

Download Submit
C:\Users\Admin\AppData\Local\iQxtZz9hp\SysResetErr.exe
Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Arcabpqqvo.lnk
Filesize
1KB

MD5
14d7e88c112bcce45a6f73b66d3959b1

SHA1
3c448a78170cf5b59468d0786f9a152d8195df9d

SHA256
102d5ddf161f4fc91d70e070f4c3a03233e47c24a6723fb8385b48fde51c8a15

SHA512
c8319e6eaac3494698aec6fd1157a8b168e77ceccc31910084f4cdf7980256661eae23c25f6a5570904c03b7cf90aeb93ab54156e9b857f24f230d7e4a870259

Download Submit
memory/540-51-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/540-45-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/540-48-0x00000277481C0000-0x00000277481C7000-memory.dmp

Filesize
28KB

Download
memory/2556-85-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2556-82-0x0000024763480000-0x0000024763487000-memory.dmp

Filesize
28KB

Download
memory/3412-36-0x0000000001180000-0x0000000001187000-memory.dmp

Filesize
28KB

Download
memory/3412-35-0x00007FFADDECA000-0x00007FFADDECB000-memory.dmp

Filesize
4KB

Download
memory/3412-14-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3412-8-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3412-7-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3412-6-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3412-4-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/3412-10-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3412-11-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3412-9-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3412-32-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3412-12-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3412-37-0x00007FFADEF10000-0x00007FFADEF20000-memory.dmp

Filesize
64KB

Download
memory/3412-23-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3412-13-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3592-68-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3592-62-0x00000285226C0000-0x00000285226C7000-memory.dmp

Filesize
28KB

Download
memory/4964-1-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/4964-38-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/4964-3-0x00000182E6AD0000-0x00000182E6AD7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads