dridex | 439fb687b9a2d78aa8385a756084b8c76c40972a59030daa92153cc60b8fa7d1

General

Target

a03c427291b7a95b1aab3b2d9839a4ac_JaffaCakes118.dll
Size

1.2MB
MD5

a03c427291b7a95b1aab3b2d9839a4ac
SHA1

f65ffc2a7a1d263bfa112d9bade412e2907a06fb
SHA256

439fb687b9a2d78aa8385a756084b8c76c40972a59030daa92153cc60b8fa7d1
SHA512

504fcbed01f3c79a4a32bf3646f5ac7d4933e2b0f374a8782b7d227cee484c929c6021c7359e707158d669bbe6fa1a8f887a063b03cb50b45d1e4562adbee208
SSDEEP

24576:WVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:WV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002CF0000-0x0000000002CF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

fvenotify.exeFXSCOVER.execmstp.exe

pid process

2664 fvenotify.exe
3052 FXSCOVER.exe
636 cmstp.exe
Loads dropped DLL 7 IoCs

Processes:

fvenotify.exeFXSCOVER.execmstp.exe

pid process

1200
2664 fvenotify.exe
1200
3052 FXSCOVER.exe
1200
636 cmstp.exe
1200

pid	process
2664	fvenotify.exe
3052	FXSCOVER.exe
636	cmstp.exe

pid	process
1200
2664	fvenotify.exe
1200
3052	FXSCOVER.exe
1200
636	cmstp.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ytaumll = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\UwQ\\FXSCOVER.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exefvenotify.exeFXSCOVER.execmstp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1200 wrote to memory of 2548	1200	fvenotify.exe
PID 1200 wrote to memory of 2548	1200	fvenotify.exe
PID 1200 wrote to memory of 2548	1200	fvenotify.exe
PID 1200 wrote to memory of 2664	1200	fvenotify.exe
PID 1200 wrote to memory of 2664	1200	fvenotify.exe
PID 1200 wrote to memory of 2664	1200	fvenotify.exe
PID 1200 wrote to memory of 2276	1200	FXSCOVER.exe
PID 1200 wrote to memory of 2276	1200	FXSCOVER.exe
PID 1200 wrote to memory of 2276	1200	FXSCOVER.exe
PID 1200 wrote to memory of 3052	1200	FXSCOVER.exe
PID 1200 wrote to memory of 3052	1200	FXSCOVER.exe
PID 1200 wrote to memory of 3052	1200	FXSCOVER.exe
PID 1200 wrote to memory of 1300	1200	cmstp.exe
PID 1200 wrote to memory of 1300	1200	cmstp.exe
PID 1200 wrote to memory of 1300	1200	cmstp.exe
PID 1200 wrote to memory of 636	1200	cmstp.exe
PID 1200 wrote to memory of 636	1200	cmstp.exe
PID 1200 wrote to memory of 636	1200	cmstp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a03c427291b7a95b1aab3b2d9839a4ac_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:2548

C:\Users\Admin\AppData\Local\NMoIH\fvenotify.exe
C:\Users\Admin\AppData\Local\NMoIH\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2664

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:2276

C:\Users\Admin\AppData\Local\WaRd6Hi\FXSCOVER.exe
C:\Users\Admin\AppData\Local\WaRd6Hi\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3052

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:1300

C:\Users\Admin\AppData\Local\1tiQMKd\cmstp.exe
C:\Users\Admin\AppData\Local\1tiQMKd\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:636

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1tiQMKd\VERSION.dll
Filesize
1.2MB

MD5
2c4e1b3dbdb9253712defcb0ffd76b37

SHA1
be8ebbfccefa4fa05e243854a8dcb2817ef194f7

SHA256
35ed86777989940c2251d21b1bffdffdb060ae206ca45e07838b70f9a2d98511

SHA512
22ad969a65b4b8d1fff46250082bfcd7ca8c16ec09ef06e8638d51f23cafb5e6e2474a52cf182113632d24ff6739c0427a6f99e38f1ca394a9603d05b97e23db

Download Submit
C:\Users\Admin\AppData\Local\NMoIH\slc.dll
Filesize
1.2MB

MD5
05350b65a50e512b803fa21b0d3ced2d

SHA1
81216b93f7fef670656bb88e2f665e59d714d330

SHA256
11a418f75cf13630cd140912aacc69046914ec89c923a20d1e5dab6aa8e0b020

SHA512
8273bae7493af57f8ad0641a1ef75b13b46e7b313c0c4962b1d0d8f2e376e6b0728a8b5643c5760a94d56fd021684279c82bd038f6b117297778d45c7f8d4a30

Download Submit
C:\Users\Admin\AppData\Local\WaRd6Hi\MFC42u.dll
Filesize
1.3MB

MD5
c3eda57652c9ae49f7d95a2a2acf8fac

SHA1
1de46b303b572db531de2c6177e8ca6274ce40a2

SHA256
0c83349ea1a49c474faef531b3e5c0efe6f4604fe008c3c520accba857475ffa

SHA512
9021d9334a109f68219c1ce42c7a0204513eea265e8e50bbf9e32d38ba83388c1cb33d81b3ed6a1dbd2002a9b8d92b93b7d3d5228f009ee0ed376d080409ae5d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Auushichw.lnk
Filesize
1KB

MD5
c03309d321bba318188c7287b332f918

SHA1
11516533b12c0909cee3bab23e4f230944c38b0c

SHA256
51d68b1b17d8813b2fdbfc62dd2aea69a97e92b11e02833e0768108c39141673

SHA512
747183f746ee8eeb097e726c90d02b7099bc3bc564adc4335710dce78db0d2c1a22894c08dcb1ef87626caeeae99f7f80fa5353297a12276ca1f43a7d92933b3

Download Submit
\Users\Admin\AppData\Local\1tiQMKd\cmstp.exe
Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Local\NMoIH\fvenotify.exe
Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\WaRd6Hi\FXSCOVER.exe
Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
memory/636-96-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/636-90-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1200-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1200-64-0x00000000774E6000-0x00000000774E7000-memory.dmp

Filesize
4KB

Download
memory/1200-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1200-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1200-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1200-37-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1200-36-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1200-33-0x0000000077880000-0x0000000077882000-memory.dmp

Filesize
8KB

Download
memory/1200-28-0x00000000776F1000-0x00000000776F2000-memory.dmp

Filesize
4KB

Download
memory/1200-25-0x0000000002CD0000-0x0000000002CD7000-memory.dmp

Filesize
28KB

Download
memory/1200-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1200-5-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/1200-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1200-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1200-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1200-4-0x00000000774E6000-0x00000000774E7000-memory.dmp

Filesize
4KB

Download
memory/1200-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1200-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2432-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2432-0-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2432-45-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2664-53-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2664-59-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2664-56-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/3052-78-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3052-73-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3052-72-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads