dridex | e8d148be0eda983cddc2216ca6ce0e6deeb783cfcab645d9911801b52d0b07ef

General

Target

a13f7f0d72b6bd47eca1422df6227d36_JaffaCakes118.dll
Size

1.2MB
MD5

a13f7f0d72b6bd47eca1422df6227d36
SHA1

38dcf9b51fd87e88a508e91c4e46906d612ef050
SHA256

e8d148be0eda983cddc2216ca6ce0e6deeb783cfcab645d9911801b52d0b07ef
SHA512

ac93d5d89f0b145c4b20c4ba9f3c42aca4a46fda925c19aaf772a28f0106fc38829d242d4fd9366ba63d2d33122f4640471f51c1327f0863df2562a0d99743e9
SSDEEP

24576:3VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:3V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3452-4-0x0000000002C20000-0x0000000002C21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SysResetErr.exesigverif.exeie4ushowIE.exe

pid process

3668 SysResetErr.exe
2992 sigverif.exe
3740 ie4ushowIE.exe
Loads dropped DLL 3 IoCs

Processes:

SysResetErr.exesigverif.exeie4ushowIE.exe

pid process

3668 SysResetErr.exe
2992 sigverif.exe
3740 ie4ushowIE.exe

pid	process
3668	SysResetErr.exe
2992	sigverif.exe
3740	ie4ushowIE.exe

pid	process
3668	SysResetErr.exe
2992	sigverif.exe
3740	ie4ushowIE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rnerhfezerqab = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\Deployment\\6q9oMsLf\\sigverif.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSysResetErr.exesigverif.exeie4ushowIE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4ushowIE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4864	rundll32.exe
4864	rundll32.exe
4864	rundll32.exe
4864	rundll32.exe
4864	rundll32.exe
4864	rundll32.exe
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452
3452

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3452

pid	process
3452

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3452 wrote to memory of 1476	3452	SysResetErr.exe
PID 3452 wrote to memory of 1476	3452	SysResetErr.exe
PID 3452 wrote to memory of 3668	3452	SysResetErr.exe
PID 3452 wrote to memory of 3668	3452	SysResetErr.exe
PID 3452 wrote to memory of 1248	3452	sigverif.exe
PID 3452 wrote to memory of 1248	3452	sigverif.exe
PID 3452 wrote to memory of 2992	3452	sigverif.exe
PID 3452 wrote to memory of 2992	3452	sigverif.exe
PID 3452 wrote to memory of 4788	3452	ie4ushowIE.exe
PID 3452 wrote to memory of 4788	3452	ie4ushowIE.exe
PID 3452 wrote to memory of 3740	3452	ie4ushowIE.exe
PID 3452 wrote to memory of 3740	3452	ie4ushowIE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a13f7f0d72b6bd47eca1422df6227d36_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4864

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:1476

C:\Users\Admin\AppData\Local\bp5jrNkwJ\SysResetErr.exe
C:\Users\Admin\AppData\Local\bp5jrNkwJ\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3668

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:1248

C:\Users\Admin\AppData\Local\53176\sigverif.exe
C:\Users\Admin\AppData\Local\53176\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2992

C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
1⤵
PID:4788

C:\Users\Admin\AppData\Local\SW6m\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\SW6m\ie4ushowIE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\53176\VERSION.dll
Filesize
1.2MB

MD5
53a51b077ba247a470dcacc30413f453

SHA1
1e8eb25f1d6db339ac5203f06b779a76fe14b6aa

SHA256
2e476d5d72407ec13a5d63db62eb8447b96482a6ad892d0d5bba3fc3db2a5321

SHA512
6488fa7ff4fbdb1f705fe179d1822d058aa2e20d81d88aa153918c922848eddf2cfd0081276dafa221f12060e9acd47878d8cb87fbe13ea7ab24561cd555c2f3

Download Submit
C:\Users\Admin\AppData\Local\53176\sigverif.exe
Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Local\SW6m\VERSION.dll
Filesize
1.2MB

MD5
2a543043f309ea534d785921b4f2545a

SHA1
a5f02e3bdd964a850d3181a2e54625771bad669b

SHA256
cb89eb86a6da58d86f9988e143823993e9880bef4e4c07a857a270750a3f8e71

SHA512
9472edd33673113db827a2c447cd816286bfe93bf75d04adf551b8f5089ecb4bc77100cb7f2a0a623764b0eca2bb8de3f0caf03e6b46ed5709ebd47935df2952

Download Submit
C:\Users\Admin\AppData\Local\SW6m\ie4ushowIE.exe
Filesize
76KB

MD5
9de952f476abab0cd62bfd81e20a3deb

SHA1
109cc4467b78dad4b12a3225020ea590bccee3e6

SHA256
e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

SHA512
3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

Download Submit
C:\Users\Admin\AppData\Local\bp5jrNkwJ\DUI70.dll
Filesize
1.5MB

MD5
b3f52c8555fd58ede7c2e532d3704523

SHA1
978c83e40f5c8e0a748b10d9669ac72940036f1e

SHA256
213ff31f5da8becd5e065148f8ff5b765fbce9fbf6f2967775e03b059d13be6f

SHA512
12b49a7487a1d8cbf20f822d9643de732dddf58530b2fd8376b058f05b76bf4f9a93c778990f9bb5560ecf4ac2ae89eaf6fe9cf5e20358e09cd4a1e58d1cddac

Download Submit
C:\Users\Admin\AppData\Local\bp5jrNkwJ\SysResetErr.exe
Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Shhkphqwzh.lnk
Filesize
1KB

MD5
0016067af30e27604629a8f341bcbed2

SHA1
8f3dd2ee950edf04d8d4d3273d6e5c97fed6ceec

SHA256
c8cdb9b371fe7a9945bd4c65a36febe10d8ebdb40a32b14a4fed03d34ddad33a

SHA512
ded11fa636d4d4cd539bc7a3365f48b7e4edd0aa24d670c667ebeab1cc95604d839ff26ef6da65c30baf77595efdaee305ce0d3ade5bd76330620faebaca1434

Download Submit
memory/2992-68-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2992-64-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2992-63-0x000001E283CD0000-0x000001E283CD7000-memory.dmp

Filesize
28KB

Download
memory/3452-34-0x00007FFB1183A000-0x00007FFB1183B000-memory.dmp

Filesize
4KB

Download
memory/3452-38-0x00007FFB11E10000-0x00007FFB11E20000-memory.dmp

Filesize
64KB

Download
memory/3452-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3452-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3452-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3452-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3452-24-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3452-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3452-4-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/3452-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3452-33-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3452-6-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3452-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3452-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3452-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3452-36-0x0000000002BD0000-0x0000000002BD7000-memory.dmp

Filesize
28KB

Download
memory/3668-52-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3668-49-0x000001B3BB330000-0x000001B3BB337000-memory.dmp

Filesize
28KB

Download
memory/3668-46-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3740-82-0x0000021F6E690000-0x0000021F6E697000-memory.dmp

Filesize
28KB

Download
memory/3740-83-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4864-0-0x000001E9220A0000-0x000001E9220A7000-memory.dmp

Filesize
28KB

Download
memory/4864-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4864-2-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads