dridex | 240a3850e0e1a7ab754fd9325e11cf6fcf5251e2b3f329f2de2930b39792f2d6

General

Target

a95463c4c15657eea00d42c7f5f4d0cd_JaffaCakes118.dll
Size

986KB
MD5

a95463c4c15657eea00d42c7f5f4d0cd
SHA1

5c44e306351f8055a871c4ba85fa48502dac3d1e
SHA256

240a3850e0e1a7ab754fd9325e11cf6fcf5251e2b3f329f2de2930b39792f2d6
SHA512

c29799b71728c6547515a805aacaee6908641ed54ffafc862cd0da9e3d548f58fb6740dd72cdb84e99886a331d4b69cfd75acf2ffb17988293f041c04fdaa68c
SSDEEP

24576:oVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:oV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1160-5-0x0000000002A20000-0x0000000002A21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sigverif.exeicardagt.exewinlogon.exe

pid process

2392 sigverif.exe
2636 icardagt.exe
1660 winlogon.exe
Loads dropped DLL 7 IoCs

Processes:

sigverif.exeicardagt.exewinlogon.exe

pid process

1160
2392 sigverif.exe
1160
2636 icardagt.exe
1160
1660 winlogon.exe
1160

pid	process
2392	sigverif.exe
2636	icardagt.exe
1660	winlogon.exe

pid	process
1160
2392	sigverif.exe
1160
2636	icardagt.exe
1160
1660	winlogon.exe
1160

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\rP4fCQu3\\icardagt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesigverif.exeicardagt.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160
1160

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1160 wrote to memory of 2504	1160	sigverif.exe
PID 1160 wrote to memory of 2504	1160	sigverif.exe
PID 1160 wrote to memory of 2504	1160	sigverif.exe
PID 1160 wrote to memory of 2392	1160	sigverif.exe
PID 1160 wrote to memory of 2392	1160	sigverif.exe
PID 1160 wrote to memory of 2392	1160	sigverif.exe
PID 1160 wrote to memory of 2648	1160	icardagt.exe
PID 1160 wrote to memory of 2648	1160	icardagt.exe
PID 1160 wrote to memory of 2648	1160	icardagt.exe
PID 1160 wrote to memory of 2636	1160	icardagt.exe
PID 1160 wrote to memory of 2636	1160	icardagt.exe
PID 1160 wrote to memory of 2636	1160	icardagt.exe
PID 1160 wrote to memory of 2896	1160	winlogon.exe
PID 1160 wrote to memory of 2896	1160	winlogon.exe
PID 1160 wrote to memory of 2896	1160	winlogon.exe
PID 1160 wrote to memory of 1660	1160	winlogon.exe
PID 1160 wrote to memory of 1660	1160	winlogon.exe
PID 1160 wrote to memory of 1660	1160	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a95463c4c15657eea00d42c7f5f4d0cd_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2952

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:2504

C:\Users\Admin\AppData\Local\LcCPxAj\sigverif.exe
C:\Users\Admin\AppData\Local\LcCPxAj\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2392

C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
1⤵
PID:2648

C:\Users\Admin\AppData\Local\BZzo\icardagt.exe
C:\Users\Admin\AppData\Local\BZzo\icardagt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2636

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:2896

C:\Users\Admin\AppData\Local\4IdeoKWkv\winlogon.exe
C:\Users\Admin\AppData\Local\4IdeoKWkv\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1660

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4IdeoKWkv\WINSTA.dll
Filesize
991KB

MD5
6fd28d62454b7418ba7034192784e229

SHA1
c8fae55e394836d87d50ec9f08bb00a9e1e466a0

SHA256
2a6961f0ee9d36a6ac2f89d8a8f8a868d4dffaf4c59d905b8e5dbf29a5934f41

SHA512
534662290ea8ee24d40decc26f22cc2052c0039359bcd9f967dd521d9d733c1221b4eba9ce72a67e39d538386b9efabf6f489664101903b0cea7a5aeaa80ea4e

Download Submit
C:\Users\Admin\AppData\Local\BZzo\UxTheme.dll
Filesize
988KB

MD5
d19ae21a43dc7ffd8e4b76c70530b250

SHA1
5eb9560b9237d04d14761d5d9897883cd8787ff2

SHA256
91407c01c9eef2b21781f2a7b1018f99646735f35b666bb7c9c5927e72553c27

SHA512
bcae2f3d5450b3843529f110a73d789f80ec3664b47b5464e560b38c0f12317f7310c3b7bae9fc0fdee85d7382a60a3fa229c0ac709c7ccb8879eebffd33dbd1

Download Submit
C:\Users\Admin\AppData\Local\LcCPxAj\VERSION.dll
Filesize
986KB

MD5
60d0322427c56b1c501396428af9f3f8

SHA1
1a530b98e5c1b41cb81e2bef4880b0f80d4a6a9e

SHA256
0b3445ccfe467673d83c29ceb0bdfd5ebcfc3095ec8ac4246553b9017d612578

SHA512
c803da17fde315bab91437f42a3fa0c30585f2df9a4914e9f3e8665cd1c99c1aa646c7da67a94a8b17c7eb78a8a67c8974a19b82c5943e319d2ca70265a37c11

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnk
Filesize
1KB

MD5
fdf3421f81fa3545ce13483c5d2cada3

SHA1
1655ffb852b9c4935fb303c0d2fc7b1d164d0a25

SHA256
5fd1ffa4bed746ec62165b68e38b742d66090a7628c210e499b4a5550d0e4cdc

SHA512
cd9f9f15584ce9e9e90ded2a7157f497a590768e5ef83dda3311a61d7fbd0e84b8fa42be19a1c65dd0481a40861c0af72e6ebd545551e8b1fcfafac6362ca699

Download Submit
\Users\Admin\AppData\Local\4IdeoKWkv\winlogon.exe
Filesize
381KB

MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
\Users\Admin\AppData\Local\BZzo\icardagt.exe
Filesize
1.3MB

MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
\Users\Admin\AppData\Local\LcCPxAj\sigverif.exe
Filesize
73KB

MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
memory/1160-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1160-24-0x0000000002A00000-0x0000000002A07000-memory.dmp

Filesize
28KB

Download
memory/1160-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1160-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1160-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1160-26-0x0000000077620000-0x0000000077622000-memory.dmp

Filesize
8KB

Download
memory/1160-25-0x0000000077491000-0x0000000077492000-memory.dmp

Filesize
4KB

Download
memory/1160-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1160-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1160-38-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1160-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1160-4-0x0000000077386000-0x0000000077387000-memory.dmp

Filesize
4KB

Download
memory/1160-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1160-5-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1160-73-0x0000000077386000-0x0000000077387000-memory.dmp

Filesize
4KB

Download
memory/1160-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1160-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1660-89-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/1660-92-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/2392-58-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2392-53-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2392-52-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2636-74-0x0000000000570000-0x0000000000577000-memory.dmp

Filesize
28KB

Download
memory/2636-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2952-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2952-44-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2952-3-0x0000000000480000-0x0000000000487000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads