dridex | 64f22c7a2ed309028e20b2fbe5fe093112ee81893877c6308846342020c855b7

General

Target

aa742ad016ba5eda435c40d9f81a71b3_JaffaCakes118.dll
Size

987KB
MD5

aa742ad016ba5eda435c40d9f81a71b3
SHA1

65b0997bc86db191897e2a157be2534aa2edac28
SHA256

64f22c7a2ed309028e20b2fbe5fe093112ee81893877c6308846342020c855b7
SHA512

105cf6705de994afe6ad873f2a30641edf9e7795e9e4bb3cc5f35fff7a0d430b854d1689972fc60d1038972a408281b6d4e5dd429f87f0b5ab6ce07a9f1adcb2
SSDEEP

24576:YVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8W:YV8hf6STw1ZlQauvzSq01ICe6zvmN

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-5-0x0000000002B50000-0x0000000002B51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wisptis.exeMagnify.exeDxpserver.exe

pid process

2340 wisptis.exe
1480 Magnify.exe
2576 Dxpserver.exe
Loads dropped DLL 7 IoCs

Processes:

wisptis.exeMagnify.exeDxpserver.exe

pid process

1192
2340 wisptis.exe
1192
1480 Magnify.exe
1192
2576 Dxpserver.exe
1192

pid	process
2340	wisptis.exe
1480	Magnify.exe
2576	Dxpserver.exe

pid	process
1192
2340	wisptis.exe
1192
1480	Magnify.exe
1192
2576	Dxpserver.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gqwtkfbnxxlbs = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\20e4lg8C\\Magnify.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Dxpserver.exerundll32.exewisptis.exeMagnify.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wisptis.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2916	rundll32.exe
2916	rundll32.exe
2916	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1192 wrote to memory of 2688	1192	wisptis.exe
PID 1192 wrote to memory of 2688	1192	wisptis.exe
PID 1192 wrote to memory of 2688	1192	wisptis.exe
PID 1192 wrote to memory of 2340	1192	wisptis.exe
PID 1192 wrote to memory of 2340	1192	wisptis.exe
PID 1192 wrote to memory of 2340	1192	wisptis.exe
PID 1192 wrote to memory of 948	1192	Magnify.exe
PID 1192 wrote to memory of 948	1192	Magnify.exe
PID 1192 wrote to memory of 948	1192	Magnify.exe
PID 1192 wrote to memory of 1480	1192	Magnify.exe
PID 1192 wrote to memory of 1480	1192	Magnify.exe
PID 1192 wrote to memory of 1480	1192	Magnify.exe
PID 1192 wrote to memory of 2536	1192	Dxpserver.exe
PID 1192 wrote to memory of 2536	1192	Dxpserver.exe
PID 1192 wrote to memory of 2536	1192	Dxpserver.exe
PID 1192 wrote to memory of 2576	1192	Dxpserver.exe
PID 1192 wrote to memory of 2576	1192	Dxpserver.exe
PID 1192 wrote to memory of 2576	1192	Dxpserver.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa742ad016ba5eda435c40d9f81a71b3_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2916

C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
1⤵
PID:2688

C:\Users\Admin\AppData\Local\qKytlid\wisptis.exe
C:\Users\Admin\AppData\Local\qKytlid\wisptis.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2340

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:948

C:\Users\Admin\AppData\Local\Fj7p\Magnify.exe
C:\Users\Admin\AppData\Local\Fj7p\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1480

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:2536

C:\Users\Admin\AppData\Local\OPss2OB8\Dxpserver.exe
C:\Users\Admin\AppData\Local\OPss2OB8\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2576

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\qKytlid\OLEACC.dll
Filesize
988KB

MD5
f48e6d94bc9b58ddc9188d020dc7dfb1

SHA1
365bb50b88fa7cf91c5b2c773040abb11d926998

SHA256
68dc3bdd94b83bd8f14cba9cc658f6e05dd52b34eea01611530f9ae6691ebc07

SHA512
ac7185d34f3fdaed7695650f7824f5ec07307e8ce1375c4ea3caed06fb30a34e0ab254d4296efa2c87861ed02fe9129617ed3f87fc43bb254a6c8767ed346542

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Egmip.lnk
Filesize
1KB

MD5
b14c0c25d8d971dc93da15dc85924545

SHA1
64e28b386edc46e72cb2c92abdb2b0bb977aaf12

SHA256
77f5ad7e75aa8aee5bee1aee9c822016ae6c0dcb387795d70868fca5e90d7a48

SHA512
85e1c51641390c5448849c684c449d7bfef4c5ef0781dd1fa9159f3552e82c966b53f931ef07a52b6f4c8c3689995fda2a6899454cd81caa2d40fa1fe0dfae8a

Download Submit
\Users\Admin\AppData\Local\Fj7p\MAGNIFICATION.dll
Filesize
988KB

MD5
17678264a50243d7eb38fd153be1e00c

SHA1
cd5b417920fda88cdbac5bb54a812f9135d87145

SHA256
1531c2ce7b5048b64df2acc83289f884dcc8775d318e7053cbdbe9e7f179ecb2

SHA512
e975cf26c5996d9130e71d2acfcde5871335ae8ca81b1d5a6dd77e0ef21ce4501633542ae5150578793969308aa1859d8f03e8e6ae6ccfff3daba4f09c9b2a89

Download Submit
\Users\Admin\AppData\Local\Fj7p\Magnify.exe
Filesize
637KB

MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
\Users\Admin\AppData\Local\OPss2OB8\Dxpserver.exe
Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\OPss2OB8\XmlLite.dll
Filesize
988KB

MD5
a22577fa85e9708d1d4c01e1ebbf3d5d

SHA1
231315aa5f7b4c2144c0f4e33c07f2ed87477eae

SHA256
b959c689e92200909348f49aa8fbf13d926e6372847f5dbd9fe2a78c463b0096

SHA512
a0d9b4bedf77d18c53a5f7d203f48a4660b4d6f22bf035647db1c7cec9bdb0570bf93305b2c1b4498ca1ee03628d10416ffb309c22b35908d70587f9b239ebae

Download Submit
\Users\Admin\AppData\Local\qKytlid\wisptis.exe
Filesize
396KB

MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
memory/1192-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-25-0x0000000077821000-0x0000000077822000-memory.dmp

Filesize
4KB

Download
memory/1192-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-28-0x00000000779B0000-0x00000000779B2000-memory.dmp

Filesize
8KB

Download
memory/1192-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-24-0x0000000002B30000-0x0000000002B37000-memory.dmp

Filesize
28KB

Download
memory/1192-32-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-33-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1192-5-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/1192-4-0x0000000077616000-0x0000000077617000-memory.dmp

Filesize
4KB

Download
memory/1192-52-0x0000000077616000-0x0000000077617000-memory.dmp

Filesize
4KB

Download
memory/1480-64-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1480-70-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2340-54-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2340-53-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2340-49-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2576-87-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2916-0-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2916-29-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2916-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads