dridex | 1db857ac660020f99c43fea4c4eeef9a36ee5586d70588b072fb0e730dd6073a

General

Target

b03a89f91de77550a6def73999903440_JaffaCakes118.dll
Size

1.4MB
MD5

b03a89f91de77550a6def73999903440
SHA1

120f0618be088d54dde945c38ed5b2b02151eab3
SHA256

1db857ac660020f99c43fea4c4eeef9a36ee5586d70588b072fb0e730dd6073a
SHA512

821437cc214b295ceb5dc970b30c4e289583e2611105debbfaa112a95b95173bb60c925d8d76ff44759f567008ec7ca9f3c60f1db327314aebfe6290eade96be
SSDEEP

24576:CuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:K9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3564-4-0x0000000000F90000-0x0000000000F91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesHardware.exeprintfilterpipelinesvc.exesdclt.exe

pid process

4668 SystemPropertiesHardware.exe
4176 printfilterpipelinesvc.exe
4580 sdclt.exe
Loads dropped DLL 5 IoCs

Processes:

SystemPropertiesHardware.exeprintfilterpipelinesvc.exesdclt.exe

pid process

4668 SystemPropertiesHardware.exe
4176 printfilterpipelinesvc.exe
4176 printfilterpipelinesvc.exe
4176 printfilterpipelinesvc.exe
4580 sdclt.exe

pid	process
4668	SystemPropertiesHardware.exe
4176	printfilterpipelinesvc.exe
4580	sdclt.exe

pid	process
4668	SystemPropertiesHardware.exe
4176	printfilterpipelinesvc.exe
4176	printfilterpipelinesvc.exe
4176	printfilterpipelinesvc.exe
4580	sdclt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ehsiuzwuc = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\qdZcjdHf\\printfilterpipelinesvc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

printfilterpipelinesvc.exesdclt.exerundll32.exeSystemPropertiesHardware.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
2716	rundll32.exe
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564
3564

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3564
Token: SeCreatePagefilePrivilege	3564
Token: SeShutdownPrivilege	3564
Token: SeCreatePagefilePrivilege	3564
Token: SeShutdownPrivilege	3564
Token: SeCreatePagefilePrivilege	3564
Token: SeShutdownPrivilege	3564
Token: SeCreatePagefilePrivilege	3564

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3564
3564

pid	process
3564
3564

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3564 wrote to memory of 2024	3564	SystemPropertiesHardware.exe
PID 3564 wrote to memory of 2024	3564	SystemPropertiesHardware.exe
PID 3564 wrote to memory of 4668	3564	SystemPropertiesHardware.exe
PID 3564 wrote to memory of 4668	3564	SystemPropertiesHardware.exe
PID 3564 wrote to memory of 688	3564	printfilterpipelinesvc.exe
PID 3564 wrote to memory of 688	3564	printfilterpipelinesvc.exe
PID 3564 wrote to memory of 4176	3564	printfilterpipelinesvc.exe
PID 3564 wrote to memory of 4176	3564	printfilterpipelinesvc.exe
PID 3564 wrote to memory of 1684	3564	sdclt.exe
PID 3564 wrote to memory of 1684	3564	sdclt.exe
PID 3564 wrote to memory of 4580	3564	sdclt.exe
PID 3564 wrote to memory of 4580	3564	sdclt.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b03a89f91de77550a6def73999903440_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:2024

C:\Users\Admin\AppData\Local\kYM0\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\kYM0\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4668

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:688

C:\Users\Admin\AppData\Local\BEpWM8T\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\BEpWM8T\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4176

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:1684

C:\Users\Admin\AppData\Local\Gur4OE1\sdclt.exe
C:\Users\Admin\AppData\Local\Gur4OE1\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BEpWM8T\XmlLite.dll
Filesize
1.4MB

MD5
0bfae6278958f9456262fc26ce8a50bb

SHA1
fec4d07273aba7d64271fc0bdd7509afe5ae365e

SHA256
2eccbbe0f73bdeb854c11e24d552ac695e6564a9caba4832468a0ea0521fd89f

SHA512
695839d22d4c2561e9b2044cb6efd6fb12513d17e02de6d0fd81188c2fc7555446d79e9bf84ed914217e8d15f807a0e40568e1422301a02019758fb64b5a38d5

Download Submit
C:\Users\Admin\AppData\Local\BEpWM8T\printfilterpipelinesvc.exe
Filesize
813KB

MD5
331a40eabaa5870e316b401bd81c4861

SHA1
ddff65771ca30142172c0d91d5bfff4eb1b12b73

SHA256
105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

SHA512
29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

Download Submit
C:\Users\Admin\AppData\Local\Gur4OE1\ReAgent.dll
Filesize
1.4MB

MD5
38e84dcd121c2050f6ffa1fa85d4e0c9

SHA1
0f76dfb18939128875da4556663c88fea6824bb6

SHA256
4f58b538bc6000d9585244e1e5b4b58fe9f3898f24457ce54604544c54306248

SHA512
622e585e13aeef0f64eae30a068df931818817c4b6217d83b065b4425194a494571d54e2826358b9cc9ce4d9b90d3cd1522df49dd85e9db1b9d54fb9fade1251

Download Submit
C:\Users\Admin\AppData\Local\Gur4OE1\sdclt.exe
Filesize
1.2MB

MD5
e09d48f225e7abcab14ebd3b8a9668ec

SHA1
1c5b9322b51c09a407d182df481609f7cb8c425d

SHA256
efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

SHA512
384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

Download Submit
C:\Users\Admin\AppData\Local\kYM0\SYSDM.CPL
Filesize
1.4MB

MD5
1d6e9ea0d1bc43eaba8d1019b1fb9ce4

SHA1
50504f652785b348ec3c0adcb79c12ce138b209d

SHA256
5c6a7fdf09e4398423ad593f78c6b6a473d0ab9202a38501796d112385ae968f

SHA512
ebd037990e1a87e0eff36ff00f9ed42ba131bf267f78f3f5ec2d2ec1019e92d391ab8c090acb4d950f0a0cf8e321aa0b2944d2ad2d4b40238443fbcd4c09becd

Download Submit
C:\Users\Admin\AppData\Local\kYM0\SystemPropertiesHardware.exe
Filesize
82KB

MD5
bf5bc0d70a936890d38d2510ee07a2cd

SHA1
69d5971fd264d8128f5633db9003afef5fad8f10

SHA256
c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

SHA512
0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Jbphew.lnk
Filesize
1KB

MD5
b1053beab79c8597da8b6a9f24275beb

SHA1
9eab5f40f1d4e730c9946961be797c9e453a4277

SHA256
515b5a5367633583e455bd0d04a3c029630412fe1136bcd4cc2f44dc87260019

SHA512
f975b8fce2566d952a7509d3f7ec951f84963d0d9c470de391472694dceaf8d4346a0ac65e28cb4834900700e15a8d26a99887ddc7a602c9bb6c89629d4918e3

Download Submit
memory/2716-41-0x00007FFCCCE20000-0x00007FFCCCF8E000-memory.dmp

Filesize
1.4MB

Download
memory/2716-3-0x0000018072C70000-0x0000018072C77000-memory.dmp

Filesize
28KB

Download
memory/2716-1-0x00007FFCCCE20000-0x00007FFCCCF8E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-36-0x0000000000D20000-0x0000000000D27000-memory.dmp

Filesize
28KB

Download
memory/3564-38-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-17-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-15-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-14-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-13-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-12-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-10-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-9-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-8-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-7-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-35-0x00007FFCDD2DA000-0x00007FFCDD2DB000-memory.dmp

Filesize
4KB

Download
memory/3564-37-0x00007FFCDE350000-0x00007FFCDE360000-memory.dmp

Filesize
64KB

Download
memory/3564-18-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-4-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/3564-11-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-6-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-26-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3564-16-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/4176-67-0x0000028FE4790000-0x0000028FE4797000-memory.dmp

Filesize
28KB

Download
memory/4176-68-0x00007FFCCEB10000-0x00007FFCCEC7F000-memory.dmp

Filesize
1.4MB

Download
memory/4176-73-0x00007FFCCEB10000-0x00007FFCCEC7F000-memory.dmp

Filesize
1.4MB

Download
memory/4580-89-0x00007FFCCEDD0000-0x00007FFCCEF3F000-memory.dmp

Filesize
1.4MB

Download
memory/4668-54-0x00007FFCCEDD0000-0x00007FFCCEF3F000-memory.dmp

Filesize
1.4MB

Download
memory/4668-49-0x00007FFCCEDD0000-0x00007FFCCEF3F000-memory.dmp

Filesize
1.4MB

Download
memory/4668-48-0x00000227A5F60000-0x00000227A5F67000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads