dridex | 58a7b50c5201c447d6259a1dcd04e0f0d54ad73cf5a4a9cbe7bc2d7eb1ca8887

General

Target

ad83edd17de18486efe22dc738daeae5_JaffaCakes118.dll
Size

990KB
MD5

ad83edd17de18486efe22dc738daeae5
SHA1

d02937cc07297a06bd372334a4b01cf19f34740a
SHA256

58a7b50c5201c447d6259a1dcd04e0f0d54ad73cf5a4a9cbe7bc2d7eb1ca8887
SHA512

9aa535f0ada29522f228732ea1808d60e3a819d4172ba6f704e3d893f655deb2cfd245d9738259dba6ec86fe56fbbbedcc59ed4e7db09d4a1c01b4f9a5a64b9d
SSDEEP

24576:SVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:SV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3484-4-0x00000000026B0000-0x00000000026B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

osk.exeLockScreenContentServer.exemsinfo32.exe

pid process

1940 osk.exe
4980 LockScreenContentServer.exe
3820 msinfo32.exe
Loads dropped DLL 3 IoCs

Processes:

osk.exeLockScreenContentServer.exemsinfo32.exe

pid process

1940 osk.exe
4980 LockScreenContentServer.exe
3820 msinfo32.exe

pid	process
1940	osk.exe
4980	LockScreenContentServer.exe
3820	msinfo32.exe

pid	process
1940	osk.exe
4980	LockScreenContentServer.exe
3820	msinfo32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tyoytnnsf = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\7Yzt\\LOCKSC~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

osk.exeLockScreenContentServer.exemsinfo32.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LockScreenContentServer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1508	rundll32.exe
1508	rundll32.exe
1508	rundll32.exe
1508	rundll32.exe
1508	rundll32.exe
1508	rundll32.exe
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484
3484

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3484

pid	process
3484

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3484 wrote to memory of 3620	3484	osk.exe
PID 3484 wrote to memory of 3620	3484	osk.exe
PID 3484 wrote to memory of 1940	3484	osk.exe
PID 3484 wrote to memory of 1940	3484	osk.exe
PID 3484 wrote to memory of 4564	3484	LockScreenContentServer.exe
PID 3484 wrote to memory of 4564	3484	LockScreenContentServer.exe
PID 3484 wrote to memory of 4980	3484	LockScreenContentServer.exe
PID 3484 wrote to memory of 4980	3484	LockScreenContentServer.exe
PID 3484 wrote to memory of 3788	3484	msinfo32.exe
PID 3484 wrote to memory of 3788	3484	msinfo32.exe
PID 3484 wrote to memory of 3820	3484	msinfo32.exe
PID 3484 wrote to memory of 3820	3484	msinfo32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad83edd17de18486efe22dc738daeae5_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:3620

C:\Users\Admin\AppData\Local\8SSW8fOO\osk.exe
C:\Users\Admin\AppData\Local\8SSW8fOO\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1940

C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\LockScreenContentServer.exe
1⤵
PID:4564

C:\Users\Admin\AppData\Local\zhsA63ohS\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\zhsA63ohS\LockScreenContentServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4980

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:3788

C:\Users\Admin\AppData\Local\M5rKZxh\msinfo32.exe
C:\Users\Admin\AppData\Local\M5rKZxh\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8SSW8fOO\DUser.dll
Filesize
995KB

MD5
44ebee56e5ccd2e3c3c2aa2822539711

SHA1
94fc4e5c84e451562d3006cc6cf4d55d38c75d1e

SHA256
8bb682001825d71a4763e6ef9db10e5e9e3fb0c7e043d68e15b54ca43b27818a

SHA512
2ab5cd7d6bba87019b413f7a6e618713a2463ef8dd0daab3ca55f661714f1439915840db87e2e8a2122ed36468ec1c7c3a1398fe0f23dad72f869fe2e1f4b21b

Download Submit
C:\Users\Admin\AppData\Local\8SSW8fOO\osk.exe
Filesize
638KB

MD5
745f2df5beed97b8c751df83938cb418

SHA1
2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

SHA256
f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

SHA512
2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

Download Submit
C:\Users\Admin\AppData\Local\M5rKZxh\MFC42u.dll
Filesize
1018KB

MD5
06d8e013a18115c69e417b0f883747cd

SHA1
3e508e0e5881f4bd56a57d8ec888c4736d974342

SHA256
c369c0d455a6e012a3ed56786044a6723d05c91b1b73790ceaee444db86cc968

SHA512
cd5f18d71822b7cf7ef4eebe56541008990710fb5d3b608d7e5426ce7d4e5e9e306b6cec532fb38c862bd5cb59fb2933e14b34c646c8a2b6e5469c1fa3270aca

Download Submit
C:\Users\Admin\AppData\Local\M5rKZxh\msinfo32.exe
Filesize
376KB

MD5
0aed91da63713bf9f881b03a604a1c9d

SHA1
b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

SHA256
5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

SHA512
04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

Download Submit
C:\Users\Admin\AppData\Local\zhsA63ohS\DUI70.dll
Filesize
1.2MB

MD5
a2bc246e02e25832e28bd529ce995cc7

SHA1
71670d7d1c4b585440f4bda939b362e0dea3ec73

SHA256
0912985259dcc3986d485d3ab5475953167bb963f857216ea0d7d569a0ce9327

SHA512
b2079d1f4a823d9b9d4783a01a99183d38d4ed3442bc001be34eb7f83b9a086c20cc1d0cd4d63139db47583b69ed1084a3124a18dbe6a8a1a51227df9f46d2ec

Download Submit
C:\Users\Admin\AppData\Local\zhsA63ohS\LockScreenContentServer.exe
Filesize
47KB

MD5
a0b7513c98cf46ca2cea3a567fec137c

SHA1
2307fc8e3fc620ea3c2fdc6248ad4658479ba995

SHA256
cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

SHA512
3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fotgztfwispj.lnk
Filesize
1KB

MD5
eea5bc734aa35916c1a6538ae49a988b

SHA1
3b7712bda45e190b9f9793d41d4e9dcdbeb233ae

SHA256
87b3a175a755c7a6f8295a0769c5e3dfe03f29497e21940f23688ecb4b43b95e

SHA512
b1ee31c3c3477001cae6617606a4493746dc723ebb639595f197121a42f86315fab2db7b8350f99d584956b39b0a247c6711c22acf5332da47e43998cc251b6c

Download Submit
memory/1508-38-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1508-1-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/1508-3-0x000002A6CC070000-0x000002A6CC077000-memory.dmp

Filesize
28KB

Download
memory/1940-49-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/1940-48-0x00000267F95F0000-0x00000267F95F7000-memory.dmp

Filesize
28KB

Download
memory/1940-45-0x0000000140000000-0x00000001400FF000-memory.dmp

Filesize
1020KB

Download
memory/3484-35-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3484-26-0x00007FFBA108A000-0x00007FFBA108B000-memory.dmp

Filesize
4KB

Download
memory/3484-7-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3484-6-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3484-9-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3484-10-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3484-23-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3484-11-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3484-14-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3484-27-0x0000000000970000-0x0000000000977000-memory.dmp

Filesize
28KB

Download
memory/3484-28-0x00007FFBA12B0000-0x00007FFBA12C0000-memory.dmp

Filesize
64KB

Download
memory/3484-8-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3484-4-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/3484-12-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3484-13-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3820-79-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/3820-82-0x0000024BD4E00000-0x0000024BD4E07000-memory.dmp

Filesize
28KB

Download
memory/3820-85-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/4980-68-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4980-65-0x000002247BE10000-0x000002247BE17000-memory.dmp

Filesize
28KB

Download
memory/4980-62-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads