dridex | cffddf0df20a62148836e66becc88ad43e55cf66175c19277a3c9dddf9faeaea

General

Target

b5589e5a3385a3f1ff553658fa81ecb2_JaffaCakes118.dll
Size

1.2MB
MD5

b5589e5a3385a3f1ff553658fa81ecb2
SHA1

b9e8de230bcbae3350b46b3a1f6d7ad71133d5a4
SHA256

cffddf0df20a62148836e66becc88ad43e55cf66175c19277a3c9dddf9faeaea
SHA512

c5581bfc136312bc8d606a9ed1392eee11b7f0c52557a5d640bb51158986adea812cc0a7d9a6118e7cd9587e4744622564cfea159fa20b5cc0d09f5cf387bece
SSDEEP

24576:fuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:h9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1232-5-0x00000000025D0000-0x00000000025D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

EhStorAuthn.exeSystemPropertiesComputerName.exeAdapterTroubleshooter.exe

pid process

2476 EhStorAuthn.exe
2500 SystemPropertiesComputerName.exe
1660 AdapterTroubleshooter.exe
Loads dropped DLL 7 IoCs

Processes:

EhStorAuthn.exeSystemPropertiesComputerName.exeAdapterTroubleshooter.exe

pid process

1232
2476 EhStorAuthn.exe
1232
2500 SystemPropertiesComputerName.exe
1232
1660 AdapterTroubleshooter.exe
1232

pid	process
2476	EhStorAuthn.exe
2500	SystemPropertiesComputerName.exe
1660	AdapterTroubleshooter.exe

pid	process
1232
2476	EhStorAuthn.exe
1232
2500	SystemPropertiesComputerName.exe
1232
1660	AdapterTroubleshooter.exe
1232

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nnwuocalikj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1340930862-1405011213-2821322012-1000\\6w0ljO2Fi\\SystemPropertiesComputerName.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeEhStorAuthn.exeSystemPropertiesComputerName.exeAdapterTroubleshooter.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdapterTroubleshooter.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1208	rundll32.exe
1208	rundll32.exe
1208	rundll32.exe
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1232 wrote to memory of 2616	1232	EhStorAuthn.exe
PID 1232 wrote to memory of 2616	1232	EhStorAuthn.exe
PID 1232 wrote to memory of 2616	1232	EhStorAuthn.exe
PID 1232 wrote to memory of 2476	1232	EhStorAuthn.exe
PID 1232 wrote to memory of 2476	1232	EhStorAuthn.exe
PID 1232 wrote to memory of 2476	1232	EhStorAuthn.exe
PID 1232 wrote to memory of 2464	1232	SystemPropertiesComputerName.exe
PID 1232 wrote to memory of 2464	1232	SystemPropertiesComputerName.exe
PID 1232 wrote to memory of 2464	1232	SystemPropertiesComputerName.exe
PID 1232 wrote to memory of 2500	1232	SystemPropertiesComputerName.exe
PID 1232 wrote to memory of 2500	1232	SystemPropertiesComputerName.exe
PID 1232 wrote to memory of 2500	1232	SystemPropertiesComputerName.exe
PID 1232 wrote to memory of 1932	1232	AdapterTroubleshooter.exe
PID 1232 wrote to memory of 1932	1232	AdapterTroubleshooter.exe
PID 1232 wrote to memory of 1932	1232	AdapterTroubleshooter.exe
PID 1232 wrote to memory of 1660	1232	AdapterTroubleshooter.exe
PID 1232 wrote to memory of 1660	1232	AdapterTroubleshooter.exe
PID 1232 wrote to memory of 1660	1232	AdapterTroubleshooter.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5589e5a3385a3f1ff553658fa81ecb2_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:2616

C:\Users\Admin\AppData\Local\ZEZ\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\ZEZ\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2476

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:2464

C:\Users\Admin\AppData\Local\3LBJOxhp\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\3LBJOxhp\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2500

C:\Windows\system32\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
1⤵
PID:1932

C:\Users\Admin\AppData\Local\tQiKM\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\tQiKM\AdapterTroubleshooter.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1660

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3LBJOxhp\SYSDM.CPL
Filesize
1.2MB

MD5
f770fb3c74e91b76acca0ac4050b98a8

SHA1
e79fc837568cc021a854896f5b2959ad57dccd07

SHA256
00bc2b88313d28f4cf3d956b137dd8654eb5b17b109759933552d4cfd313f086

SHA512
cea7ebe98f9fd55cd7598b35dca5d3e8185bfce841b8a114a38f21f74be3ca6622b3935e19dcd65ff2e959bde2b02bd52dfe641b4d4709306778c1afb285fd53

Download Submit
C:\Users\Admin\AppData\Local\ZEZ\WTSAPI32.dll
Filesize
1.2MB

MD5
cc299c236f43ce92cba24efc025b2292

SHA1
84764a9bb8d3f15bd27b9c4272106e06ad691748

SHA256
9a56aa7176a7f3a5b3c8f626e3669cbcafb9f51895848c9a9a955512302b3226

SHA512
ed4eb1ab528c9a5a4e71198495be1b30e7e77cdcd9f9dde52b43cfe881de04946f31fc6119ed1c7387c840d7d691b625d337ed82facce1b929e460c740392c8e

Download Submit
C:\Users\Admin\AppData\Local\tQiKM\d3d9.dll
Filesize
1.2MB

MD5
3df0a81bcb49e8a3f70ef8c123235a9b

SHA1
200511b2a62ddb1bf39b31f589b8b8b0b6da3637

SHA256
59b0464d5ec354de2ba491bd4636234318ff4f746385fc068d50e1261f8288a6

SHA512
ce49edc898667f785a7c6aeac0c0e7d5710c7795b93b879243d07ae725e91cba43c1affba894c94e1798f9e0e2e695f0703438d608e3d5738ff0d7a00c02ecb9

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eyoyeoki.lnk
Filesize
1KB

MD5
c83e9301a38431b835ec0835e1210e69

SHA1
4ca6b54ba453194324afabec469845dc0ccab4b1

SHA256
9ad2ee7aa0a33dfee8470a4a3abaf2582e70afb11f21ed34debc560b1e146b17

SHA512
9f461b989575bdc2db86ed8074ea238702cd49db968ddd443f524c44c3d6238520a5cf6a9e696a6a6c98d446fe8876d49bfe60e8cf1534f3fe8a6a9d1e14dd63

Download Submit
\Users\Admin\AppData\Local\3LBJOxhp\SystemPropertiesComputerName.exe
Filesize
80KB

MD5
bd889683916aa93e84e1a75802918acf

SHA1
5ee66571359178613a4256a7470c2c3e6dd93cfa

SHA256
0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

SHA512
9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Download Submit
\Users\Admin\AppData\Local\ZEZ\EhStorAuthn.exe
Filesize
137KB

MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
\Users\Admin\AppData\Local\tQiKM\AdapterTroubleshooter.exe
Filesize
39KB

MD5
d4170c9ff5b2f85b0ce0246033d26919

SHA1
a76118e8775e16237cf00f2fb79718be0dc84db1

SHA256
d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

SHA512
9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

Download Submit
memory/1208-0-0x000007FEF6070000-0x000007FEF61B0000-memory.dmp

Filesize
1.2MB

Download
memory/1208-3-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/1208-47-0x000007FEF6070000-0x000007FEF61B0000-memory.dmp

Filesize
1.2MB

Download
memory/1232-9-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-39-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-28-0x0000000077471000-0x0000000077472000-memory.dmp

Filesize
4KB

Download
memory/1232-16-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-14-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-12-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-11-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-10-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-26-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-29-0x0000000077600000-0x0000000077602000-memory.dmp

Filesize
8KB

Download
memory/1232-38-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-7-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-27-0x00000000025B0000-0x00000000025B7000-memory.dmp

Filesize
28KB

Download
memory/1232-18-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-13-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-17-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-4-0x0000000077266000-0x0000000077267000-memory.dmp

Filesize
4KB

Download
memory/1232-8-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-66-0x0000000077266000-0x0000000077267000-memory.dmp

Filesize
4KB

Download
memory/1232-15-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1232-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1660-95-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1660-98-0x000007FEF6060000-0x000007FEF61A1000-memory.dmp

Filesize
1.3MB

Download
memory/2476-55-0x000007FEF6B70000-0x000007FEF6CB1000-memory.dmp

Filesize
1.3MB

Download
memory/2476-61-0x000007FEF6B70000-0x000007FEF6CB1000-memory.dmp

Filesize
1.3MB

Download
memory/2476-58-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2500-80-0x000007FEF6060000-0x000007FEF61A1000-memory.dmp

Filesize
1.3MB

Download
memory/2500-74-0x000007FEF6060000-0x000007FEF61A1000-memory.dmp

Filesize
1.3MB

Download
memory/2500-75-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads