dridex | cffddf0df20a62148836e66becc88ad43e55cf66175c19277a3c9dddf9faeaea

General

Target

b5589e5a3385a3f1ff553658fa81ecb2_JaffaCakes118.dll
Size

1.2MB
MD5

b5589e5a3385a3f1ff553658fa81ecb2
SHA1

b9e8de230bcbae3350b46b3a1f6d7ad71133d5a4
SHA256

cffddf0df20a62148836e66becc88ad43e55cf66175c19277a3c9dddf9faeaea
SHA512

c5581bfc136312bc8d606a9ed1392eee11b7f0c52557a5d640bb51158986adea812cc0a7d9a6118e7cd9587e4744622564cfea159fa20b5cc0d09f5cf387bece
SSDEEP

24576:fuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:h9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3552-4-0x00000000021A0000-0x00000000021A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

slui.exeGamePanel.exeDmNotificationBroker.exe

pid process

3340 slui.exe
1648 GamePanel.exe
4956 DmNotificationBroker.exe
Loads dropped DLL 3 IoCs

Processes:

slui.exeGamePanel.exeDmNotificationBroker.exe

pid process

3340 slui.exe
1648 GamePanel.exe
4956 DmNotificationBroker.exe

pid	process
3340	slui.exe
1648	GamePanel.exe
4956	DmNotificationBroker.exe

pid	process
3340	slui.exe
1648	GamePanel.exe
4956	DmNotificationBroker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fsnnuctyadbpkex = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\nPJ\\GamePanel.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeslui.exeGamePanel.exeDmNotificationBroker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DmNotificationBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4264	rundll32.exe
4264	rundll32.exe
4264	rundll32.exe
4264	rundll32.exe
4264	rundll32.exe
4264	rundll32.exe
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3552

pid	process
3552

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3552 wrote to memory of 2556	3552	slui.exe
PID 3552 wrote to memory of 2556	3552	slui.exe
PID 3552 wrote to memory of 3340	3552	slui.exe
PID 3552 wrote to memory of 3340	3552	slui.exe
PID 3552 wrote to memory of 2464	3552	GamePanel.exe
PID 3552 wrote to memory of 2464	3552	GamePanel.exe
PID 3552 wrote to memory of 1648	3552	GamePanel.exe
PID 3552 wrote to memory of 1648	3552	GamePanel.exe
PID 3552 wrote to memory of 2088	3552	DmNotificationBroker.exe
PID 3552 wrote to memory of 2088	3552	DmNotificationBroker.exe
PID 3552 wrote to memory of 4956	3552	DmNotificationBroker.exe
PID 3552 wrote to memory of 4956	3552	DmNotificationBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5589e5a3385a3f1ff553658fa81ecb2_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4264

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:2556

C:\Users\Admin\AppData\Local\vN4OhRX\slui.exe
C:\Users\Admin\AppData\Local\vN4OhRX\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3340

C:\Windows\system32\GamePanel.exe
C:\Windows\system32\GamePanel.exe
1⤵
PID:2464

C:\Users\Admin\AppData\Local\iccPNrr\GamePanel.exe
C:\Users\Admin\AppData\Local\iccPNrr\GamePanel.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1648

C:\Windows\system32\DmNotificationBroker.exe
C:\Windows\system32\DmNotificationBroker.exe
1⤵
PID:2088

C:\Users\Admin\AppData\Local\Xi1\DmNotificationBroker.exe
C:\Users\Admin\AppData\Local\Xi1\DmNotificationBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xi1\DUI70.dll
Filesize
1.5MB

MD5
049d58072e32a68ea1099d9dc386571a

SHA1
e150a7d527cb884ff17271c6be6936c5622a3263

SHA256
bfabcc50d09fef8d7c4b697882ad7a05a39c25feb8ba81ffb57ca0f5437241a9

SHA512
8b16cc530df19309b97936053c6979dcc07629b52226aecaebc7f87436f0ed01bd1b6c480a091f28d5465977b6dae5c968a3cb27759263c7b149d761b8b2542f

Download Submit
C:\Users\Admin\AppData\Local\Xi1\DmNotificationBroker.exe
Filesize
32KB

MD5
f0bdc20540d314a2aad951c7e2c88420

SHA1
4ab344595a4a81ab5f31ed96d72f217b4cee790b

SHA256
f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5

SHA512
cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa

Download Submit
C:\Users\Admin\AppData\Local\iccPNrr\GamePanel.exe
Filesize
1.2MB

MD5
266f6a62c16f6a889218800762b137be

SHA1
31b9bd85a37bf0cbb38a1c30147b83671458fa72

SHA256
71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

SHA512
b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

Download Submit
C:\Users\Admin\AppData\Local\iccPNrr\UxTheme.dll
Filesize
1.2MB

MD5
762edeadd94d4a8418b8d38ed57e2cd2

SHA1
4cadfdc3ce2a7483c390c14afcbf8498574201db

SHA256
f9b9c820a10acfccfa5c6e8fadb204c1c55309d193e07135600ecf56e7442299

SHA512
8494b32c0a4b7776824ed7f421f7baca1814f6d796b301dbb382d08b8ddaa06d4636c5907a051d45b2dacf6b3fe77b8f6a13cbb0d5955abf2f17873a5acd9848

Download Submit
C:\Users\Admin\AppData\Local\vN4OhRX\WINBRAND.dll
Filesize
1.2MB

MD5
e1471af8d3f3d0b4f93025f77d11d4d1

SHA1
efaa4b9740a8165b8ad09baa731210f354fe3b07

SHA256
e9cbd39fa16c9a618eda3ec97ecc429461662614bf02af8b4669c9b987a521da

SHA512
f77881017abf4a2e905cb75103433479f219f31cf65a207c4285ee5b3713823ee5c286044b329d8a75c95ac8cd6ab2a526c050cbd9d2b3fa32f0a66bdb603e3e

Download Submit
C:\Users\Admin\AppData\Local\vN4OhRX\slui.exe
Filesize
534KB

MD5
eb725ea35a13dc18eac46aa81e7f2841

SHA1
c0b3304c970324952e18c4a51073e3bdec73440b

SHA256
25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

SHA512
39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mmqqsjwrsdxmnj.lnk
Filesize
1KB

MD5
538c17fbe690c5d836713e656f352d28

SHA1
0ba8e5df9f14870e890955d19562c770bb7b9c02

SHA256
f13189e21d1e85f0ef7d635aef7bcb04f22991928b9047be847107754f4ed9e2

SHA512
cfa41732769452509bbf85801d9baf28e98d0054c76afe0a19ade29619c8e4b0a130c0690949aa2b0c2d406b492d1c636853885fbbf5f58c85e5c8648fa0c439

Download Submit
memory/1648-70-0x00007FFA96D90000-0x00007FFA96ED1000-memory.dmp

Filesize
1.3MB

Download
memory/1648-67-0x000002B664F70000-0x000002B664F77000-memory.dmp

Filesize
28KB

Download
memory/3340-53-0x00007FFA96D90000-0x00007FFA96ED1000-memory.dmp

Filesize
1.3MB

Download
memory/3340-47-0x00007FFA96D90000-0x00007FFA96ED1000-memory.dmp

Filesize
1.3MB

Download
memory/3340-50-0x0000022C42280000-0x0000022C42287000-memory.dmp

Filesize
28KB

Download
memory/3552-34-0x0000000000600000-0x0000000000607000-memory.dmp

Filesize
28KB

Download
memory/3552-15-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-10-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-9-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-8-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-7-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-25-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-18-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-4-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/3552-12-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-13-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-11-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-33-0x00007FFAA40BA000-0x00007FFAA40BB000-memory.dmp

Filesize
4KB

Download
memory/3552-6-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-35-0x00007FFAA5C90000-0x00007FFAA5CA0000-memory.dmp

Filesize
64KB

Download
memory/3552-37-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-16-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3552-14-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4264-2-0x00007FFA972F0000-0x00007FFA97430000-memory.dmp

Filesize
1.2MB

Download
memory/4264-40-0x00007FFA972F0000-0x00007FFA97430000-memory.dmp

Filesize
1.2MB

Download
memory/4264-0-0x000001CE30C70000-0x000001CE30C77000-memory.dmp

Filesize
28KB

Download
memory/4956-81-0x00007FFA96D50000-0x00007FFA96ED6000-memory.dmp

Filesize
1.5MB

Download
memory/4956-86-0x00007FFA96D50000-0x00007FFA96ED6000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads