dridex | 46c5de5439adf19819d78a52bbdbc97c4c63e00049e019ce437c1c08ed140f33

General

Target

b20e9a37b5d638259d80111028dae1da_JaffaCakes118.dll
Size

990KB
MD5

b20e9a37b5d638259d80111028dae1da
SHA1

27499b1c4232cd3b06e687aa42bdf0b404b83583
SHA256

46c5de5439adf19819d78a52bbdbc97c4c63e00049e019ce437c1c08ed140f33
SHA512

d4f36bce2c25de4a48b8de4e32c5f938c506beeb10a6f39f1f0bfeeb30b1813ef0492b50c7e25055e0a6a72335c24ea4e1a3d6873f94ccfe69cc6695e790dd0f
SSDEEP

24576:jVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:jV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3432-4-0x0000000009380000-0x0000000009381000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

WindowsActionDialog.exewlrmdr.exeWMPDMC.exe

pid process

3728 WindowsActionDialog.exe
3048 wlrmdr.exe
3248 WMPDMC.exe
Loads dropped DLL 3 IoCs

Processes:

WindowsActionDialog.exewlrmdr.exeWMPDMC.exe

pid process

3728 WindowsActionDialog.exe
3048 wlrmdr.exe
3248 WMPDMC.exe

pid	process
3728	WindowsActionDialog.exe
3048	wlrmdr.exe
3248	WMPDMC.exe

pid	process
3728	WindowsActionDialog.exe
3048	wlrmdr.exe
3248	WMPDMC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\gUk3tvHq\\wlrmdr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WMPDMC.exerundll32.exeWindowsActionDialog.exewlrmdr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMPDMC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlrmdr.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2656	rundll32.exe
2656	rundll32.exe
2656	rundll32.exe
2656	rundll32.exe
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

3432
3432
3432
3432
3432
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3432
3432
3432
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3432

pid	process
3432
3432
3432
3432
3432

pid	process
3432
3432
3432

pid	process
3432

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3432 wrote to memory of 4784	3432	WindowsActionDialog.exe
PID 3432 wrote to memory of 4784	3432	WindowsActionDialog.exe
PID 3432 wrote to memory of 3728	3432	WindowsActionDialog.exe
PID 3432 wrote to memory of 3728	3432	WindowsActionDialog.exe
PID 3432 wrote to memory of 2796	3432	wlrmdr.exe
PID 3432 wrote to memory of 2796	3432	wlrmdr.exe
PID 3432 wrote to memory of 3048	3432	wlrmdr.exe
PID 3432 wrote to memory of 3048	3432	wlrmdr.exe
PID 3432 wrote to memory of 4616	3432	WMPDMC.exe
PID 3432 wrote to memory of 4616	3432	WMPDMC.exe
PID 3432 wrote to memory of 3248	3432	WMPDMC.exe
PID 3432 wrote to memory of 3248	3432	WMPDMC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b20e9a37b5d638259d80111028dae1da_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2656

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:4784

C:\Users\Admin\AppData\Local\FY06M\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\FY06M\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3728

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:2796

C:\Users\Admin\AppData\Local\gZN\wlrmdr.exe
C:\Users\Admin\AppData\Local\gZN\wlrmdr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3048

C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
1⤵
PID:4616

C:\Users\Admin\AppData\Local\rPJCL\WMPDMC.exe
C:\Users\Admin\AppData\Local\rPJCL\WMPDMC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FY06M\DUI70.dll
Filesize
1.2MB

MD5
255046daf971dd23fac5ddf3e4ddfde9

SHA1
591999fd3ac19db0b5a9e94685777293ec2d56ec

SHA256
cd6434d4c52e81393d2767e481f125d3ee2fc5bc825fc78bf790ed12e88de7f6

SHA512
c981f72c090264e7d78d954a28d608f124a3037980f7b6dc3e8b7af424700e4554d26ed6ab8b5de3e70b6d8d985c360c20c19ebe7b97a6421ba530875cd045aa

Download Submit
C:\Users\Admin\AppData\Local\FY06M\WindowsActionDialog.exe
Filesize
61KB

MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
C:\Users\Admin\AppData\Local\gZN\DUI70.dll
Filesize
1.2MB

MD5
28b0bf476de423c69625d4183b44b57e

SHA1
a611c678a24d3dc4019a3744c0432714b83c8e77

SHA256
4ad1eee438051cb59557e325b12c43dd779f0ef33c58ac7f66491bd927e42605

SHA512
3947a311b0b9dd156de3b7928f35bcad152aa936d09e7b5698af9a5b35e92d7d8e5b9fd3fc083332cf541bf7471cb67b8f186acdf2f2a9e79d05830e515eaa4f

Download Submit
C:\Users\Admin\AppData\Local\gZN\wlrmdr.exe
Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Admin\AppData\Local\rPJCL\UxTheme.dll
Filesize
993KB

MD5
2371114c3a45d237c6d77006ae0d1b46

SHA1
f48e1c93b03844a72c8af9254e320e3666113b18

SHA256
3eb3948dee01836fdd1b81e73fab48618cdf5d3e5f39dbfe0505439259274cb1

SHA512
51b24ff0244682e5b4da5631b6e2d006e2ade4f879217609040713e3001cc5f968c4db34fc087881584e5f28b565a91e64eec6230155d1f2fa362676a75d5e78

Download Submit
C:\Users\Admin\AppData\Local\rPJCL\WMPDMC.exe
Filesize
1.5MB

MD5
59ce6e554da0a622febce19eb61c4d34

SHA1
176a4a410cb97b3d4361d2aea0edbf17e15d04c7

SHA256
c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

SHA512
e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
Filesize
1KB

MD5
f6ef854c3ae92b131f1893cc8f5d6b54

SHA1
ea1fda13d29f583ff3332b15c131b03727cc1875

SHA256
6a7253f7ee2c41e0987fdf6a115cfa04d9305f330c1d7d146dfbb01f54d01b36

SHA512
b49a63a63d0f749adb53cf3aa1249e47fafea4cb31bdb5f51bb855692b7c29bbb6803ed803640f5735017fec1f26569402bfb9e4e46393fb068d23131592d416

Download Submit
memory/2656-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2656-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2656-3-0x000001D52BDE0000-0x000001D52BDE7000-memory.dmp

Filesize
28KB

Download
memory/3048-64-0x0000018A95EB0000-0x0000018A95EB7000-memory.dmp

Filesize
28KB

Download
memory/3048-67-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3248-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3248-81-0x000001E462DE0000-0x000001E462DE7000-memory.dmp

Filesize
28KB

Download
memory/3248-78-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3432-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-31-0x00007FFD6C8AA000-0x00007FFD6C8AB000-memory.dmp

Filesize
4KB

Download
memory/3432-32-0x0000000008DE0000-0x0000000008DE7000-memory.dmp

Filesize
28KB

Download
memory/3432-4-0x0000000009380000-0x0000000009381000-memory.dmp

Filesize
4KB

Download
memory/3432-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-33-0x00007FFD6D1F0000-0x00007FFD6D200000-memory.dmp

Filesize
64KB

Download
memory/3432-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3728-50-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3728-44-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3728-47-0x000002037A990000-0x000002037A997000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads