dridex | 3b11229202dc3871b693be51b91981a7050d395fed046f2a71895ed88ee4d6a0

General

Target

b3f3a7a92eec72e39d8a9277730a077e_JaffaCakes118.dll
Size

993KB
MD5

b3f3a7a92eec72e39d8a9277730a077e
SHA1

39ec84a1246b2ae1a5f3307cd100fe59025967e5
SHA256

3b11229202dc3871b693be51b91981a7050d395fed046f2a71895ed88ee4d6a0
SHA512

475f1c60b1f75013f219761d0e9bfe5c397d2c1c61e6d9aff59f66529ff35b3134cb93708d2206a4691d4d7f67d1b484217abf8a407d1fca9d6969a7d95937dd
SSDEEP

24576:OVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:OV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3432-4-0x0000000009380000-0x0000000009381000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

printfilterpipelinesvc.exeusocoreworker.exeDWWIN.EXE

pid process

4656 printfilterpipelinesvc.exe
3700 usocoreworker.exe
4616 DWWIN.EXE
Loads dropped DLL 3 IoCs

Processes:

printfilterpipelinesvc.exeusocoreworker.exeDWWIN.EXE

pid process

4656 printfilterpipelinesvc.exe
3700 usocoreworker.exe
4616 DWWIN.EXE

pid	process
4656	printfilterpipelinesvc.exe
3700	usocoreworker.exe
4616	DWWIN.EXE

pid	process
4656	printfilterpipelinesvc.exe
3700	usocoreworker.exe
4616	DWWIN.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1337824034-2731376981-3755436523-1000\\5VpyETX4t6o\\usocoreworker.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeprintfilterpipelinesvc.exeusocoreworker.exeDWWIN.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4952	rundll32.exe
4952	rundll32.exe
4952	rundll32.exe
4952	rundll32.exe
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432
Token: SeShutdownPrivilege	3432
Token: SeCreatePagefilePrivilege	3432

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

3432
3432
3432
3432
3432
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3432
3432
3432
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3432

pid	process
3432
3432
3432
3432
3432

pid	process
3432
3432
3432

pid	process
3432

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3432 wrote to memory of 2692	3432	printfilterpipelinesvc.exe
PID 3432 wrote to memory of 2692	3432	printfilterpipelinesvc.exe
PID 3432 wrote to memory of 4656	3432	printfilterpipelinesvc.exe
PID 3432 wrote to memory of 4656	3432	printfilterpipelinesvc.exe
PID 3432 wrote to memory of 3100	3432	usocoreworker.exe
PID 3432 wrote to memory of 3100	3432	usocoreworker.exe
PID 3432 wrote to memory of 3700	3432	usocoreworker.exe
PID 3432 wrote to memory of 3700	3432	usocoreworker.exe
PID 3432 wrote to memory of 4384	3432	DWWIN.EXE
PID 3432 wrote to memory of 4384	3432	DWWIN.EXE
PID 3432 wrote to memory of 4616	3432	DWWIN.EXE
PID 3432 wrote to memory of 4616	3432	DWWIN.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b3f3a7a92eec72e39d8a9277730a077e_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:2692

C:\Users\Admin\AppData\Local\W7XW\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\W7XW\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4656

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:3100

C:\Users\Admin\AppData\Local\2LSW4\usocoreworker.exe
C:\Users\Admin\AppData\Local\2LSW4\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3700

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:4384

C:\Users\Admin\AppData\Local\N7Kzo\DWWIN.EXE
C:\Users\Admin\AppData\Local\N7Kzo\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2LSW4\XmlLite.dll
Filesize
994KB

MD5
175ede8c5c707b64f6395f3cfeb3d770

SHA1
b9fc5ef4202d4ffaa3f7de4d37b07afeb0d3781c

SHA256
74ba0f0e5a6aa05015b524bf863fc550a6e9cf5cd0c13aab09e3fcf05268c496

SHA512
bea0621eb0a3af78585e6292fdf1a6a85280c5564ee1c4ec761ba862a00193583fa6f14c119e2f573cbf78981163f862a2584c5b124cf1e2012b11a86a81244f

Download Submit
C:\Users\Admin\AppData\Local\2LSW4\usocoreworker.exe
Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Local\N7Kzo\DWWIN.EXE
Filesize
229KB

MD5
444cc4d3422a0fdd45c1b78070026c60

SHA1
97162ff341fff1ec54b827ec02f8b86fd2d41a97

SHA256
4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

SHA512
21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

Download Submit
C:\Users\Admin\AppData\Local\N7Kzo\VERSION.dll
Filesize
994KB

MD5
c8142309e9d47b5749968a38e5773fd6

SHA1
a6858322af2d47ced51e2c39bd5569f2948d012a

SHA256
310e8f8e4856805242b03a4a4d5625b855537ed11d7816a4c395a1b2d4db7bf0

SHA512
ae38652ab121902364d2c80b10a833a122eff86ed640237ee6501fdb85cc8fa5d3ec17e41b19fc93d22b006825221f1ac43f54f4a2197058f970a61606eacd1a

Download Submit
C:\Users\Admin\AppData\Local\W7XW\XmlLite.dll
Filesize
994KB

MD5
a27285939b06e499cd5ca027d4c4370a

SHA1
2a97e4ebadc6e6ebab086396e814c94ca7a276ff

SHA256
fac36cc37b32ca3702c04bd00842490d2cfd28037d36851a74a6b6e77b4e56a2

SHA512
9e07eccb19ca4bb9b728ec7d1550380b9fa9ae7b901fb68e1b1a979878332d36778647f49317ee0bb0438e87b5ece72c1a12f78085c7ffcc8832184edfefa756

Download Submit
C:\Users\Admin\AppData\Local\W7XW\printfilterpipelinesvc.exe
Filesize
813KB

MD5
331a40eabaa5870e316b401bd81c4861

SHA1
ddff65771ca30142172c0d91d5bfff4eb1b12b73

SHA256
105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

SHA512
29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
Filesize
1KB

MD5
14c0ae2ff6ba81aead16e122ffb342b3

SHA1
df095ee3220ed9cc65b24c8edda5ac8a3f0769fa

SHA256
2e2c56a7fe3e1a919715bec617855e41a014bae5af05f1b6e3009dbc8f82b674

SHA512
31386954177b1af9c46f2703a1b3d6cef564d10c75be93c24eeba80115d157c9387f6f3956cd16abf549aaeb4fdb84579fa475bf67aecd7c49f81f0fbe639714

Download Submit
memory/3432-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-32-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-6-0x00007FFD6C8AA000-0x00007FFD6C8AB000-memory.dmp

Filesize
4KB

Download
memory/3432-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-4-0x0000000009380000-0x0000000009381000-memory.dmp

Filesize
4KB

Download
memory/3432-36-0x00007FFD6D1F0000-0x00007FFD6D200000-memory.dmp

Filesize
64KB

Download
memory/3432-35-0x0000000008DE0000-0x0000000008DE7000-memory.dmp

Filesize
28KB

Download
memory/3432-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3432-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3700-65-0x00000172B3C00000-0x00000172B3C07000-memory.dmp

Filesize
28KB

Download
memory/3700-67-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4616-81-0x000001B54A680000-0x000001B54A687000-memory.dmp

Filesize
28KB

Download
memory/4616-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4656-50-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4656-47-0x0000025BCF1A0000-0x0000025BCF1A7000-memory.dmp

Filesize
28KB

Download
memory/4656-44-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4952-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4952-3-0x00000257854D0000-0x00000257854D7000-memory.dmp

Filesize
28KB

Download
memory/4952-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads