dridex | 11a95688e0ad5924bea8664e03a8ed114d16fc06323819e26e8481cb19bbae95

General

Target

b701e2b9d6cd0a2dcc4bf110bdcd5e65_JaffaCakes118.dll
Size

990KB
MD5

b701e2b9d6cd0a2dcc4bf110bdcd5e65
SHA1

93d31fc474daf3963b0664e3fadb47432469177d
SHA256

11a95688e0ad5924bea8664e03a8ed114d16fc06323819e26e8481cb19bbae95
SHA512

ac33c85628afaea0cf2f62829b0fe007004398176c4c42b9a19fdf9cef3441f106f292f83243871d91bae9127ce803cf0730ce70f110fbdb63dbc6ba712ecf50
SSDEEP

24576:vVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8Lt:vV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3540-4-0x0000000003190000-0x0000000003191000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

PresentationSettings.exesessionmsg.exeomadmclient.exe

pid process

3532 PresentationSettings.exe
2692 sessionmsg.exe
3876 omadmclient.exe
Loads dropped DLL 3 IoCs

Processes:

PresentationSettings.exesessionmsg.exeomadmclient.exe

pid process

3532 PresentationSettings.exe
2692 sessionmsg.exe
3876 omadmclient.exe

pid	process
3532	PresentationSettings.exe
2692	sessionmsg.exe
3876	omadmclient.exe

pid	process
3532	PresentationSettings.exe
2692	sessionmsg.exe
3876	omadmclient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rnerhfezerqab = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\Dozz\\sessionmsg.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

omadmclient.exerundll32.exePresentationSettings.exesessionmsg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
5088	rundll32.exe
5088	rundll32.exe
5088	rundll32.exe
5088	rundll32.exe
5088	rundll32.exe
5088	rundll32.exe
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540
3540

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3540

pid	process
3540

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3540 wrote to memory of 1240	3540	PresentationSettings.exe
PID 3540 wrote to memory of 1240	3540	PresentationSettings.exe
PID 3540 wrote to memory of 3532	3540	PresentationSettings.exe
PID 3540 wrote to memory of 3532	3540	PresentationSettings.exe
PID 3540 wrote to memory of 3804	3540	sessionmsg.exe
PID 3540 wrote to memory of 3804	3540	sessionmsg.exe
PID 3540 wrote to memory of 2692	3540	sessionmsg.exe
PID 3540 wrote to memory of 2692	3540	sessionmsg.exe
PID 3540 wrote to memory of 4848	3540	omadmclient.exe
PID 3540 wrote to memory of 4848	3540	omadmclient.exe
PID 3540 wrote to memory of 3876	3540	omadmclient.exe
PID 3540 wrote to memory of 3876	3540	omadmclient.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b701e2b9d6cd0a2dcc4bf110bdcd5e65_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5088

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:1240

C:\Users\Admin\AppData\Local\DQDjhVbY\PresentationSettings.exe
C:\Users\Admin\AppData\Local\DQDjhVbY\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3532

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:3804

C:\Users\Admin\AppData\Local\VxUsddzXP\sessionmsg.exe
C:\Users\Admin\AppData\Local\VxUsddzXP\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2692

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:4848

C:\Users\Admin\AppData\Local\v5OGiyGf\omadmclient.exe
C:\Users\Admin\AppData\Local\v5OGiyGf\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DQDjhVbY\PresentationSettings.exe

Filesize
219KB

MD5
790799a168c41689849310f6c15f98fa

SHA1
a5d213fc1c71a56de9441b2e35411d83770c01ec

SHA256
6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

SHA512
8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

Download Submit
C:\Users\Admin\AppData\Local\DQDjhVbY\WINMM.dll

Filesize
995KB

MD5
d6142026702cd703e11c3493950d10dd

SHA1
fa93dfc601fbeffabedc161078c9b9d2be06f7ec

SHA256
a30f986a6b88cd983ec84c8e4d701e449ffb3556756ed6ea97e8b0837e6b30f1

SHA512
450b05e524738fd075c5603e40e869865ea73800e8ad64e9005fb33746ff9c99e0f300a0c934b6184ac12599e73a876b0db3ffbdba55f3dd47fda090508533ef

Download Submit
C:\Users\Admin\AppData\Local\VxUsddzXP\DUI70.dll

Filesize
1.2MB

MD5
c016866ff0a70538b94c26a37297b943

SHA1
79fd95a22af69b5069eda36642eb958c865ff2db

SHA256
a05acf2c76c3d86a0b0cfc8b097ca7249c27aaefc34c4ac4b201f391353e487f

SHA512
f378d90871c44de5dd02e138467ac037e81b6ae9b9907093fb9d039a56c65ce75094492b59536c8e6409e323302a79fe47ae1161c56aa4f87911e9eb035bc636

Download Submit
C:\Users\Admin\AppData\Local\VxUsddzXP\sessionmsg.exe

Filesize
85KB

MD5
480f710806b68dfe478ca1ec7d7e79cc

SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd

SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Download Submit
C:\Users\Admin\AppData\Local\v5OGiyGf\XmlLite.dll

Filesize
990KB

MD5
1c89a441b3ea7c7c4f928ced3df6f08f

SHA1
2067b1c7937edd1bb5b87691cb280a78cf93e228

SHA256
1f37ffea67a247bd5122022fa271bdf3199f16e689a95cb9ddd2170a458c9fda

SHA512
6bf6edac3e523ea870c3888959fdb225ecca5f8ce1b08b018e6ccdee33ae293f477a80702e701637404eb7e18026e267d17e9465fbb314a08bbc96e7cf49b2c7

Download Submit
C:\Users\Admin\AppData\Local\v5OGiyGf\omadmclient.exe

Filesize
425KB

MD5
8992b5b28a996eb83761dafb24959ab4

SHA1
697ecb33b8ff5b0e73ef29ce471153b368b1b729

SHA256
e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

SHA512
4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Shhkphqwzh.lnk

Filesize
972B

MD5
3648a651a101e21ff17d3e1ce6c5da28

SHA1
a26867eb3685e1415911293a1f5c2f5e152d1ac9

SHA256
47feb0a1aca0e2261c53c44d933c777220ee66f9e22465ca98ea8e1c9227213f

SHA512
1f2c14c6b734316dac33b83cafd88682c3f59feb7ad2c0d875819b3ded8c629c2ea60939fde7b85909e002dd8c81ec7ceddeed07845356cce8b70c29a5594790

Download Submit
memory/2692-64-0x0000016628B00000-0x0000016628B07000-memory.dmp

Filesize
28KB

Download
memory/2692-61-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2692-67-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3532-50-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3532-47-0x000001BD6B530000-0x000001BD6B537000-memory.dmp

Filesize
28KB

Download
memory/3532-44-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/3540-24-0x0000000003020000-0x0000000003027000-memory.dmp

Filesize
28KB

Download
memory/3540-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3540-34-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3540-4-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/3540-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3540-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3540-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3540-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3540-23-0x00007FFBC394A000-0x00007FFBC394B000-memory.dmp

Filesize
4KB

Download
memory/3540-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3540-25-0x00007FFBC3BB0000-0x00007FFBC3BC0000-memory.dmp

Filesize
64KB

Download
memory/3540-22-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3540-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3540-6-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3876-81-0x000001BE40D40000-0x000001BE40D47000-memory.dmp

Filesize
28KB

Download
memory/3876-84-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/3876-78-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/5088-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/5088-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/5088-3-0x0000024A84990000-0x0000024A84997000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads