dridex | c2bcb7fc70fedc285ef4250a1244ece0a6455aca49bf76ee6bdd1e9add01ed28

General

Target

b7a2e00a6f0a560d3230fb624e59871b_JaffaCakes118.dll
Size

1.2MB
MD5

b7a2e00a6f0a560d3230fb624e59871b
SHA1

7377a79136e1d9787cd431f389419865cb2bc086
SHA256

c2bcb7fc70fedc285ef4250a1244ece0a6455aca49bf76ee6bdd1e9add01ed28
SHA512

bd3cda925d1a12d1694408992eaa7c2591837a9ccdc318bda2cf4ce742abb420bc1a02928099d7a1115651d54d153d6e202bb9e7a00217b64e187d572c4fba1c
SSDEEP

24576:AVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8I:AV8hf6STw1ZlQauvzSq01ICe6zvmt

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3464-4-0x00000000035A0000-0x00000000035A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpinput.exeSystemPropertiesDataExecutionPrevention.exepsr.exe

pid process

4608 rdpinput.exe
1460 SystemPropertiesDataExecutionPrevention.exe
4764 psr.exe
Loads dropped DLL 3 IoCs

Processes:

rdpinput.exeSystemPropertiesDataExecutionPrevention.exepsr.exe

pid process

4608 rdpinput.exe
1460 SystemPropertiesDataExecutionPrevention.exe
4764 psr.exe

pid	process
4608	rdpinput.exe
1460	SystemPropertiesDataExecutionPrevention.exe
4764	psr.exe

pid	process
4608	rdpinput.exe
1460	SystemPropertiesDataExecutionPrevention.exe
4764	psr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\MxkYhHLy\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpinput.exeSystemPropertiesDataExecutionPrevention.exepsr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe

Modifies registry class 1 IoCs

Processes:

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
5084	rundll32.exe
5084	rundll32.exe
5084	rundll32.exe
5084	rundll32.exe
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

3464
3464
3464
3464
3464
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3464
3464
3464
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3464

pid	process
3464
3464
3464
3464
3464

pid	process
3464
3464
3464

pid	process
3464

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3464 wrote to memory of 1664	3464	rdpinput.exe
PID 3464 wrote to memory of 1664	3464	rdpinput.exe
PID 3464 wrote to memory of 4608	3464	rdpinput.exe
PID 3464 wrote to memory of 4608	3464	rdpinput.exe
PID 3464 wrote to memory of 2968	3464	SystemPropertiesDataExecutionPrevention.exe
PID 3464 wrote to memory of 2968	3464	SystemPropertiesDataExecutionPrevention.exe
PID 3464 wrote to memory of 1460	3464	SystemPropertiesDataExecutionPrevention.exe
PID 3464 wrote to memory of 1460	3464	SystemPropertiesDataExecutionPrevention.exe
PID 3464 wrote to memory of 1684	3464	psr.exe
PID 3464 wrote to memory of 1684	3464	psr.exe
PID 3464 wrote to memory of 4764	3464	psr.exe
PID 3464 wrote to memory of 4764	3464	psr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7a2e00a6f0a560d3230fb624e59871b_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5084

C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
1⤵
PID:1664

C:\Users\Admin\AppData\Local\texyXF\rdpinput.exe
C:\Users\Admin\AppData\Local\texyXF\rdpinput.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4608

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:2968

C:\Users\Admin\AppData\Local\QcVzea8\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\QcVzea8\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1460

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:1684

C:\Users\Admin\AppData\Local\liePgmH\psr.exe
C:\Users\Admin\AppData\Local\liePgmH\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4764

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QcVzea8\SYSDM.CPL
Filesize
1.2MB

MD5
339ddddb62d48a9820e78d92997ea9ca

SHA1
37f45f2e1f409134620609e97834f32a4bd91076

SHA256
d26b0a4f45c8a8cf389a2d715e1023dfeb65d24eb3306f1f92f77d289e0260d5

SHA512
56e060309747392680e57711ad19c239c95629e6924384f1eb0ee493ef905f80533acdca9ab758cf99c0a786d962bbd47e4fe8806cff6067ca05ffe58fe95339

Download Submit
C:\Users\Admin\AppData\Local\QcVzea8\SystemPropertiesDataExecutionPrevention.exe
Filesize
82KB

MD5
de58532954c2704f2b2309ffc320651d

SHA1
0a9fc98f4d47dccb0b231edf9a63309314f68e3b

SHA256
1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

SHA512
d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

Download Submit
C:\Users\Admin\AppData\Local\liePgmH\VERSION.dll
Filesize
1.2MB

MD5
3ae9b0d89a8d347fea0cc3fc04d1e773

SHA1
d9f47eb1b8c2f1a773ef6821a3a42dd353e86bf1

SHA256
7ff2a7d2ed739ca0b6b6099e216656aaf02010be058b4115233c775d6f8e7039

SHA512
eef6030ba14e7cb63b3a7ff76e3177bff3adeb6fd5f3c6094ea4ceb323dddcb4121b1bc32b4a9b51c0ca5c792cbceed4b6150b30593ce18dec899a226d8812c1

Download Submit
C:\Users\Admin\AppData\Local\liePgmH\psr.exe
Filesize
232KB

MD5
ad53ead5379985081b7c3f1f357e545a

SHA1
6f5aa32c1d15fbf073558fadafd046d97b60184e

SHA256
4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

SHA512
433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

Download Submit
C:\Users\Admin\AppData\Local\texyXF\WTSAPI32.dll
Filesize
1.2MB

MD5
a490ab9f3a309f185486c380af883a66

SHA1
77cc5a98ca474d578d3d9db0c3c7e50e7248ec4a

SHA256
b49976cfa8ab73fb398265fa7675a5ab0ffc4a7559723453301c0d53a20287d9

SHA512
bc826c6adb3d1ddcb891a3988f7ed81b61baaa2b9de7d674a3419f6eb063d1b53b3a6f020ac8422d96f688a3f37daefb9043e8e70f54bed0c668a62ddd746214

Download Submit
C:\Users\Admin\AppData\Local\texyXF\rdpinput.exe
Filesize
180KB

MD5
bd99eeca92869f9a3084d689f335c734

SHA1
a2839f6038ea50a4456cd5c2a3ea003e7b77688c

SHA256
39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

SHA512
355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk
Filesize
1KB

MD5
e152f8cf073afd8b2d602d3ab3689669

SHA1
e5ee9da6eb6369c778bddaf694de9b7cd2c16b67

SHA256
1fa7f0b6d0792141224b0c551d1818700c44e01f881f4245a76ef872cb62c5b1

SHA512
b3b5bdc0c89db3c4b25c1f786268fcf87843768a64b0cb7aac9d1959a02ac9615271ae80edb0ef6b57eceeb7999171a9a44fbefcd9cc6123db08534d40113b1e

Download Submit
memory/1460-67-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1460-66-0x000001E62AE70000-0x000001E62AE77000-memory.dmp

Filesize
28KB

Download
memory/3464-7-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3464-12-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3464-11-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3464-9-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3464-8-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3464-4-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/3464-6-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3464-10-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3464-31-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3464-34-0x00007FFA91E8A000-0x00007FFA91E8B000-memory.dmp

Filesize
4KB

Download
memory/3464-13-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3464-22-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3464-36-0x00007FFA932B0000-0x00007FFA932C0000-memory.dmp

Filesize
64KB

Download
memory/3464-35-0x0000000003580000-0x0000000003587000-memory.dmp

Filesize
28KB

Download
memory/4608-50-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4608-44-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4608-47-0x000001D2B9BE0000-0x000001D2B9BE7000-memory.dmp

Filesize
28KB

Download
memory/4764-81-0x000002868FB20000-0x000002868FB27000-memory.dmp

Filesize
28KB

Download
memory/4764-84-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/5084-37-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/5084-0-0x000001B2B2570000-0x000001B2B2577000-memory.dmp

Filesize
28KB

Download
memory/5084-1-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads