dridex | 6e595a15eb50e2fc6c4d76554b992ab4a81be446c4b8b450e84ed308f7dcf341

General

Target

ba78189a1e1389cdcf5478ec3ec0f8c2_JaffaCakes118.dll
Size

1.2MB
MD5

ba78189a1e1389cdcf5478ec3ec0f8c2
SHA1

0b5278a45fb91bddbc33841fcdd4074bda3377f2
SHA256

6e595a15eb50e2fc6c4d76554b992ab4a81be446c4b8b450e84ed308f7dcf341
SHA512

f59f0409426fad48a60cfed2cdd33d523699f7c23fb4dfb1dccc5525a7c5be2dacb5c612debb73a2d0af69748fe78f2276c5653feb7b655e794205af11ec692d
SSDEEP

24576:5VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:5V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1340-5-0x0000000002D20000-0x0000000002D21000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

BitLockerWizardElev.exefveprompt.exewinlogon.exe

pid process

2760 BitLockerWizardElev.exe
864 fveprompt.exe
1240 winlogon.exe
Loads dropped DLL 7 IoCs

Processes:

BitLockerWizardElev.exefveprompt.exewinlogon.exe

pid process

1340
2760 BitLockerWizardElev.exe
1340
864 fveprompt.exe
1340
1240 winlogon.exe
1340

pid	process
2760	BitLockerWizardElev.exe
864	fveprompt.exe
1240	winlogon.exe

pid	process
1340
2760	BitLockerWizardElev.exe
1340
864	fveprompt.exe
1340
1240	winlogon.exe
1340

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ACCESS~1\\8W1\\FVEPRO~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeBitLockerWizardElev.exefveprompt.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1340 wrote to memory of 2720	1340	BitLockerWizardElev.exe
PID 1340 wrote to memory of 2720	1340	BitLockerWizardElev.exe
PID 1340 wrote to memory of 2720	1340	BitLockerWizardElev.exe
PID 1340 wrote to memory of 2760	1340	BitLockerWizardElev.exe
PID 1340 wrote to memory of 2760	1340	BitLockerWizardElev.exe
PID 1340 wrote to memory of 2760	1340	BitLockerWizardElev.exe
PID 1340 wrote to memory of 2768	1340	fveprompt.exe
PID 1340 wrote to memory of 2768	1340	fveprompt.exe
PID 1340 wrote to memory of 2768	1340	fveprompt.exe
PID 1340 wrote to memory of 864	1340	fveprompt.exe
PID 1340 wrote to memory of 864	1340	fveprompt.exe
PID 1340 wrote to memory of 864	1340	fveprompt.exe
PID 1340 wrote to memory of 2440	1340	winlogon.exe
PID 1340 wrote to memory of 2440	1340	winlogon.exe
PID 1340 wrote to memory of 2440	1340	winlogon.exe
PID 1340 wrote to memory of 1240	1340	winlogon.exe
PID 1340 wrote to memory of 1240	1340	winlogon.exe
PID 1340 wrote to memory of 1240	1340	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ba78189a1e1389cdcf5478ec3ec0f8c2_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:2720

C:\Users\Admin\AppData\Local\vve\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\vve\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2760

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:2768

C:\Users\Admin\AppData\Local\ihTpsuX\fveprompt.exe
C:\Users\Admin\AppData\Local\ihTpsuX\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:864

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:2440

C:\Users\Admin\AppData\Local\3kl7eEI2F\winlogon.exe
C:\Users\Admin\AppData\Local\3kl7eEI2F\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3kl7eEI2F\WINSTA.dll

Filesize
1.2MB

MD5
590fe8e9781145f521354708165e1d8a

SHA1
6b6f8ce9efb5adcec7102fb6bf972b6183589550

SHA256
6c92c354c5ab2e72bdfce0bc65b366acecc34f8eddde6f0ac5c7fc9a109fc0f4

SHA512
90b9b37dd8089105de6da70421788956c42876043f1e6854e9c1c0b6fb0d0cd6887013f583482b89ef8711ae07054dbd8ceb4fc1044b19afa459a3e1c84b7a28

Download Submit
C:\Users\Admin\AppData\Local\ihTpsuX\slc.dll

Filesize
1.2MB

MD5
ad74bf5c3aae8aff3b3783455ab06f29

SHA1
1fc012d0a2be3e7601dbc9c9f8e46219010d07f5

SHA256
5d47a01c8a98a360cc6e9f82cc2a8e667c51ff51c7f0fbbd3332f43fe10d57bc

SHA512
f5a9a0b4a8075eb3d45e70bdc6d0d1195f5d1468e9166ae0044d10dcc4585b8f3f8a476f73ea62bb8c649b8e618a89b0d93a97559c889bdb073722d4190c7b5c

Download Submit
C:\Users\Admin\AppData\Local\vve\FVEWIZ.dll

Filesize
1.2MB

MD5
ae7c45f2ca77f3f598d800e87746a91d

SHA1
42d5cbea83453880d71e9359998df7a976582119

SHA256
8df519b3c539e92d4c0917aabcccebc4230ee4ee4235c68e2ed8884082a79632

SHA512
b48791c7a349c2ec14208093158316620cf945bb93b704a7a86c8cd568f6560469ac5825ce961cc3279f58b662e38f6959b188e309548e5177852ca04b6e91af

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

Filesize
1KB

MD5
5ce7930f76edc78f3623875266cd9f20

SHA1
6d8be6b457329be99bf01dff965bc06d3fc8ba65

SHA256
d14a9111a30bc13299d2c36b836921ef1f7a20ef92046273f3dfa81188f1a8a7

SHA512
ecbdfb72eec0843583bb3048e2f5e3ccccce1ec2b2efc921e8f50df0ed049283ab83daf12d9a5f9edfe2eed34a6c7cd6257f1d1b0d9ceb2c2b6c5218124d34b6

Download Submit
\Users\Admin\AppData\Local\3kl7eEI2F\winlogon.exe

Filesize
381KB

MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
\Users\Admin\AppData\Local\ihTpsuX\fveprompt.exe

Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
\Users\Admin\AppData\Local\vve\BitLockerWizardElev.exe

Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
memory/864-78-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/864-72-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1240-96-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1240-93-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1240-90-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1340-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1340-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1340-25-0x0000000002D00000-0x0000000002D07000-memory.dmp

Filesize
28KB

Download
memory/1340-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1340-24-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1340-36-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1340-37-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1340-4-0x0000000076D96000-0x0000000076D97000-memory.dmp

Filesize
4KB

Download
memory/1340-29-0x0000000077130000-0x0000000077132000-memory.dmp

Filesize
8KB

Download
memory/1340-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1340-5-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/1340-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1340-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1340-64-0x0000000076D96000-0x0000000076D97000-memory.dmp

Filesize
4KB

Download
memory/1340-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1340-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1340-26-0x0000000076FA1000-0x0000000076FA2000-memory.dmp

Filesize
4KB

Download
memory/1340-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2372-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2372-45-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2372-0-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2760-59-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2760-56-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2760-53-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads