dridex | 61819c444513737fc13a7684e6fa004993613415bfa7acef09a50a246f225db9

General

Target

bafc52288eff94557ec9acdde60f3dc0_JaffaCakes118.dll
Size

986KB
MD5

bafc52288eff94557ec9acdde60f3dc0
SHA1

d72d53837486b490e641eb162d629ba5f0a7621b
SHA256

61819c444513737fc13a7684e6fa004993613415bfa7acef09a50a246f225db9
SHA512

5a6994f68fb33b1a1a8ba852ee5de2fa05610db3179f9612d3868dbf7cac36923263ee885b9722f0c33adc2a11a9c3f6afccb8eae7c75f7f6b518ba997e89a18
SSDEEP

24576:dVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:dV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1212-5-0x00000000029E0000-0x00000000029E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rekeywiz.exeSystemPropertiesComputerName.exeBdeUISrv.exe

pid process

2496 rekeywiz.exe
580 SystemPropertiesComputerName.exe
2924 BdeUISrv.exe
Loads dropped DLL 7 IoCs

Processes:

rekeywiz.exeSystemPropertiesComputerName.exeBdeUISrv.exe

pid process

1212
2496 rekeywiz.exe
1212
580 SystemPropertiesComputerName.exe
1212
2924 BdeUISrv.exe
1212

pid	process
2496	rekeywiz.exe
580	SystemPropertiesComputerName.exe
2924	BdeUISrv.exe

pid	process
1212
2496	rekeywiz.exe
1212
580	SystemPropertiesComputerName.exe
1212
2924	BdeUISrv.exe
1212

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gqwtkfbnxxlbs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\SYSTEM~1\\PDET1H~1\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rekeywiz.exeSystemPropertiesComputerName.exeBdeUISrv.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rekeywiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1688	rundll32.exe
1688	rundll32.exe
1688	rundll32.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1212 wrote to memory of 2448	1212	rekeywiz.exe
PID 1212 wrote to memory of 2448	1212	rekeywiz.exe
PID 1212 wrote to memory of 2448	1212	rekeywiz.exe
PID 1212 wrote to memory of 2496	1212	rekeywiz.exe
PID 1212 wrote to memory of 2496	1212	rekeywiz.exe
PID 1212 wrote to memory of 2496	1212	rekeywiz.exe
PID 1212 wrote to memory of 2016	1212	SystemPropertiesComputerName.exe
PID 1212 wrote to memory of 2016	1212	SystemPropertiesComputerName.exe
PID 1212 wrote to memory of 2016	1212	SystemPropertiesComputerName.exe
PID 1212 wrote to memory of 580	1212	SystemPropertiesComputerName.exe
PID 1212 wrote to memory of 580	1212	SystemPropertiesComputerName.exe
PID 1212 wrote to memory of 580	1212	SystemPropertiesComputerName.exe
PID 1212 wrote to memory of 2788	1212	BdeUISrv.exe
PID 1212 wrote to memory of 2788	1212	BdeUISrv.exe
PID 1212 wrote to memory of 2788	1212	BdeUISrv.exe
PID 1212 wrote to memory of 2924	1212	BdeUISrv.exe
PID 1212 wrote to memory of 2924	1212	BdeUISrv.exe
PID 1212 wrote to memory of 2924	1212	BdeUISrv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bafc52288eff94557ec9acdde60f3dc0_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\system32\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
1⤵
PID:2448

C:\Users\Admin\AppData\Local\uLVY9O\rekeywiz.exe
C:\Users\Admin\AppData\Local\uLVY9O\rekeywiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2496

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:2016

C:\Users\Admin\AppData\Local\TCnmkOKn\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\TCnmkOKn\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:580

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:2788

C:\Users\Admin\AppData\Local\A5l\BdeUISrv.exe
C:\Users\Admin\AppData\Local\A5l\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2924

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\A5l\BdeUISrv.exe
Filesize
47KB

MD5
1da6b19be5d4949c868a264bc5e74206

SHA1
d5ee86ba03a03ef8c93d93accafe40461084c839

SHA256
00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

SHA512
9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

Download Submit
C:\Users\Admin\AppData\Local\A5l\WTSAPI32.dll
Filesize
988KB

MD5
c4c8fe665a95bc106082e9d87044d403

SHA1
66e5fb8c22676254e2519a5f1d399706ca4f1cea

SHA256
225b93cd08919e6ebfed7db37b5bf8cac6bb35f0e3d45daeab58d59138ec18bb

SHA512
1edd4443b69177ae4a795d1d09bc18ab612e1a29e950570a17b6c088a57638249b94384622d62bfa86054ff0474cc7546f09b5fe50d54216131511ea9f8a7de1

Download Submit
C:\Users\Admin\AppData\Local\TCnmkOKn\SYSDM.CPL
Filesize
986KB

MD5
92adf2237743a15fc725db8cdf0e2fcd

SHA1
39244aae802fb8649b1df9d4b49479fbc9da333a

SHA256
41055e56a54c21b835a7181bded23754ba99b73b8bc4f8c1eabcf7577be9e349

SHA512
5d2bf0fc650d6312e06a7249e8c594e12e5d0e1fa1f873139d197f4b176790e7abc44ffece95a8453b56e049963deb079f286fcad5f2d6ef9c1bc984750d7946

Download Submit
C:\Users\Admin\AppData\Local\uLVY9O\slc.dll
Filesize
987KB

MD5
54e670cfdeb52378ddaa5b7b3d3e0677

SHA1
3fa7b99bf4f2c80676d0dbcbdba83126dfe856be

SHA256
9c572a1a53e19e50fd10d07a8178ce446cad48cba10aa593d5a092cc929fb340

SHA512
ebf50d0e6de0145f5501a07d642295a38d4b6d6d91462a0ed9a4f30d6e9eec00df124872c5d716070a33a2babae112c7807e00f77e0a4295e231c96df328ee43

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Egmip.lnk
Filesize
875B

MD5
4045bce660cf1e978f9c875bd6e4347f

SHA1
d84030b90757eecd3dee767f57549bfebcdb7a8b

SHA256
05a861205050fbf2f9c83670e7f6de4e496b509f24310185b3245bce6d4d13a3

SHA512
2b0943cc8f438098cde60efeff3e193edf9473b4f388d536051bfd1eb4328dab8082bb589d24595aa3cba2cab1c92a9a6cff6d821441819359c00c374db0f693

Download Submit
\Users\Admin\AppData\Local\TCnmkOKn\SystemPropertiesComputerName.exe
Filesize
80KB

MD5
bd889683916aa93e84e1a75802918acf

SHA1
5ee66571359178613a4256a7470c2c3e6dd93cfa

SHA256
0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

SHA512
9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Download Submit
\Users\Admin\AppData\Local\uLVY9O\rekeywiz.exe
Filesize
67KB

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
memory/580-77-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/580-71-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1212-36-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-25-0x0000000077CD1000-0x0000000077CD2000-memory.dmp

Filesize
4KB

Download
memory/1212-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-26-0x0000000077E60000-0x0000000077E62000-memory.dmp

Filesize
8KB

Download
memory/1212-4-0x0000000077AC6000-0x0000000077AC7000-memory.dmp

Filesize
4KB

Download
memory/1212-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-5-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1212-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-24-0x00000000029C0000-0x00000000029C7000-memory.dmp

Filesize
28KB

Download
memory/1212-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-52-0x0000000077AC6000-0x0000000077AC7000-memory.dmp

Filesize
4KB

Download
memory/1212-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1212-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1688-42-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1688-0-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1688-3-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2496-59-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2496-54-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/2496-53-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/2924-89-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/2924-95-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads