dridex | 61819c444513737fc13a7684e6fa004993613415bfa7acef09a50a246f225db9

General

Target

bafc52288eff94557ec9acdde60f3dc0_JaffaCakes118.dll
Size

986KB
MD5

bafc52288eff94557ec9acdde60f3dc0
SHA1

d72d53837486b490e641eb162d629ba5f0a7621b
SHA256

61819c444513737fc13a7684e6fa004993613415bfa7acef09a50a246f225db9
SHA512

5a6994f68fb33b1a1a8ba852ee5de2fa05610db3179f9612d3868dbf7cac36923263ee885b9722f0c33adc2a11a9c3f6afccb8eae7c75f7f6b518ba997e89a18
SSDEEP

24576:dVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:dV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3352-4-0x00000000008F0000-0x00000000008F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

bdeunlock.exeLicensingUI.exeSystemSettingsRemoveDevice.exe

pid process

4784 bdeunlock.exe
3104 LicensingUI.exe
4532 SystemSettingsRemoveDevice.exe
Loads dropped DLL 3 IoCs

Processes:

bdeunlock.exeLicensingUI.exeSystemSettingsRemoveDevice.exe

pid process

4784 bdeunlock.exe
3104 LicensingUI.exe
4532 SystemSettingsRemoveDevice.exe

pid	process
4784	bdeunlock.exe
3104	LicensingUI.exe
4532	SystemSettingsRemoveDevice.exe

pid	process
4784	bdeunlock.exe
3104	LicensingUI.exe
4532	SystemSettingsRemoveDevice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\m8eFMV\\LicensingUI.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exebdeunlock.exeLicensingUI.exeSystemSettingsRemoveDevice.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LicensingUI.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
884	rundll32.exe
884	rundll32.exe
884	rundll32.exe
884	rundll32.exe
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pid process

3352
3352
3352
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3352
3352
3352
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3352

pid	process
3352
3352
3352

pid	process
3352
3352
3352

pid	process
3352

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3352 wrote to memory of 4580	3352	bdeunlock.exe
PID 3352 wrote to memory of 4580	3352	bdeunlock.exe
PID 3352 wrote to memory of 4784	3352	bdeunlock.exe
PID 3352 wrote to memory of 4784	3352	bdeunlock.exe
PID 3352 wrote to memory of 1344	3352	LicensingUI.exe
PID 3352 wrote to memory of 1344	3352	LicensingUI.exe
PID 3352 wrote to memory of 3104	3352	LicensingUI.exe
PID 3352 wrote to memory of 3104	3352	LicensingUI.exe
PID 3352 wrote to memory of 5080	3352	SystemSettingsRemoveDevice.exe
PID 3352 wrote to memory of 5080	3352	SystemSettingsRemoveDevice.exe
PID 3352 wrote to memory of 4532	3352	SystemSettingsRemoveDevice.exe
PID 3352 wrote to memory of 4532	3352	SystemSettingsRemoveDevice.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bafc52288eff94557ec9acdde60f3dc0_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:884

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:4580

C:\Users\Admin\AppData\Local\0zW\bdeunlock.exe
C:\Users\Admin\AppData\Local\0zW\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4784

C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
1⤵
PID:1344

C:\Users\Admin\AppData\Local\WTFSEbPg5\LicensingUI.exe
C:\Users\Admin\AppData\Local\WTFSEbPg5\LicensingUI.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3104

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:5080

C:\Users\Admin\AppData\Local\GWT2u8z\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\GWT2u8z\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0zW\DUser.dll

Filesize
990KB

MD5
0b22a916270a8d7bcde54f84b4d8d168

SHA1
433ab183f32758f44877372587490f1d554ae100

SHA256
b1b79cfa93315fdba285074f6b47bd2c81acbcbb399bd78739f438afa0c5f6df

SHA512
4b2dc434b8f8297caa8b35214a9c83ed0854aef590b38d6f83753bd1cb11a13c6fa5abea6daea78016bc409042682dbb341ed52594817d0ba3208e8979c46d06

Download Submit
C:\Users\Admin\AppData\Local\0zW\bdeunlock.exe

Filesize
279KB

MD5
fef5d67150c249db3c1f4b30a2a5a22e

SHA1
41ca037b0229be9338da4d78244b4f0ea5a3d5f3

SHA256
dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

SHA512
4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Download Submit
C:\Users\Admin\AppData\Local\GWT2u8z\DUI70.dll

Filesize
1.2MB

MD5
49a39f98a186e7cb62c635ea0d248aea

SHA1
0a150d186c9304d38aa6a7e5ca70fb09f549aa6e

SHA256
a06b8ad2805302e90f5465390a210fc9ab4c6bcc218ebf13f1810666f99fd8ad

SHA512
d6f28159f20ea37a6af3912dbb9ebb67f97bccd5b28c5bf54d6de120a7cacea60becec8c397fa2204a265fd53d075f407b3ef9e7c8ec31e28252fc2bb5903ee8

Download Submit
C:\Users\Admin\AppData\Local\GWT2u8z\SystemSettingsRemoveDevice.exe

Filesize
39KB

MD5
7853f1c933690bb7c53c67151cbddeb0

SHA1
d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

SHA256
9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

SHA512
831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

Download Submit
C:\Users\Admin\AppData\Local\WTFSEbPg5\DUI70.dll

Filesize
1.2MB

MD5
c6a685d37e39fe1d2894c94a58f4bf7b

SHA1
4b68c7e22f0fc21dd2d5dacce3afa0fd4c03e63d

SHA256
c76d24a8d9714af8773fe4d17d4ca77aecf783d0ad24da46bbf76c08dd9a9a4c

SHA512
16f21dd374bcc36ae48d1eee178229b4a86bda84d820454bce6732770b7c0180fb6c94df1a478dc46c1176dedc6150098d8e060c42cc8ce34a2000c4d0bb45aa

Download Submit
C:\Users\Admin\AppData\Local\WTFSEbPg5\LicensingUI.exe

Filesize
142KB

MD5
8b4abc637473c79a003d30bb9c7a05e5

SHA1
d1cab953c16d4fdec2b53262f56ac14a914558ca

SHA256
0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

SHA512
5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lyvwlrjkvg.lnk

Filesize
1KB

MD5
9db583efcebb6cffaaf67327ac8122ad

SHA1
ada3c9d017429923f2dd25205e827b2699cb6741

SHA256
89fc0e94b5b48a890276e3476b4cba07ef77bbf5d90066396f781f10f22ba3c1

SHA512
b2da87c1ba0a9151397229b74e1cbd504eea597e628601727d21fc5dc83e90960ddab85b26caeab4662a955a9d0942573d97a46ceefa40e8b198b001cacfee88

Download Submit
memory/884-37-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/884-3-0x00000238E48C0000-0x00000238E48C7000-memory.dmp

Filesize
28KB

Download
memory/884-1-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3104-61-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3104-64-0x000001628D400000-0x000001628D407000-memory.dmp

Filesize
28KB

Download
memory/3104-67-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3352-11-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3352-26-0x00000000008B0000-0x00000000008B7000-memory.dmp

Filesize
28KB

Download
memory/3352-35-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3352-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3352-14-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3352-23-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3352-6-0x00007FFEE968A000-0x00007FFEE968B000-memory.dmp

Filesize
4KB

Download
memory/3352-4-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/3352-13-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3352-7-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3352-27-0x00007FFEE9890000-0x00007FFEE98A0000-memory.dmp

Filesize
64KB

Download
memory/3352-12-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3352-8-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/3352-9-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/4532-81-0x000001E3D93A0000-0x000001E3D93A7000-memory.dmp

Filesize
28KB

Download
memory/4532-84-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4784-50-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download
memory/4784-47-0x000001D6CB370000-0x000001D6CB377000-memory.dmp

Filesize
28KB

Download
memory/4784-44-0x0000000140000000-0x00000001400FE000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads