dridex | 5f4efeb2f3136e117f51044a6122e1089daae2908d27492dbec3094b6719fa58

General

Target

bc26b565bcd6a66c51368a58f663d94b_JaffaCakes118.dll
Size

1.6MB
MD5

bc26b565bcd6a66c51368a58f663d94b
SHA1

95d83abdaca04ba954e3fde7088422a3cd2622e4
SHA256

5f4efeb2f3136e117f51044a6122e1089daae2908d27492dbec3094b6719fa58
SHA512

b7eae94f31e4696e42ebf457aee957a2787ea07abb1b1dac3fcdedb8495e5f588c709f75134519c285f6162cfc1f6dcbe11f285a71e7d140d3f6193b4b04477c
SSDEEP

24576:WuYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:W9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-5-0x0000000002D70000-0x0000000002D71000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

WFS.exeosk.exerekeywiz.exe

pid process

2208 WFS.exe
2180 osk.exe
2764 rekeywiz.exe
Loads dropped DLL 7 IoCs

Processes:

WFS.exeosk.exerekeywiz.exe

pid process

1204
2208 WFS.exe
1204
2180 osk.exe
1204
2764 rekeywiz.exe
1204

pid	process
2208	WFS.exe
2180	osk.exe
2764	rekeywiz.exe

pid	process
1204
2208	WFS.exe
1204
2180	osk.exe
1204
2764	rekeywiz.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\xbKXV\\osk.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeWFS.exeosk.exerekeywiz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rekeywiz.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2204	rundll32.exe
2204	rundll32.exe
2204	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2448	1204	WFS.exe
PID 1204 wrote to memory of 2448	1204	WFS.exe
PID 1204 wrote to memory of 2448	1204	WFS.exe
PID 1204 wrote to memory of 2208	1204	WFS.exe
PID 1204 wrote to memory of 2208	1204	WFS.exe
PID 1204 wrote to memory of 2208	1204	WFS.exe
PID 1204 wrote to memory of 2908	1204	osk.exe
PID 1204 wrote to memory of 2908	1204	osk.exe
PID 1204 wrote to memory of 2908	1204	osk.exe
PID 1204 wrote to memory of 2180	1204	osk.exe
PID 1204 wrote to memory of 2180	1204	osk.exe
PID 1204 wrote to memory of 2180	1204	osk.exe
PID 1204 wrote to memory of 2512	1204	rekeywiz.exe
PID 1204 wrote to memory of 2512	1204	rekeywiz.exe
PID 1204 wrote to memory of 2512	1204	rekeywiz.exe
PID 1204 wrote to memory of 2764	1204	rekeywiz.exe
PID 1204 wrote to memory of 2764	1204	rekeywiz.exe
PID 1204 wrote to memory of 2764	1204	rekeywiz.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc26b565bcd6a66c51368a58f663d94b_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2204

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:2448

C:\Users\Admin\AppData\Local\x2gtr\WFS.exe
C:\Users\Admin\AppData\Local\x2gtr\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2208

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2908

C:\Users\Admin\AppData\Local\2mWVwH\osk.exe
C:\Users\Admin\AppData\Local\2mWVwH\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2180

C:\Windows\system32\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
1⤵
PID:2512

C:\Users\Admin\AppData\Local\qNIR\rekeywiz.exe
C:\Users\Admin\AppData\Local\qNIR\rekeywiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2764

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2mWVwH\WMsgAPI.dll
Filesize
1.6MB

MD5
f9574d335d53896730158d270e96b9cf

SHA1
f116aed8d82a64d7b3acec2c70b2db61c1c7062c

SHA256
db5162c75b2f08a99bf7a54a6a08286f3bf034bf901aed5e1ad40a8de651a3a8

SHA512
c1679a9e7a29283f305637bb50e39b22627b50652f3b6e6ed493294eedbb230b8b692f20a8cf6c1dab9f7c649a51684c869da9060f2e53c0ea8f8c9522ed7f34

Download Submit
C:\Users\Admin\AppData\Local\qNIR\slc.dll
Filesize
1.6MB

MD5
ba50c0f610c80c2fad31069856d28007

SHA1
517fce335cb06b327a7ffd520fd9ad83f322d273

SHA256
50f94b67537701fd318a1b8e4fc06a219c315d98f91380041fe0f55ce02287ce

SHA512
ccf18b3738fac39caeb0ac287fd8144b0aa5129cb90aba3e4e62cfbbe72c9566cbcdb9a43fbcc80e356bb666df5dfdf2e92adfa30a8b35af23df1c391bbdf288

Download Submit
C:\Users\Admin\AppData\Local\x2gtr\credui.dll
Filesize
1.6MB

MD5
3d316cf6b8430c1e76d00aa710e68fc4

SHA1
25e7401031958540143b1481e5ed80b7f026f7c8

SHA256
6f3e01412c11f481f31a1424f661cc86351fb0d18eea98a2e55463363fcbee9b

SHA512
7ecc86dbc34d019a7bd50ffe3f71687419eb081801b1546f4009b042c1020118d5dfeea0cb5cbd1e26965be404d4d9602d604f02be8867280fa1a231c1f6607c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Omdqupblcei.lnk
Filesize
1KB

MD5
849ff865465bcfb7d6e3e57034c90a8f

SHA1
82060b124abc127af9b5a38136ea1b2608552409

SHA256
077a23747083f2e3fcdbc4363d2459a11d021c324135879da868f1d83b5e7f39

SHA512
9c8e02e13faab5cb0727e6894662d8f212d0305428df94272648e99973c84252daf84cddea1a21610923e9ec8b95bada566cbed8a5b507ed7028822652f41587

Download Submit
\Users\Admin\AppData\Local\2mWVwH\osk.exe
Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\qNIR\rekeywiz.exe
Filesize
67KB

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
\Users\Admin\AppData\Local\x2gtr\WFS.exe
Filesize
951KB

MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
memory/1204-15-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-39-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-11-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-12-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-23-0x0000000002B50000-0x0000000002B57000-memory.dmp

Filesize
28KB

Download
memory/1204-29-0x0000000077491000-0x0000000077492000-memory.dmp

Filesize
4KB

Download
memory/1204-28-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-19-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-18-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-17-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-16-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-4-0x0000000077286000-0x0000000077287000-memory.dmp

Filesize
4KB

Download
memory/1204-13-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-32-0x0000000077620000-0x0000000077622000-memory.dmp

Filesize
8KB

Download
memory/1204-40-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-10-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-5-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/1204-9-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-8-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-7-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-14-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1204-67-0x0000000077286000-0x0000000077287000-memory.dmp

Filesize
4KB

Download
memory/2180-78-0x0000000000130000-0x0000000000137000-memory.dmp

Filesize
28KB

Download
memory/2180-81-0x000007FEF60B0000-0x000007FEF6252000-memory.dmp

Filesize
1.6MB

Download
memory/2204-48-0x000007FEF60B0000-0x000007FEF6251000-memory.dmp

Filesize
1.6MB

Download
memory/2204-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2204-0-0x000007FEF60B0000-0x000007FEF6251000-memory.dmp

Filesize
1.6MB

Download
memory/2208-62-0x000007FEF60B0000-0x000007FEF6252000-memory.dmp

Filesize
1.6MB

Download
memory/2208-59-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2208-57-0x000007FEF60B0000-0x000007FEF6252000-memory.dmp

Filesize
1.6MB

Download
memory/2764-93-0x000007FEF5EA0000-0x000007FEF6042000-memory.dmp

Filesize
1.6MB

Download
memory/2764-98-0x000007FEF5EA0000-0x000007FEF6042000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads