dridex | e5db20f974acc6c68386f1de1c5fc3f65799ee320308e82ebc1701236266e353

General

Target

060b59843389a4333c15ef205c5fd793_JaffaCakes118.dll
Size

876KB
MD5

060b59843389a4333c15ef205c5fd793
SHA1

10d69c27d16a32dccef75288fc286b07b6bab498
SHA256

e5db20f974acc6c68386f1de1c5fc3f65799ee320308e82ebc1701236266e353
SHA512

45996e3a340efb973fedb32f4855223139bb35d0f8b6cad645b3d29f9b3fbea167cba33948983ffc0898e3a89dfddf22a2a8c9edb515e37110e41864bb886a96
SSDEEP

12288:bdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:5MIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-4-0x0000000002E00000-0x0000000002E01000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2152-0-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral1/memory/1204-48-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral1/memory/1204-60-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral1/memory/1204-59-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral1/memory/2152-68-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral1/memory/2504-76-0x0000000140000000-0x00000001400DC000-memory.dmp	dridex_payload
behavioral1/memory/2504-81-0x0000000140000000-0x00000001400DC000-memory.dmp	dridex_payload
behavioral1/memory/3016-98-0x0000000140000000-0x00000001400DC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

PresentationSettings.exeosk.exeisoburn.exe

pid process

2504 PresentationSettings.exe
3016 osk.exe
2672 isoburn.exe
Loads dropped DLL 7 IoCs

Processes:

PresentationSettings.exeosk.exeisoburn.exe

pid process

1204
2504 PresentationSettings.exe
1204
3016 osk.exe
1204
2672 isoburn.exe
1204

pid	process
2504	PresentationSettings.exe
3016	osk.exe
2672	isoburn.exe

pid	process
1204
2504	PresentationSettings.exe
1204
3016	osk.exe
1204
2672	isoburn.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\oAf5XVd7\\osk.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

isoburn.exerundll32.exePresentationSettings.exeosk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2152	rundll32.exe
2152	rundll32.exe
2152	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2452	1204	PresentationSettings.exe
PID 1204 wrote to memory of 2452	1204	PresentationSettings.exe
PID 1204 wrote to memory of 2452	1204	PresentationSettings.exe
PID 1204 wrote to memory of 2504	1204	PresentationSettings.exe
PID 1204 wrote to memory of 2504	1204	PresentationSettings.exe
PID 1204 wrote to memory of 2504	1204	PresentationSettings.exe
PID 1204 wrote to memory of 2976	1204	osk.exe
PID 1204 wrote to memory of 2976	1204	osk.exe
PID 1204 wrote to memory of 2976	1204	osk.exe
PID 1204 wrote to memory of 3016	1204	osk.exe
PID 1204 wrote to memory of 3016	1204	osk.exe
PID 1204 wrote to memory of 3016	1204	osk.exe
PID 1204 wrote to memory of 2496	1204	isoburn.exe
PID 1204 wrote to memory of 2496	1204	isoburn.exe
PID 1204 wrote to memory of 2496	1204	isoburn.exe
PID 1204 wrote to memory of 2672	1204	isoburn.exe
PID 1204 wrote to memory of 2672	1204	isoburn.exe
PID 1204 wrote to memory of 2672	1204	isoburn.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\060b59843389a4333c15ef205c5fd793_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:2452

C:\Users\Admin\AppData\Local\8ALP8pp\PresentationSettings.exe
C:\Users\Admin\AppData\Local\8ALP8pp\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2504

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2976

C:\Users\Admin\AppData\Local\K827gOcWL\osk.exe
C:\Users\Admin\AppData\Local\K827gOcWL\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3016

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:2496

C:\Users\Admin\AppData\Local\yaueE\isoburn.exe
C:\Users\Admin\AppData\Local\yaueE\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2672

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8ALP8pp\Secur32.dll
Filesize
880KB

MD5
899709be3b1897b88a6d11a739aa89e1

SHA1
328f5aa4b52be819a2dd41e46b55f8b8798f6796

SHA256
f2fb92a4fdcf44546a78e31d72c96cdf276e337620912f163a5c0953738ad317

SHA512
198e8572243baa177deeccb27acdd7aaf2d605aef995e2314e4bf633b40d0a05a751885187b8604e112f11c3950e016bee383c9c6f1b3695e55dedff4ab4e876

Download Submit
C:\Users\Admin\AppData\Local\K827gOcWL\UxTheme.dll
Filesize
880KB

MD5
327a1f1f7844e35b6f7ab97f9cea01dd

SHA1
079364863d7f6024d4348f1693a7c808ce84f07b

SHA256
34fe43839c64254ccf038f4efd14cfa759990391a5397da362f5cef12a8626db

SHA512
d88cf8527a5c33dc8e5593b53f0b6b35cbc0d27bb4e398e1032a950fde7f91d53fab217cefbc8764cf335cb66022bfe370c5006b57008b018b8e0717580abce8

Download Submit
C:\Users\Admin\AppData\Local\yaueE\UxTheme.dll
Filesize
880KB

MD5
703e12468fa54ac154f6f53d793ec9d5

SHA1
80c69cfbef4f022af50bd8d03af05163c8fafe29

SHA256
205d4131c15885b0533c99e01401c7c48a29ad75a61d71e3f2e8297ae867636a

SHA512
9c790b4bc06ee342ab6ef82e016555d753b5b9488cb0b2ece74eb2ef73e18ce48f6a68c3464fc29a01aa1b2bb7b036a2c7d40d9914b47e265e558ab40d479466

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnk
Filesize
1KB

MD5
66f6998835125a148fc6cde739dfb340

SHA1
65419118133f952ea22974f40280dbe1ebfdf82a

SHA256
7ca748afc9ad5162087c3eb9d86547eccb61072278fdff4a3418f6ceb5872a4f

SHA512
e7bbad82817efd4788eafe47aeb3c14820e99d8f712b5262d8492181cb6ae0e06407d20fcd069512ca8ea0f7858c54797ec921cbeafe241002a26cc402dc024e

Download Submit
\Users\Admin\AppData\Local\8ALP8pp\PresentationSettings.exe
Filesize
172KB

MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
\Users\Admin\AppData\Local\K827gOcWL\osk.exe
Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\yaueE\isoburn.exe
Filesize
89KB

MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
memory/1204-35-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-31-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-10-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-27-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-28-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-12-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-11-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-13-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-14-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-15-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-16-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-17-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-19-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-22-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-21-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-37-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-48-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-47-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

Filesize
28KB

Download
memory/1204-39-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-38-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-36-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-8-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-34-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-33-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-32-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-9-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-30-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-29-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-26-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-50-0x0000000077600000-0x0000000077602000-memory.dmp

Filesize
8KB

Download
memory/1204-49-0x00000000775D0000-0x00000000775D2000-memory.dmp

Filesize
8KB

Download
memory/1204-25-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-24-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-60-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-59-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-23-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-20-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-18-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-3-0x0000000077266000-0x0000000077267000-memory.dmp

Filesize
4KB

Download
memory/1204-4-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/1204-6-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/1204-103-0x0000000077266000-0x0000000077267000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/2152-68-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/2152-2-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2152-0-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/2504-78-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2504-81-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/2504-76-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/3016-95-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download
memory/3016-98-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads