dridex | e5db20f974acc6c68386f1de1c5fc3f65799ee320308e82ebc1701236266e353

General

Target

060b59843389a4333c15ef205c5fd793_JaffaCakes118.dll
Size

876KB
MD5

060b59843389a4333c15ef205c5fd793
SHA1

10d69c27d16a32dccef75288fc286b07b6bab498
SHA256

e5db20f974acc6c68386f1de1c5fc3f65799ee320308e82ebc1701236266e353
SHA512

45996e3a340efb973fedb32f4855223139bb35d0f8b6cad645b3d29f9b3fbea167cba33948983ffc0898e3a89dfddf22a2a8c9edb515e37110e41864bb886a96
SSDEEP

12288:bdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:5MIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3552-3-0x0000000002DA0000-0x0000000002DA1000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3940-0-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral2/memory/3552-59-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral2/memory/3552-47-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral2/memory/3940-62-0x0000000140000000-0x00000001400DB000-memory.dmp	dridex_payload
behavioral2/memory/620-69-0x0000000140000000-0x00000001400DC000-memory.dmp	dridex_payload
behavioral2/memory/620-74-0x0000000140000000-0x00000001400DC000-memory.dmp	dridex_payload
behavioral2/memory/1140-90-0x0000000140000000-0x00000001400DC000-memory.dmp	dridex_payload
behavioral2/memory/3496-106-0x0000000140000000-0x00000001400DC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

lpksetup.exeosk.exeMusNotificationUx.exe

pid process

620 lpksetup.exe
1140 osk.exe
3496 MusNotificationUx.exe
Loads dropped DLL 3 IoCs

Processes:

lpksetup.exeosk.exeMusNotificationUx.exe

pid process

620 lpksetup.exe
1140 osk.exe
3496 MusNotificationUx.exe

pid	process
620	lpksetup.exe
1140	osk.exe
3496	MusNotificationUx.exe

pid	process
620	lpksetup.exe
1140	osk.exe
3496	MusNotificationUx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zyaxxifxvt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\hZ\\osk.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lpksetup.exeosk.exeMusNotificationUx.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3940	rundll32.exe
3940	rundll32.exe
3940	rundll32.exe
3940	rundll32.exe
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552
3552

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3552 wrote to memory of 3648	3552	lpksetup.exe
PID 3552 wrote to memory of 3648	3552	lpksetup.exe
PID 3552 wrote to memory of 620	3552	lpksetup.exe
PID 3552 wrote to memory of 620	3552	lpksetup.exe
PID 3552 wrote to memory of 216	3552	osk.exe
PID 3552 wrote to memory of 216	3552	osk.exe
PID 3552 wrote to memory of 1140	3552	osk.exe
PID 3552 wrote to memory of 1140	3552	osk.exe
PID 3552 wrote to memory of 4756	3552	MusNotificationUx.exe
PID 3552 wrote to memory of 4756	3552	MusNotificationUx.exe
PID 3552 wrote to memory of 3496	3552	MusNotificationUx.exe
PID 3552 wrote to memory of 3496	3552	MusNotificationUx.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\060b59843389a4333c15ef205c5fd793_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3940

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:3648

C:\Users\Admin\AppData\Local\aRFTTH4\lpksetup.exe
C:\Users\Admin\AppData\Local\aRFTTH4\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:620

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:216

C:\Users\Admin\AppData\Local\tFowOMLm\osk.exe
C:\Users\Admin\AppData\Local\tFowOMLm\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1140

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:4756

C:\Users\Admin\AppData\Local\rRvq06\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\rRvq06\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\aRFTTH4\dpx.dll
Filesize
880KB

MD5
c0f038c3fed7ba22e36a31c3096e4037

SHA1
5f75c6fa7043df133cf24ec8f4d5ffe0bef89601

SHA256
2f703f5c31de7b1dae1870b83fc2c11e95e6db543bd7fa7481e0b17592f6afb1

SHA512
d242ea10bd3f0fbf1a02cb68660ccf88659e2a894471374bec9d2e94b6d3fbd63387e53802ab2557d5fc19572f4e8e1c29ddad048024dc9d97a4e59de499e4ef

Download Submit
C:\Users\Admin\AppData\Local\aRFTTH4\lpksetup.exe
Filesize
728KB

MD5
c75516a32e0aea02a184074d55d1a997

SHA1
f9396946c078f8b0f28e3a6e21a97eeece31d13f

SHA256
cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22

SHA512
92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

Download Submit
C:\Users\Admin\AppData\Local\rRvq06\MusNotificationUx.exe
Filesize
615KB

MD5
869a214114a81712199f3de5d69d9aad

SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f

SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

Download Submit
C:\Users\Admin\AppData\Local\rRvq06\XmlLite.dll
Filesize
880KB

MD5
c7aed7b5e7730f6187b4520db0a656da

SHA1
48425f5d919e24aa7eee670886f02804bbaffdb9

SHA256
078a1a26643880debc5f642a274a4784e1c59caef6e99a4f16e458f07d3aa0ad

SHA512
fbc76e887e5c108f30f83fac0ba43aab80ecc26f2b16dd94eada244bafc251abedeece1cde84c8e2e5f00f873c106ec9f6a27b366938795cbb2444336f683689

Download Submit
C:\Users\Admin\AppData\Local\tFowOMLm\WMsgAPI.dll
Filesize
880KB

MD5
0687039e308b046a787fabc68cb483fd

SHA1
20fd0244bfb09491e1a0fb103deeee7e90ad3deb

SHA256
b02bfa9ffc5f0d4e54cd20cec66e03693a604e9d61a545bde7fbd5932e19bb7f

SHA512
f8bf52874de977800519454126b5caf35b23c58ddf5e16cd50e454983a369e793459d74c01d16bb77cc4cc5e262e57468aa776983f16ea0cbae8cea296236114

Download Submit
C:\Users\Admin\AppData\Local\tFowOMLm\osk.exe
Filesize
638KB

MD5
745f2df5beed97b8c751df83938cb418

SHA1
2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

SHA256
f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

SHA512
2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kscubvdexgimjec.lnk
Filesize
1KB

MD5
98e19daed21e17c1a3b354ec535a18ea

SHA1
bd0f7eadc14cb6e5fec216e0307dbb163af786ae

SHA256
98932753eced6617bcda8d557344763aa93c03f119f0a66493a913388f0057e4

SHA512
91640a0d1693ecff47a507ce8af37a7789169f624e75595bbc2650ed10847e88e06acb73f278102f9d8540eb289c292cdc59e5d64e99f6e2c0ea61a1fbf0d7f6

Download Submit
memory/620-74-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/620-71-0x000002270B660000-0x000002270B667000-memory.dmp

Filesize
28KB

Download
memory/620-69-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/1140-90-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/1140-87-0x000002440AB10000-0x000002440AB17000-memory.dmp

Filesize
28KB

Download
memory/3496-103-0x000002A0E0AD0000-0x000002A0E0AD7000-memory.dmp

Filesize
28KB

Download
memory/3496-106-0x0000000140000000-0x00000001400DC000-memory.dmp

Filesize
880KB

Download
memory/3552-15-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-8-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-29-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-28-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-27-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-26-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-25-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-24-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-23-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-22-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-21-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-18-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-17-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-16-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-5-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-13-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-14-0x00007FFA8F12A000-0x00007FFA8F12B000-memory.dmp

Filesize
4KB

Download
memory/3552-12-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-11-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-10-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-9-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-30-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-7-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-6-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-31-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-19-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-3-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/3552-32-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-33-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-34-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-35-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-36-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-37-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-38-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-47-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-48-0x0000000001030000-0x0000000001037000-memory.dmp

Filesize
28KB

Download
memory/3552-49-0x00007FFA8F5E0000-0x00007FFA8F5F0000-memory.dmp

Filesize
64KB

Download
memory/3552-59-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-50-0x00007FFA8F5D0000-0x00007FFA8F5E0000-memory.dmp

Filesize
64KB

Download
memory/3552-39-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3552-20-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3940-0-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download
memory/3940-2-0x000001CD9C390000-0x000001CD9C397000-memory.dmp

Filesize
28KB

Download
memory/3940-62-0x0000000140000000-0x00000001400DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads