dridex | 9ba56ae49d371b3a11923736585155a6fbfb169691d7740b2962c7ed2c60e026

General

Target

d6b9fdcac2da2a9cb9fe03e8634b03d3_JaffaCakes118.dll
Size

1.2MB
MD5

d6b9fdcac2da2a9cb9fe03e8634b03d3
SHA1

30f5b61c52d0ee263890edad76b0c4419a489b26
SHA256

9ba56ae49d371b3a11923736585155a6fbfb169691d7740b2962c7ed2c60e026
SHA512

69d9e6dc9ed6217b1a3ced3660471dcb5549da9635ccd6ae5d4314b91bbe4c75cb1a1e2db0f5a4f5d5bd2380a1d45a44a1f88bd5a5637e3bfb4b6e08975950cf
SSDEEP

24576:7uYfg4LhHr4NFXKJO1aUiDBvZ2+ITHmpclO9N:l9cKrUqZWLAcU

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-5-0x0000000002AE0000-0x0000000002AE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

cmstp.exeUI0Detect.exesethc.exe

pid process

3008 cmstp.exe
2204 UI0Detect.exe
628 sethc.exe
Loads dropped DLL 7 IoCs

Processes:

cmstp.exeUI0Detect.exesethc.exe

pid process

1192
3008 cmstp.exe
1192
2204 UI0Detect.exe
1192
628 sethc.exe
1192

pid	process
3008	cmstp.exe
2204	UI0Detect.exe
628	sethc.exe

pid	process
1192
3008	cmstp.exe
1192
2204	UI0Detect.exe
1192
628	sethc.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zoekctxdbskyzr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\EXHv1j\\UI0Detect.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execmstp.exeUI0Detect.exesethc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UI0Detect.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1192 wrote to memory of 1660	1192	cmstp.exe
PID 1192 wrote to memory of 1660	1192	cmstp.exe
PID 1192 wrote to memory of 1660	1192	cmstp.exe
PID 1192 wrote to memory of 3008	1192	cmstp.exe
PID 1192 wrote to memory of 3008	1192	cmstp.exe
PID 1192 wrote to memory of 3008	1192	cmstp.exe
PID 1192 wrote to memory of 2460	1192	UI0Detect.exe
PID 1192 wrote to memory of 2460	1192	UI0Detect.exe
PID 1192 wrote to memory of 2460	1192	UI0Detect.exe
PID 1192 wrote to memory of 2204	1192	UI0Detect.exe
PID 1192 wrote to memory of 2204	1192	UI0Detect.exe
PID 1192 wrote to memory of 2204	1192	UI0Detect.exe
PID 1192 wrote to memory of 2012	1192	sethc.exe
PID 1192 wrote to memory of 2012	1192	sethc.exe
PID 1192 wrote to memory of 2012	1192	sethc.exe
PID 1192 wrote to memory of 628	1192	sethc.exe
PID 1192 wrote to memory of 628	1192	sethc.exe
PID 1192 wrote to memory of 628	1192	sethc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6b9fdcac2da2a9cb9fe03e8634b03d3_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2400

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:1660

C:\Users\Admin\AppData\Local\JkxQZ\cmstp.exe
C:\Users\Admin\AppData\Local\JkxQZ\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3008

C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\UI0Detect.exe
1⤵
PID:2460

C:\Users\Admin\AppData\Local\38yBmf\UI0Detect.exe
C:\Users\Admin\AppData\Local\38yBmf\UI0Detect.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2204

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:2012

C:\Users\Admin\AppData\Local\b1R\sethc.exe
C:\Users\Admin\AppData\Local\b1R\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\38yBmf\UI0Detect.exe

Filesize
40KB

MD5
3cbdec8d06b9968aba702eba076364a1

SHA1
6e0fcaccadbdb5e3293aa3523ec1006d92191c58

SHA256
b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

SHA512
a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

Download Submit
C:\Users\Admin\AppData\Local\JkxQZ\cmstp.exe

Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
C:\Users\Admin\AppData\Local\b1R\sethc.exe

Filesize
272KB

MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk

Filesize
993B

MD5
abb35a854e92ab84f3a2b80ca8f5dfdc

SHA1
4ffe4ea155597ee388f6dfaedc4868cfaf34aa8d

SHA256
68aa8b4cef93a2c0ccd51d756e5ad427fce92620acd3f776fe4c25caade79338

SHA512
d156c1632db6bf3bfaa9d7dfe985bde73cd9a7223a491b30f87c4d74bb0aa361d074440cd82176b2ecff7b61fd04140917e383f804ac402a52724cccf8a9bd4c

Download Submit
\Users\Admin\AppData\Local\38yBmf\WTSAPI32.dll

Filesize
1.2MB

MD5
17a48b7c3e23237b17a89c85cd94fe16

SHA1
2fbe2884becf6df51d6f4901684b851a5e790960

SHA256
6280f012fb2f0484914c32598a77bb5f2872cfc37001546c96367218c52cc11b

SHA512
231f1240a1a147a046771c894089ca240e0ebafe7de1b4ab90399b870a3c29def6747aa288151278b78e919e1624bfe312e937db5c6945d74839325aebcf0b76

Download Submit
\Users\Admin\AppData\Local\JkxQZ\VERSION.dll

Filesize
1.2MB

MD5
1973e39b9812bfc58dcb8a125911ffa0

SHA1
4227a87e06f5c1e749b93acafba6e97ef389aa04

SHA256
588c9ed8ad74ff9d2c7d288a49d9a742dad9d40e196d872eab0634e85824865e

SHA512
5ce9223f476f4a4cc44e8f26ad752e9df8d1bfb2833c47ec34976234e7e7f064d38876bd22750b5df87acf77dc4fcd08cc764d089d4e84ef25dbdfab2c2ef4d9

Download Submit
\Users\Admin\AppData\Local\b1R\OLEACC.dll

Filesize
1.2MB

MD5
8f698d54f8bd5585382151f4a4f93da4

SHA1
b223c35ed6c29968c43cde8fea9c66ec1e80b445

SHA256
c5a827f4a6e0a6b69b8b3f2fdbe0c1634360cfdcf772d1a5807173269afde0e7

SHA512
1e69f92dee9791d1d2bb9692cb0dc6146e4a9a3e8941945a02cfb9b8b110ffa69232658bb6e4374ad969461cf784bf369ab316f6f8a690799b9baa0f03649004

Download Submit
memory/628-88-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/628-93-0x000007FEF7110000-0x000007FEF7242000-memory.dmp

Filesize
1.2MB

Download
memory/1192-7-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-25-0x0000000002AC0000-0x0000000002AC7000-memory.dmp

Filesize
28KB

Download
memory/1192-14-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-13-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-12-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-11-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-10-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-9-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-8-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-4-0x0000000077646000-0x0000000077647000-memory.dmp

Filesize
4KB

Download
memory/1192-5-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1192-15-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-46-0x0000000077646000-0x0000000077647000-memory.dmp

Filesize
4KB

Download
memory/1192-24-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-16-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-29-0x00000000779E0000-0x00000000779E2000-memory.dmp

Filesize
8KB

Download
memory/1192-28-0x0000000077851000-0x0000000077852000-memory.dmp

Filesize
4KB

Download
memory/1192-37-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1192-36-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2204-76-0x000007FEF7110000-0x000007FEF7242000-memory.dmp

Filesize
1.2MB

Download
memory/2204-71-0x000007FEF7110000-0x000007FEF7242000-memory.dmp

Filesize
1.2MB

Download
memory/2400-45-0x000007FEF7110000-0x000007FEF7241000-memory.dmp

Filesize
1.2MB

Download
memory/2400-3-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2400-0-0x000007FEF7110000-0x000007FEF7241000-memory.dmp

Filesize
1.2MB

Download
memory/3008-54-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/3008-55-0x000007FEF7730000-0x000007FEF7862000-memory.dmp

Filesize
1.2MB

Download
memory/3008-59-0x000007FEF7730000-0x000007FEF7862000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads