dridex | 44e7d8edde3c976623785b7bd9aef613f93911a38728631c59dc4c7d1b625e39

General

Target

d88233c134145cb03ea57d46a0d34923_JaffaCakes118.dll
Size

1.2MB
MD5

d88233c134145cb03ea57d46a0d34923
SHA1

ca7a8098357ce83214652ba7e02c7dc385861760
SHA256

44e7d8edde3c976623785b7bd9aef613f93911a38728631c59dc4c7d1b625e39
SHA512

1e3efe4ca779e216fa379aa69d87f9939c25c5f16b646f610da94bce18037cd13d78b5a05b8682cbd366fb9651fbf3e0baa95652f774e4e3c6a8d138947dd50d
SSDEEP

24576:5VHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:5V8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1192-5-0x0000000002260000-0x0000000002261000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

perfmon.exeBitLockerWizardElev.exeDevicePairingWizard.exe

pid process

2620 perfmon.exe
1752 BitLockerWizardElev.exe
2544 DevicePairingWizard.exe
Loads dropped DLL 7 IoCs

Processes:

perfmon.exeBitLockerWizardElev.exeDevicePairingWizard.exe

pid process

1192
2620 perfmon.exe
1192
1752 BitLockerWizardElev.exe
1192
2544 DevicePairingWizard.exe
1192

pid	process
2620	perfmon.exe
1752	BitLockerWizardElev.exe
2544	DevicePairingWizard.exe

pid	process
1192
2620	perfmon.exe
1192
1752	BitLockerWizardElev.exe
1192
2544	DevicePairingWizard.exe
1192

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orgemlwcbffgzj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\goS\\BitLockerWizardElev.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeperfmon.exeBitLockerWizardElev.exeDevicePairingWizard.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2148	rundll32.exe
2148	rundll32.exe
2148	rundll32.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1192 wrote to memory of 2576	1192	perfmon.exe
PID 1192 wrote to memory of 2576	1192	perfmon.exe
PID 1192 wrote to memory of 2576	1192	perfmon.exe
PID 1192 wrote to memory of 2620	1192	perfmon.exe
PID 1192 wrote to memory of 2620	1192	perfmon.exe
PID 1192 wrote to memory of 2620	1192	perfmon.exe
PID 1192 wrote to memory of 2380	1192	BitLockerWizardElev.exe
PID 1192 wrote to memory of 2380	1192	BitLockerWizardElev.exe
PID 1192 wrote to memory of 2380	1192	BitLockerWizardElev.exe
PID 1192 wrote to memory of 1752	1192	BitLockerWizardElev.exe
PID 1192 wrote to memory of 1752	1192	BitLockerWizardElev.exe
PID 1192 wrote to memory of 1752	1192	BitLockerWizardElev.exe
PID 1192 wrote to memory of 2732	1192	DevicePairingWizard.exe
PID 1192 wrote to memory of 2732	1192	DevicePairingWizard.exe
PID 1192 wrote to memory of 2732	1192	DevicePairingWizard.exe
PID 1192 wrote to memory of 2544	1192	DevicePairingWizard.exe
PID 1192 wrote to memory of 2544	1192	DevicePairingWizard.exe
PID 1192 wrote to memory of 2544	1192	DevicePairingWizard.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d88233c134145cb03ea57d46a0d34923_JaffaCakes118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:2576

C:\Users\Admin\AppData\Local\JejtSeg\perfmon.exe
C:\Users\Admin\AppData\Local\JejtSeg\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2620

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:2380

C:\Users\Admin\AppData\Local\D4o7\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\D4o7\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1752

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:2732

C:\Users\Admin\AppData\Local\kR4mhs\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\kR4mhs\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D4o7\FVEWIZ.dll

Filesize
1.2MB

MD5
11925a1433933846a17b8add2a646e3f

SHA1
445b940fe7b75093b7645d658adda166a98cd697

SHA256
f308c1eab7680bbc66553fdeb280246844df9588c232b0450465592d52d20cf0

SHA512
ec8678eedf2c9a86ec4ab7241901e85a972967272a8d681f27afd3f4c3e4a28139975dede858cb9016680eaeaabb2c30a61be5994d7acf66173e5497c9796ad4

Download Submit
C:\Users\Admin\AppData\Local\JejtSeg\Secur32.dll

Filesize
1.2MB

MD5
a6245fd5b9b6b3a789cc61fcf8c73288

SHA1
99167e896f59780e63d8aa3609b7693220e04f70

SHA256
ac6515e5cc1921084d7114d3a3433d7d5467273a2ca0c9722849cd64d8a97ccd

SHA512
300f9491cb25973d6be495185cc2d724eadd038281f7a7c99ac1ff043744a0c56fff5e12ff2216133b3df3496887a852e4d78c14ed13a46e4e46003bbde1f23e

Download Submit
C:\Users\Admin\AppData\Local\kR4mhs\MFC42u.dll

Filesize
1.3MB

MD5
c05c42473a400176e9239ff34eb58b4d

SHA1
53b18c31b3f4b8723a32619ce1d4d29eb3f96810

SHA256
bfd1d9c626a8c751c1e6fff872e5359cbfb4e2121c2f8f3329172f814e606985

SHA512
3b820d671cce0526d58e8ab08f3eacc2e3e760da92ff6d78d204b1fc3bfa461b86c4d0157d265f5c7ca7169db9491a51ed64a07b28f44ebd05af79900cabe113

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wzkhocxsoqdr.lnk

Filesize
1KB

MD5
821d7f3f2b58fd35d88237f767739bee

SHA1
165800004ba39908028ceae6e8383967ac0f3dfa

SHA256
1ee948ad0cd61829a171da161b16faecabab4a8a6630e3355608ca41889e8e9d

SHA512
90d0df693cbf7e13841bf5fffbd557f4a99e15b68bbb7be2a43468a0183f753a0bcf43bab82e3606be95c30d82f0325e12f5c1f8aa01f51962c593ef5dbd52f8

Download Submit
\Users\Admin\AppData\Local\D4o7\BitLockerWizardElev.exe

Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
\Users\Admin\AppData\Local\JejtSeg\perfmon.exe

Filesize
168KB

MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
\Users\Admin\AppData\Local\kR4mhs\DevicePairingWizard.exe

Filesize
73KB

MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
memory/1192-13-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-15-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-4-0x0000000076CD6000-0x0000000076CD7000-memory.dmp

Filesize
4KB

Download
memory/1192-12-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-11-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-10-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-9-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-25-0x0000000002240000-0x0000000002247000-memory.dmp

Filesize
28KB

Download
memory/1192-26-0x0000000076EE1000-0x0000000076EE2000-memory.dmp

Filesize
4KB

Download
memory/1192-27-0x0000000077070000-0x0000000077072000-memory.dmp

Filesize
8KB

Download
memory/1192-37-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-5-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1192-40-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-46-0x0000000076CD6000-0x0000000076CD7000-memory.dmp

Filesize
4KB

Download
memory/1192-24-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-14-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-7-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1192-8-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1752-72-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1752-78-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2148-36-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2148-0-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2148-3-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2544-90-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2544-91-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2544-96-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2620-60-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2620-55-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2620-54-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads